Open AndersAbel opened 21 hours ago
I'm one of the people working on the aforementioned app. Aside from what Anders wrote, we'd be grateful for a description of the behavior of the silent refresh mechanism when such an issue happens. It seems that the app is still issuing silent refresh calls, but is this "broken state" affecting future silent refreshes in some negative way? Are they safe to ignore if they only happen once in a blue moon?
Aside from the code verifier issue, we also observe many nonce-related errors; however, they don't seem to be visible to the customer, but they may also be proof that multiple tabs are problematic for this library. Can anyone shed light on this matter?
I'm investigating an issue reported by a Duende IdentityServer customer where they get occasional errors logged in IdentityServer on the token endpoint: "Transformed code verifier does not match code challenge"
The client application is typically opened in multiple tabs at the same time in the same browser.
Upon reviewing the logs I can see that this happens when the client makes two silent token renewals at the same time.
Right now we do not have logs of the generated authorization code from the responses from the authorize endpoints, but it looks like the code_verifier for call A to the authorize endpoint is being sent together with the authorization code returned from B (or the other way around).
We have two questions:
Desktop (please complete the following information):