Multiple authenticate requests from the same session causes state mismatch

[mrviniciux]

Describe the bug

Opening authentication in two different tabs result on state mismatch causing some libraries that use node-openid-client to throw an error to the user.

To Reproduce

Same steps as described here: #154

Expected behaviour
A common user can easily open multiple tabs of an application and choose a random one after to login. But instead of having a successful login, an error is returned.

Environment:

• openid-client version: [e.g. v5.6.1]
• node version: [e.g. v20.9.0]

Additional context

This issue is also related on next-auth projects:

nextauthjs/next-auth#7894

In the issue above I posted some logs from next-auth.

Something similar also happened here: nextauthjs/next-auth#3022

[panva]

Unsurprisingly, just like in the aforementioned #154, there's nothing much to do. The passport strategy is meant to remain simple, not dealing with edge cases.

As far as next-auth, or other pieces of work that utilize openid-client, they can orchestrate the state v session management however complex they can afford since the core library is not responsible for maintaining the user-agent state and its state in any way.