
Occasional Code_Verifier mismatch #1445

Open
AndersAbel opened this issue Oct 24, 2024 · 2 comments

@AndersAbel

I'm investigating an issue reported by a Duende IdentityServer customer where they get occasional errors logged in IdentityServer on the token endpoint: "Transformed code verifier does not match code challenge"

The client application is typically opened in multiple tabs at the same time in the same browser.

Upon reviewing the logs I can see that this happens when the client makes two silent token renewals at the same time.

  1. Call A to authorize endpoint with code_challenge=X
  2. Call B to authorize endpoint with code_challenge=Y
  3. Call to token endpoint which results in "Transformed code verifier does not match code challenge". When we hash the code_verifier from this call, it matches code_challenge X, from call A to the authorize endpoint.

Right now we do not have logs of the generated authorization code from the responses from the authorize endpoints, but it looks like the code_verifier from call A to the authorize endpoint is being used together with the authorization code returned from B (or the other way around).

We have two questions:

  1. Is there a way when running the application in multiple tabs to prevent multiple refreshes running at the same time?
  2. Could there be a bug in the state handling in this library that mixes up the code_verifiers when there are two simultaneous calls?

Desktop (please complete the following information):

  • Multiple browsers, both Safari and Chrome.
@kduszaandea

I'm one of the people working on the aforementioned app.
Aside from what Anders wrote, we'd be grateful for a description of the behavior of the silent refresh mechanism when such an issue happens. It seems that the app is still issuing silent refresh calls, but is this "broken state" affecting future silent refreshes in some negative way? Are they safe to ignore if they only happen once in a blue moon?

Aside from the code verifier issue we also observe many nonce-related errors. They don't seem to be visible to the customer, but they may also be proof that multiple tabs are problematic for this library. Can anyone shed light on this matter?

@jeroenheijmans
Collaborator

Not a definitive answer to these questions, but perhaps still helpful pointers:

Ad 1:

There's no built-in way to prevent concurrent refreshes that I know of. You'd have to roll something yourself.

Ad 2:

The code verifier seems to be set in and retrieved from (possibly) localStorage, depending on your configuration. Since that is shared between tabs, I totally understand and expect that concurrent (silent or not) login attempts will interfere with each other.

Solutions or workarounds might include using sessionStorage instead, or creating your own wrapper for localStorage that makes some keys (such as the code verifier) tab-specific in some way.
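The second workaround above, sketched as an added example that is not part of the thread or of the library: a Storage-compatible wrapper that namespaces per-flow keys (here assumed to be named `code_verifier` and `nonce`; the real key names depend on the library) by a tab id while leaving shared keys such as tokens untouched. `MemoryStorage` is a constructed stand-in for `window.localStorage` so the race from the issue can be reproduced outside a browser.

```javascript
// Constructed stand-in for window.localStorage (same getItem/setItem API) so
// the example runs under Node without a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Keys that belong to one in-flight authorization request and must not be
// shared between tabs. Names are assumptions, not the library's actual keys.
const TAB_SCOPED_KEYS = new Set(['code_verifier', 'nonce']);

// Wrapper exposing the Storage interface: per-flow keys get a tab suffix,
// everything else (tokens, session data) is passed through unchanged.
class TabScopedStorage {
  constructor(backing, tabId) { this.backing = backing; this.tabId = tabId; }
  scoped(k) { return TAB_SCOPED_KEYS.has(k) ? `${k}::tab:${this.tabId}` : k; }
  get length() { return this.backing.length; }
  key(i) { return this.backing.key(i); }
  getItem(k) { return this.backing.getItem(this.scoped(k)); }
  setItem(k, v) { this.backing.setItem(this.scoped(k), v); }
  removeItem(k) { this.backing.removeItem(this.scoped(k)); }
  clear() { this.backing.clear(); }
}

// Reproduce the race from the report: tabs A and B each start a silent
// renewal and store their own verifier before either one redeems its code.
// Returns what each tab reads back when it finishes its own flow.
function simulateTwoTabRenewal(makeStorage) {
  const shared = new MemoryStorage();           // one localStorage per origin
  const tabA = makeStorage(shared, 'A');
  const tabB = makeStorage(shared, 'B');
  tabA.setItem('code_verifier', 'verifier-from-A'); // call A to /authorize
  tabB.setItem('code_verifier', 'verifier-from-B'); // call B, overlapping
  tabA.setItem('access_token', 'shared-token');     // unscoped key stays shared
  return {
    a: tabA.getItem('code_verifier'),   // verifier A uses at /token
    b: tabB.getItem('code_verifier'),   // verifier B uses at /token
    tokenSeenByB: tabB.getItem('access_token'),
  };
}

const plain = simulateTwoTabRenewal((s) => s);   // raw shared storage: A is clobbered
const scoped = simulateTwoTabRenewal((s, id) => new TabScopedStorage(s, id));
```

In a browser the tab id would come from a value kept in `sessionStorage` (per tab, survives reloads) rather than a constant, and stale `::tab:` keys should be removed once a flow completes so they do not accumulate.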
