Closed richardspence closed 4 years ago
@richardspence I apologize for the delayed response. We made a change in the library to avoid overwriting the nonce value in the tabs and appending the nonce values instead, using a separator ('||') as shown below: 2d42c06a-191c-4975-88f2-25d6db4a1da0||0ffc5885-118b-4f81-80da-64f89860d16d||. This way we can match the nonce value when we receive the response from the server. Can you please confirm if you are using the latest version of the library? If you are facing a different issue, can you please provide the repro steps?
I no longer work on the project where I used this library (moved jobs since then). Your solution doesn't appear to take into account that local storage still can't "lock" regions of reads and writes together, meaning you'd still have a potential race condition if both tabs tried to read & update at the same time.
When using LocalStorage, nonce GUIDs are stored there. If you have multiple tabs open, context can bleed if they both try to renew the id token concurrently, causing "User login is required" errors in logs. This is because the nonce can be mutated between tabs and overwritten.
One solution would be to not use storage for NONCE_IDTOKEN, and instead use class variables. This will enable all calls to succeed. A better and more complicated solution would be to have a locking mechanism and only have 1 tab try and perform the renewal at a time. Also, here's a link to a "Lockable storage" that someone has tried to create
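An added illustration, not code from the library or from either commenter, of the '||'-separated nonce list the maintainer describes and of the read-then-write interleaving across tabs that the reporter says it does not close; the storage key name and the in-memory stand-in for localStorage are assumptions.

```javascript
// Added example (not the library's code): models the '||'-separated nonce
// list and shows why an unlocked read-modify-write still loses a nonce.
const SEP = '||';
const KEY = 'nonce.idtoken'; // assumed key name, not the library's actual key

// Minimal in-memory stand-in for window.localStorage (constructed for offline use).
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Append the new nonce instead of overwriting (the fix described in the thread).
function appendNonce(storage, nonce) {
  const current = storage.getItem(KEY) || '';
  storage.setItem(KEY, current + nonce + SEP);
}

// On the token response: is this nonce present in the stored list?
function nonceMatches(storage, nonce) {
  const stored = storage.getItem(KEY) || '';
  return stored.split(SEP).filter(Boolean).includes(nonce);
}

// Sequential renewals (no interleaving): both nonces survive and match.
function simulateSequential(storage, nonceA, nonceB) {
  appendNonce(storage, nonceA);
  appendNonce(storage, nonceB);
  return { a: nonceMatches(storage, nonceA), b: nonceMatches(storage, nonceB) };
}

// Two tabs renewing at once: each reads, then writes, with no lock between
// the two steps. Tab B's write is based on a stale read and drops tab A's
// nonce, so tab A's token response fails to match ("User login is required").
function simulateRace(storage, nonceA, nonceB) {
  const readA = storage.getItem(KEY) || '';   // tab A reads
  const readB = storage.getItem(KEY) || '';   // tab B reads the same value
  storage.setItem(KEY, readA + nonceA + SEP); // tab A writes
  storage.setItem(KEY, readB + nonceB + SEP); // tab B overwrites A's entry
  return { a: nonceMatches(storage, nonceA), b: nonceMatches(storage, nonceB) };
}
```

The interleaving in simulateRace is the case a cross-tab lock (only one tab renewing at a time) or tab-local state for the nonce would prevent.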