asgardeo · pavinduLakshan · Apr 27, 2026 · Apr 28, 2026 · Apr 28, 2026
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -149,8 +149,22 @@ jobs:
       - name: 🎭 Install Playwright browsers
         run: pnpm e2e:install
 
+      # - name: 🐳 Start Thunder
+      #   run: pnpm e2e:docker:up:thunder
+
       - name: 🐳 Start Thunder
-        run: pnpm e2e:docker:up:thunder
+        run: |
+          set -euxo pipefail
+          pnpm e2e:docker:up:thunder || {
+            echo "Thunder compose failed. Dumping docker state + logs..."
+            docker ps -a || true
+            docker compose -f e2e/docker-compose.yml ps || true
+            docker compose -f e2e/docker-compose.yml logs --no-color --timestamps || true
+            # If thunder-setup is a container name, also dump it directly:
+            docker logs --timestamps asgardeo-e2e-thunder || true
+            docker inspect asgardeo-e2e-thunder || true
+            exit 1
+          }
 
       - name: 🧪 Run E2E redirect tests against Thunder
         run: pnpm e2e -- --idp thunder --mode redirect

diff --git a/packages/browser/src/__legacy__/helpers/authentication-helper.ts b/packages/browser/src/__legacy__/helpers/authentication-helper.ts
@@ -65,13 +65,15 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
   protected _spaHelper: SPAHelper<T>;
   protected _instanceId: number;
   protected _isTokenRefreshing: boolean;
+  protected _refreshAccessTokenPromise?: Promise<User>;
 
   public constructor(authClient: AsgardeoAuthClient<T>, spaHelper: SPAHelper<T>) {
     this._authenticationClient = authClient;
     this._storageManager = this._authenticationClient.getStorageManager();
     this._spaHelper = spaHelper;
     this._instanceId = this._authenticationClient.getInstanceId();
     this._isTokenRefreshing = false;
+    this._refreshAccessTokenPromise = undefined;
   }
 
   public enableHttpHandler(httpClient: HttpClient): void {
@@ -174,23 +176,33 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
   public async refreshAccessToken(
     enableRetrievingSignOutURLFromSession?: (config: SPACustomGrantConfig) => void,
   ): Promise<User> {
-    try {
-      await this._authenticationClient.refreshAccessToken();
-      const customGrantConfig = await this.getCustomGrantConfigData();
-      if (customGrantConfig) {
-        await this.exchangeToken(customGrantConfig, enableRetrievingSignOutURLFromSession);
-      }
-      this._spaHelper.refreshAccessTokenAutomatically(this);
+    if (this._refreshAccessTokenPromise) {
+      return this._refreshAccessTokenPromise;
+    }
 
-      return this._authenticationClient.getUser();
-    } catch (error) {
-      const refreshTokenError: Message<string> = {
-        type: REFRESH_ACCESS_TOKEN_ERR0R,
-      };
+    this._refreshAccessTokenPromise = (async (): Promise<User> => {
+      try {
+        await this._authenticationClient.refreshAccessToken();
+        const customGrantConfig = await this.getCustomGrantConfigData();
+        if (customGrantConfig) {
+          await this.exchangeToken(customGrantConfig, enableRetrievingSignOutURLFromSession);
+        }
+        this._spaHelper.refreshAccessTokenAutomatically(this);
 
-      window.postMessage(refreshTokenError);
-      return Promise.reject(error);
-    }
+        return this._authenticationClient.getUser();
+      } catch (error) {
+        const refreshTokenError: Message<string> = {
+          type: REFRESH_ACCESS_TOKEN_ERR0R,
+        };
+
+        window.postMessage(refreshTokenError);
+        throw error;
+      } finally {
+        this._refreshAccessTokenPromise = undefined;
+      }
+    })();
+
+    return this._refreshAccessTokenPromise;
   }
 
   protected async retryFailedRequests(failedRequest: HttpRequestInterface): Promise<HttpResponse> {
@@ -385,9 +397,9 @@ export class AuthenticationHelper<T extends MainThreadClientConfig | WebWorkerCl
           })
           .catch(async (error: HttpError) => {
             if (error?.response?.status === 401 || !error?.response) {
-              let refreshTokenResponse: TokenResponse | User;
+              let refreshTokenResponse: User;
               try {
-                refreshTokenResponse = await this._authenticationClient.refreshAccessToken();
+                refreshTokenResponse = await this.refreshAccessToken();
               } catch (refreshError: any) {
                 if (isHttpHandlerEnabled) {
                   if (typeof httpErrorCallback === 'function') {