panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Multiple authenticate requests from the same session causes state mismatch #639

Closed mrviniciux closed 11 months ago

mrviniciux commented 11 months ago

Describe the bug

Opening authentication in two different tabs results in a state mismatch, causing some libraries that use node-openid-client to throw an error to the user.

To Reproduce

Same steps as described here: https://github.com/panva/node-openid-client/issues/154

Expected behaviour

A common user can easily open multiple tabs of an application and then choose any one of them to log in. But instead of a successful login, an error is returned.

Environment:

Additional context

This issue is also related to next-auth projects:

https://github.com/nextauthjs/next-auth/issues/7894

In the issue above I posted some logs from next-auth.

Something similar also happened here: https://github.com/nextauthjs/next-auth/issues/3022

panva commented 11 months ago

Unsurprisingly, just like in the aforementioned #154, there's nothing much to do. The passport strategy is meant to remain simple, not dealing with edge cases.

As far as next-auth, or other pieces of work that utilize openid-client, go, they can orchestrate state vs. session management in whatever complex way they can afford, since the core library is not responsible for maintaining the user-agent state and its state in any way.