rayluo / identity

This is an authentication/authorization library optimized for web apps. It provides some higher level APIs built on top of Microsoft's MSAL Python. Read its documentation here: https://identity-library.readthedocs.io
MIT License

State mismatch when using flask-session with identity.web #42

Open phsyn opened 4 days ago

phsyn commented 4 days ago

Background:

With the setup described above, I'm getting intermittent state mismatch errors when calling complete_log_in. I believe this is caused when the auth response is handled by a different worker than the one that initiated the auth flow. I can see that the Flask session.sid is the same, so I believe that the Flask-session setup that I have is working correctly. However, the state in the auth code changes between the requests. If I reduce the number of Gunicorn workers to 1, the problem goes away.

My code is very similar to this sample (the 0.4.0 one) which is the example code that my Azure instance provides for connecting Python auth to Azure.
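The failure mode described above, as an added simulation that is not code from the identity library or from the poster: the OAuth `state` value is written into the session when the login starts and must be found in the same session when the redirect returns, so if each worker keeps its own session store the callback that lands on the other worker is rejected even though the session id is identical. The `Worker` and store names are assumptions made for this illustration.

```python
import secrets

# Constructed simulation (not the identity library's own code): the "state"
# value created at login start must be present in the user's session when
# the redirect comes back, otherwise the callback is refused.

class Worker:
    """One Gunicorn-style worker. With a per-process store, each worker only
    sees sessions it wrote itself; with a shared store they all see the same."""
    def __init__(self, name, store=None):
        self.name = name
        self.store = store if store is not None else {}   # sid -> session dict

    def start_login(self, sid):
        state = secrets.token_urlsafe(16)
        self.store.setdefault(sid, {})["auth_state"] = state
        return state                                       # would be sent in auth_uri

    def complete_login(self, sid, returned_state):
        expected = self.store.get(sid, {}).get("auth_state")
        if expected is None or not secrets.compare_digest(expected, returned_state):
            return {"error": "state mismatch", "worker": self.name}
        del self.store[sid]["auth_state"]                  # state is single-use
        return {"ok": True, "worker": self.name}

def run_flow(shared_store=None):
    """Login starts on worker A, the redirect lands on worker B, same sid.
    Pass a dict to give both workers a shared session store."""
    a = Worker("A", shared_store)
    b = Worker("B", shared_store)
    sid = "same-flask-session-id"      # constructed: the sid phsyn saw unchanged
    state = a.start_login(sid)
    return b.complete_login(sid, state)
```

Running `run_flow()` (separate per-worker stores) reports the mismatch; `run_flow({})` (a store both workers share) completes the login, which is the behaviour a cross-process session backend is meant to provide.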

rayluo commented 4 days ago
  • Using identity.web instead of identity.flask so I don't need to use the decorator (the Flask app wraps a Plotly Dash page, so I don't want to use the decorator and instead just redirect any unauthorized users to the login page)

For the sake of investigation, what if you temporarily remove the Plotly Dash, and then use identity.flask and its decorator. Will it still run into the same issue when Gunicorn has multiple workers?

phsyn commented 4 days ago

Good idea. Looks like that works, even with multiple workers. I simplified the code to test this and basically implemented the 0.9.0 version of the sample I linked above.