"State doesn't match" race condition #67
Comments
Some thoughts on solutions. The Stack Overflow answers suggest a state store as a guard:
This would appear to resolve the issue:
Due to race conditions with session storage itself, it's not a perfect solution:
But the race condition window should be substantially narrowed from seconds to milliseconds. It's also worth noting implementers are currently encouraged to store their own auth state (e.g.
I recognise it's a late response - but we solved this with the following pattern:
We started running into occasional Auth0 failures with "State doesn't match". After a day of banging my head against the wall, I think I have a pretty good idea of what's going on:
https://stackoverflow.com/questions/65493296/authorization-code-flow-concurrent-requests-from-multiple-tabs
If a user simultaneously loads multiple pages while unauthenticated, the result is a race condition:
state
and redirects to OAuthstate
and redirects to OAuthstate
This is pretty common when reopening a closed browser, for example.
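The multi-tab race described in this issue, and the state-store guard suggested in the comments, as an added example that is not part of the original thread or the project's own code. The `session` object, the `slot`/`keyed` modes, the function names and the 10-minute lifetime are assumptions made for illustration.

```javascript
// Added example. `session` is a plain object standing in for the per-user
// session shared by every tab (assumption; the project's own store is not shown).
const MAX_AGE_MS = 10 * 60 * 1000; // assumed lifetime of a pending login

function beginLogin(session, mode, returnTo, newState = () => globalThis.crypto.randomUUID()) {
  const state = newState(); // must be unpredictable in real use
  if (mode === "slot") {
    // Single slot: a second tab overwrites the first tab's pending state.
    session.oauthState = state;
    session.returnTo = returnTo;
  } else {
    // Keyed store: one entry per state value, so tabs do not collide.
    session.pending = session.pending || {};
    session.pending[state] = { returnTo, createdAt: Date.now() };
  }
  return state; // value sent as `state` in the authorization request
}

function finishLogin(session, mode, returnedState, now = Date.now()) {
  if (mode === "slot") {
    if (typeof returnedState !== "string" || session.oauthState !== returnedState) {
      throw new Error("State doesn't match");
    }
    delete session.oauthState; // single use
    return session.returnTo;
  }
  const pending = session.pending || {};
  const known = Object.prototype.hasOwnProperty.call(pending, returnedState);
  const entry = known ? pending[returnedState] : null;
  delete pending[returnedState]; // single use, also blocks replay
  if (!entry || now - entry.createdAt > MAX_AGE_MS) {
    throw new Error("State doesn't match");
  }
  return entry.returnTo;
}

// Two tabs start a login before either callback arrives, then both return.
function twoTabs(mode, newState) {
  const session = {};
  const states = [
    beginLogin(session, mode, "/inbox", newState),
    beginLogin(session, mode, "/settings", newState),
  ];
  return states.map((s) => {
    try { return finishLogin(session, mode, s); }
    catch (e) { return e.message; }
  });
}
```

With the single slot the first tab's callback fails and only the second tab completes; with the keyed store both complete. If the session itself is saved by read-modify-write, two concurrent saves can still drop an entry, which is the narrower window the comment above refers to.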