mozilla / mozilla-django-oidc

A django OpenID Connect library
https://mozilla-django-oidc.readthedocs.io
Mozilla Public License 2.0

OIDC snatches URLs and responds with 403 #302

Open Pike opened 5 years ago

Pike commented 5 years ago

There's something on l10n.mozilla.org that seems to break URLs.

I've found that an AJAX request to https://l10n.mozilla.org/builds/tbpl-rows?after=199204&random=3 got a 403 response with a refresh_url to https://auth.mozilla.auth0.com/authorize?nonce=XXX&prompt=none&state=XXX&redirect_uri=https%3A%2F%2Fl10n.mozilla.org%2Foidc%2Fcallback%2F&response_type=code&client_id=XXX&scope=openid+profile+email.

@flodolo had the same thing happen to tabs he had open. He ended up with a bunch of tabs open with https://l10n.mozilla.org/oidc/callback/?code=... URLs open.

Seems that https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them doesn't work as advertised?

akatsoulas commented 5 years ago

Hi @Pike,

Thanks for filing this issue. The session refresh middleware can be a bit tricky with AJAX requests. There is a relevant section in the documentation [0] that explains in more detail what might be happening there. Does this help solve your issue?

[0] https://mozilla-django-oidc.readthedocs.io/en/stable/xhr.html

Pike commented 5 years ago

So, this isn't just about AJAX, we also see this problem with main views, and with some fidgeting, I was able to narrow it down. If you load multiple tabs in parallel that all try to refresh the session, they all get bad state.
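The two behaviours discussed in this thread, the 403-with-`refresh_url` answer that the session refresh middleware gives XHR callers (akatsoulas's comment and the first report) and the bad state that several tabs refreshing in parallel end up with (Pike's last comment), can be reproduced in a small model. The block below is an added illustration written for this page, not code from mozilla-django-oidc; it assumes a plain dict in place of `request.session`, placeholder issuer and client values, and a hypothetical comparison between a single `oidc_state` slot and a bounded dict of pending states. The single-slot variant is what lets parallel refreshes clobber each other: every tab overwrites the one stored state, so every callback but the last is rejected.

```python
"""Model of an OIDC session-refresh flow with a state race (illustrative, not library code)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; the real values come from the deployment's settings.
AUTHORIZE_URL = "https://auth.example.test/authorize"
CLIENT_ID = "example-client-id"
CALLBACK_URL = "https://app.example.test/oidc/callback/"
REFRESH_AFTER = 15 * 60   # seconds a validated session is trusted before re-validation
MAX_PENDING_STATES = 5    # bound on in-flight refreshes one session may hold (assumption)


def needs_refresh(session, now=None):
    """True when the stored validation time has passed (or was never set)."""
    now = time.time() if now is None else now
    return session.get("oidc_id_token_expiration", 0) <= now


def build_refresh_url(state, nonce):
    """Silent re-authentication URL: prompt=none, same shape as the one in the report."""
    params = {
        "nonce": nonce,
        "prompt": "none",
        "state": state,
        "redirect_uri": CALLBACK_URL,
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": "openid profile email",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def start_refresh(session, is_xhr, multi_state):
    """Begin a refresh. XHR callers get (403, {"refresh_url": ...}) so client-side
    code can decide what to do; page loads get (302, {"Location": ...})."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    if multi_state:
        pending = session.setdefault("oidc_states", {})
        # Evict the oldest flow when too many are in flight (dicts keep insertion order).
        while len(pending) >= MAX_PENDING_STATES:
            del pending[next(iter(pending))]
        pending[state] = {"nonce": nonce, "added_on": time.time()}
    else:
        # Single slot: a second tab starting a refresh overwrites the first tab's state.
        session["oidc_state"] = state
        session["oidc_nonce"] = nonce
    url = build_refresh_url(state, nonce)
    if is_xhr:
        return 403, {"refresh_url": url}
    return 302, {"Location": url}


def handle_callback(session, returned_state, multi_state):
    """Accept the callback only if the echoed state was issued by this session; one-time use."""
    if multi_state:
        pending = session.get("oidc_states", {})
        if returned_state not in pending:
            return False
        del pending[returned_state]
    else:
        if session.get("oidc_state") != returned_state:
            return False
        del session["oidc_state"]
    session["oidc_id_token_expiration"] = time.time() + REFRESH_AFTER
    return True


def parallel_tabs(n_tabs, multi_state):
    """Simulate n_tabs opening at once on a stale session, then every callback
    returning in order. Returns how many callbacks were accepted."""
    session = {}
    states = []
    for _ in range(n_tabs):
        _status, payload = start_refresh(session, is_xhr=False, multi_state=multi_state)
        states.append(parse_qs(urlparse(payload["Location"]).query)["state"][0])
    return sum(handle_callback(session, s, multi_state) for s in states)


if __name__ == "__main__":
    print("single slot, 3 tabs accepted:", parallel_tabs(3, multi_state=False))
    print("pending dict, 3 tabs accepted:", parallel_tabs(3, multi_state=True))
```

With the single slot, three parallel tabs yield one accepted callback and two rejected ones, which is the "bad state" outcome described above; with a bounded dict of pending states all three succeed, and the bound keeps a session from accumulating unlimited in-flight flows. The XHR branch returns the 403 with a JSON-style `refresh_url` body rather than redirecting, which is why an AJAX caller sees a 403 instead of a page: the client has to handle that response itself.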