manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License

Occasional Code_Verifier mismatch #1445

Open AndersAbel opened 21 hours ago

AndersAbel commented 21 hours ago

I'm investigating an issue reported by a Duende IdentityServer customer where they get occasional errors logged in IdentityServer on the token endpoint: "Transformed code verifier does not match code challenge"

The client application is typically opened in multiple tabs at the same time in the same browser.

Upon reviewing the logs I can see that this happens when the client makes two silent token renewals at the same time.

  1. Call A to authorize endpoint with code_challenge=X
  2. Call B to authorize endpoint with code_challenge=Y
  3. Call to token endpoint which results in "Transformed code verifier does not match code challenge". When we hash the code_verifier from this call, it matches code_challenge X, from call A to the authorize endpoint.

Right now we do not have logs of the authorization codes returned in the responses from the authorize endpoint, but it looks like the code_verifier from call A to the authorize endpoint was sent together with the authorization code returned from call B (or the other way around).

We have two questions:

  1. Is there a way, when running the application in multiple tabs, to prevent multiple refreshes running at the same time?
  2. Could there be a bug in the state handling in this library that mixes up the code_verifiers when there are two simultaneous calls?


kduszaandea commented 20 hours ago

I'm one of the people working on the aforementioned app. Aside from what Anders wrote, we'd be grateful for a description of the behavior of the silent refresh mechanism when such an issue happens. It seems that the app is still issuing silent refresh calls, but is this "broken state" affecting future silent refreshes in some negative way? Are they safe to ignore if they only happen once in a blue moon?

Aside from the code verifier issue we also observe many nonce-related errors. They don't seem to be visible to the customer, but they may also be proof that multiple tabs are problematic for this library. Can anyone shed light on this matter?