I'd like to highlight that when we attempt to use Ziti Edge Desktop via OIDC authentication, I am aware it requires the IDP client to set a valid redirect URL to http://localhost:20314/auth/callback
This works, but I noticed that many times the callback would fail on the first attempt. The user will need to re-click the IDP authorize button to be successfully authenticated.
Is this a known bug that needs to be fixed?
That's not a bug I know about, but it's believable. It could be that the csdk doesn't have a valid refresh token, or that it's expired or "something" like that. Having a set of logs at DEBUG level for us to look at would help.
Better would be some sort of docker-compose-based setup that we could pull/run/test (but I'm not sure if that's doable). Anything to help us try to reproduce the issue.
My hunch is that you didn't get a refresh token or that the refresh token exchange failed, but that's just a guess at this point.
Thanks, I will try to explore more based on the info you provided.