Open Pike opened 5 years ago
Hi @Pike,
Thanks for filing this issue. The session refresh middleware can be a bit tricky with ajax requests. There is a relevant section in the documentation [0] that explains in more detail what might be happening there. Does this help solve your issue?
[0] https://mozilla-django-oidc.readthedocs.io/en/stable/xhr.html
So, this isn't just about AJAX, we also see this problem with main views, and with some fidgeting, I was able to narrow it down. If you load multiple tabs in parallel that all try to refresh the session, they all get bad state.
There's something on l10n.mozilla.org that seems to break URLs.
I've found that an ajax request to https://l10n.mozilla.org/builds/tbpl-rows?after=199204&random=3 got a 403 response with a refresh_url to https://auth.mozilla.auth0.com/authorize?nonce=XXX&prompt=none&state=XXX&redirect_uri=https%3A%2F%2Fl10n.mozilla.org%2Foidc%2Fcallback%2F&response_type=code&client_id=XXX&scope=openid+profile+email.
@flodolo had the same thing happen to tabs he had open. He ended up with a bunch of tabs open with https://l10n.mozilla.org/oidc/callback/?code=... URLs.
Seems that https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them doesn't work as advertised?
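As an added illustration of the race described in this thread (not code from mozilla-django-oidc or from the reporters), the simulation below models several tabs sharing one server-side session and each starting a `prompt=none` refresh. When the session holds a single `oidc_state` value, each new refresh overwrites the previous one, so every callback except the last fails state validation; keeping a bounded list of outstanding states lets each callback match its own state exactly once. The key names and helper functions are hypothetical.

```python
import secrets

# Constructed model of a cookie-backed session: a plain dict shared by all tabs.

def start_refresh_single(session):
    """Single-slot design: each new refresh clobbers the previous state."""
    state = secrets.token_hex(16)
    session["oidc_state"] = state
    return state

def callback_single(session, state):
    """Accept the callback only if its state is the one still in the session."""
    return session.get("oidc_state") == state

def start_refresh_multi(session, limit=10):
    """Multi-slot design: keep every outstanding state, bounded to `limit`."""
    states = session.setdefault("oidc_states", [])
    state = secrets.token_hex(16)
    states.append(state)
    del states[:-limit]          # drop the oldest entries beyond the limit
    return state

def callback_multi(session, state):
    """Accept the callback if its state is outstanding, and consume it."""
    states = session.get("oidc_states", [])
    if state in states:
        states.remove(state)     # one-time use: a replayed state is rejected
        return True
    return False

def simulate(start, callback, tabs=3):
    """`tabs` tabs start a refresh in parallel, then their callbacks arrive."""
    session = {}
    states = [start(session) for _ in range(tabs)]
    return [callback(session, s) for s in states]

if __name__ == "__main__":
    print("single slot:", simulate(start_refresh_single, callback_single))
    print("multi slot: ", simulate(start_refresh_multi, callback_multi))
```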