okta / okta-oidc-js
https://github.com/okta/okta-oidc-js

react-router Link to a SecureRoute yields "OAuth flow response state doesn't match request state" #943

Closed Naught0 closed 3 years ago

Naught0 commented 3 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

Current behavior

<Link>ing to a <SecureRoute> fails after the Okta login is triggered, with the error "AuthSdkError: OAuth flow response state doesn't match request state". If I navigate back to /, I'm signed in and everything works just fine.

Expected behavior

The component for this route (LoginCallback) comes with @okta/okta-react. It handles token parsing, token storage, and redirecting to a protected page if one triggered the sign in.

From: https://developer.okta.com/code/react/okta_react/#connect-the-routes

Minimal reproduction of the problem with instructions

I attempted to use one of the samples to provide an example; however, I ran into another issue: https://github.com/okta/samples-js-react/issues/145#issuecomment-725445390. The basic structure is thus:

// App.js
<Router>
  <Security
    issuer="https://{oktaDomain}.okta.com/oauth2/default"
    clientId="{clientID}"
    redirectUri={window.location.origin + '/users/callback'}
    pkce={true}
  >
    <Switch>
      <Route exact={true} path="/" component={Home} />
      <SecureRoute path="/secure_path" component={SecurePath} />
      <Route path="/insecure_path" component={InsecurePath} />
      <Route path='/users/callback' component={LoginCallback} />
    </Switch>
  </Security>
</Router>

With Home linking to the <SecureRoute> like so:

<Link to="/secure_path">
  {/* ... */}
</Link>

Environment

patricklizon commented 3 years ago

I have run into the same issue; however, the previous version 3.0.8 seems to be working fine.

aarongranick-okta commented 3 years ago

@Naught0 Can you confirm whether this issue also appears when using version 3.0.8?

Also, we have made some fixes related to this issue with the auth-js library which okta-react depends on. To make sure you have these updates, wipe your node_modules and any lock files and do a fresh install.

Naught0 commented 3 years ago

@aarongranick-okta I've just downgraded to 3.0.8 and everything is working just as expected now! Is there anything I can do to help you identify the cause?

aarongranick-okta commented 3 years ago

@Naught0 We have identified a flaw in 3.0.9 which causes a flood of requests to /authorize when navigating to a secure route. My guess is this is also the cause of the mismatched response state. If you see more than one request to /authorize in your network tab, then this is probably the source of the issue. We are working on a fix and will release it soon as 3.0.10.