diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b64b992b77f0209548e8b8594b1992b8a309ea2a..86d3c74e27172ea77edf80413dd6e3341be3874d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,8 @@ variables:
 CONTAINER_GALAXY_URL: "${NDIP_DOCKER_REPOSITORY}/${CI_PROJECT_PATH}"
 CONTAINER_GALAXY_BASE_URL: "${CONTAINER_GALAXY_URL}/base"
 CONTAINER_GALAXY_COMMIT_URL: "${CONTAINER_GALAXY_URL}/commit"
- GALAXY_VERSION_PYTHON: 25.1.dev1+ornl
- GALAXY_VERSION_DOCKER: 25.1.dev1.ornl
+ GALAXY_VERSION_PYTHON: 25.1.dev2+ornl
+ GALAXY_VERSION_DOCKER: 25.1.dev2.ornl
 
 # This import is for the func_rse_docker_* functions
 before_script:
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index 977f734f35d13c516caa34716fdddd272c5355fb..ecf8488da3f6289f41c9d2ec4fc883794d44a85c 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -168,8 +168,7 @@ class OIDCAuthnzBase(IdentityProvider):
 custos_authnz_token.refresh_expiration_time = processed_token["refresh_expiration_time"]
 sa_session.add(custos_authnz_token)
- with transaction(sa_session):
- sa_session.commit()
+ sa_session.commit()
 log.debug(
 f"Refreshed user token for {custos_authnz_token.external_user_id} via `{custos_authnz_token.provider}` identity provider"
diff --git a/lib/galaxy/authnz/psa_authnz.py b/lib/galaxy/authnz/psa_authnz.py
index 37046f064fa652637d781341b1129c6e11de2516..bd65cb3578deea68192cbe8cde03d4058d02c2a3 100644
--- a/lib/galaxy/authnz/psa_authnz.py
+++ b/lib/galaxy/authnz/psa_authnz.py
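Review bot: Dropping the `with transaction(sa_session):` wrapper around the commit in the token-refresh path changes how the session transaction is scoped; unless the session is configured to autobegin, the bare `sa_session.commit()` may not behave like the helper did, and if the helper also rolled back on error the failure path now leaves the session in whatever state SQLAlchemy defaults to. Please confirm the session configuration and that the other commit sites in this module were updated the same way, since mixing both styles in one file is a maintenance trap. If this was the last use of `transaction` in custos_authnz.py, its import is now dead and should be removed. The enclosing method starts before and continues after the hunk.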
@@ -230,12 +230,20 @@ class PSAAuthnz(IdentityProvider):
 return False
 
 def _try_to_locate_refresh_token_expiration(self, extra_data):
- return (
- extra_data.get("expires", None)
- or extra_data.get("expires_in", None)
- or extra_data["refresh_token"].get("expires", None)
- or extra_data["refresh_token"].get("expires_in", None)
- )
+ try:
+ # Azure provides the number of seconds to expiration in the extra_data
+ return (
+ extra_data.get("expires", None)
+ or extra_data.get("expires_in", None)
+ or extra_data["refresh_token"].get("expires", None)
+ or extra_data["refresh_token"].get("expires_in", None)
+ )
+ except Exception:
+ # Keycloak provides an expiration timestamp in the id token
+ decoded_id_token = jwt.decode(
+ extra_data["id_token"], options={"verify_signature": False}
+ )
+ return decoded_id_token.get("exp") - decoded_id_token.get("auth_time")
 
 def authenticate(self, trans, idphint=None):
 on_the_fly_config(trans.sa_session)
@@ -299,7 +307,6 @@ class PSAAuthnz(IdentityProvider):
 if self.config.get("well_known_oidc_config_uri", None)
 else self._get_well_known_uri_from_url(self.config["provider"])
 )
- well_known_oidc_config = None
 try:
 well_known_oidc_config = requests.get(
 well_known_oidc_config_uri,
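Review bot: `except Exception:` in `_try_to_locate_refresh_token_expiration` catches far more than the missing-key / non-dict `refresh_token` cases the fallback is written for, so a genuine bug in the first branch would be silently rerouted to the id-token path; narrow it to `except (KeyError, AttributeError):`. The fallback then reads claims from the id token with `verify_signature` disabled, which is only acceptable if the token was already verified by the PSA backend when it was stored in `extra_data` — state that assumption in the comment and keep the result confined to expiry timing. `decoded_id_token.get("exp") - decoded_id_token.get("auth_time")` raises `TypeError` when either claim is absent (`auth_time` is optional in OIDC id tokens), and that error escapes the handler; guarding for `None` and returning `None`, as the first branch can, keeps the contract consistent. `jwt` must also be imported in this module if it is not already, which this hunk does not show.
```python
        except (KeyError, AttributeError):
            # Keycloak: derive a lifetime from the id token. Claims are read without
            # re-verifying the signature (assumes the token was verified when it was
            # stored in extra_data — confirm); use them only for expiry timing.
            decoded_id_token = jwt.decode(extra_data["id_token"], options={"verify_signature": False})
            exp = decoded_id_token.get("exp")
            auth_time = decoded_id_token.get("auth_time")
            if exp is None or auth_time is None:
                return None
            return exp - auth_time
```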
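Review bot: Removing `well_known_oidc_config = None` before the `try:` takes away the only visible guard against the name being unbound when `requests.get(...)` raises; unless the `except` branch (outside this hunk) returns or re-raises, the later use of `well_known_oidc_config` will fail with `UnboundLocalError` instead of the intended handling. If the except branch does terminate the method, a one-line comment there such as `# requests failure is terminal; well_known_oidc_config is always bound below` would make the removal safe to read; otherwise keep the initialization. The enclosing method starts before and continues after the hunk.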