dpapi issue with OAuth2 and generic provider #1833

Unanswered
EML-github asked this question in Q&A

I have a generic (Apache with mod_auth2, and Keycloak) remote repo, and I'm trying to set up a Windows client to access this repo. This basically works, but there's a problem. The client info is:

Windows 10 (22H2)
Git for Windows, 2.47.1.windows.2
GCM, 2.6.1

.gitconfig:

[credential "https://example.com"]
  helper                 = manager
  provider               = generic
  oauthClientId          = openid-cli
  oauthScopes            = "openid email"
  oauthAuthorizeEndpoint = ...
  oauthTokenEndpoint     = ...
  oauthRedirectUri       = http://127.0.0.1
  oauthClientSecret      = ...(32 chars)
  credentialStore        = dpapi
[user]
  name  = ...
  email = ...

This works for both fetch and push, but it contains the client secret in plaintext, which is obviously an issue. My procedure is:

  1. Clone a repo; this pops up a browser window
  2. Enter a username and password; a new window pops up for the TOTP
  3. Enter the TOTP
  4. The repo clones correctly
  5. Comment out or delete the oauthClientSecret line

GCM creates ~/.gcm with the dpapi information, which appears to be valid. I can then fetch/push/etc for about 10 minutes without entering any credentials. However, after 10 minutes, the client secret is forgotten, and I need to log in again. Why?

GCM does pop up another window asking for a username and password, but I can't find a combination of username and password which works. The only solution appears to be to leave oauthClientSecret in the config file, so dpapi appears to be useless after 10 minutes. Apache does appear to be correctly set up for refreshing tokens.

Can anyone suggest a fix for this? Log attached, if it helps.
logs.txt

Replies: 0 comments
