feat(oidc-client): Add a 'login_state_storage' option to allow storing the auth flow state separately to tokens (#1646) (release)

* Add a 'login_state_storage' option to allow storing the auth flow state in a separate storage location to tokens

* Fix linting/prettier errors

Author: awocallaghan

FAQ.md

@@ -103,6 +103,26 @@ export const configuration = {
 
 If your Service Worker file is already registered on your browser, your need to unregister it. For example from chrome dev tool.
 
+## Two tabs race condition during login with localStorage
+
+When `storage: localStorage` is used without a service worker and two tabs initiate the login flow at the same time, they write the authorization state (`state`, `code_verifier`, `nonce`, login params) to the same `localStorage` keys. Each tab can overwrite the other's values, causing the callback in one tab to fail with a state mismatch error.
+
+The recommended fix is to use the `login_state_storage` option to store authorization flow state in `sessionStorage` (which is isolated per tab) while keeping tokens in `localStorage` so they persist across tabs:
+
+```javascript
+export const configuration = {
+  client_id: 'interactive.public.short',
+  redirect_uri: window.location.origin + '/authentication/callback',
+  scope: 'openid profile email api offline_access',
+  authority: 'https://demo.duendesoftware.com',
+  service_worker_only: false,
+  storage: localStorage,         // tokens persist across tabs
+  login_state_storage: sessionStorage, // authorization state is isolated per tab
+};
+```
+
+This option has no effect when using a service worker, which already handles multi-tab isolation internally.
+
 ## Tokens are always refreshed in background every seconds
 
 The @axa-fr/oidc-client automatically refreshes tokens in the background.  

packages/oidc-client/README.md

@@ -1,4 +1,4 @@
-# @axa-fr/oidc-client
+# @axa-fr/oidc-client
 
 [![Continuous Integration](https://github.com/AxaGuilDEv/react-oidc/actions/workflows/npm-publish.yml/badge.svg)](https://github.com/AxaGuilDEv/react-oidc/actions/workflows/npm-publish.yml)
 [![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=AxaGuilDEv_react-oidc&metric=alert_status)](https://sonarcloud.io/dashboard?id=AxaGuilDEv_react-oidc) [![Reliability](https://sonarcloud.io/api/project_badges/measure?project=AxaGuilDEv_react-oidc&metric=reliability_rating)](https://sonarcloud.io/component_measures?id=AxaGuilDEv_react-oidc&metric=reliability_rating) [![Security](https://sonarcloud.io/api/project_badges/measure?project=AxaGuilDEv_react-oidc&metric=security_rating)](https://sonarcloud.io/component_measures?id=AxaGuilDEv_react-oidc&metric=security_rating) [![Code Corevage](https://sonarcloud.io/api/project_badges/measure?project=AxaGuilDEv_react-oidc&metric=coverage)](https://sonarcloud.io/component_measures?id=AxaGuilDEv_react-oidc&metric=Coverage) [![Twitter](https://img.shields.io/twitter/follow/GuildDEvOpen?style=social)](https://twitter.com/intent/follow?screen_name=GuildDEvOpen)
@@ -210,6 +210,7 @@ const configuration = {
     scope: String.isRequired, // oidc scope (you need to set "offline_access")
     authority: String.isRequired,
     storage: Storage, // Default sessionStorage, you can set localStorage, but it is not secure
+    login_state_storage: Storage, // Optional. Storage used only for authorization flow state (state, code_verifier, nonce, login params). Defaults to the value of `storage`. Set to sessionStorage when using storage: localStorage to prevent race conditions when multiple tabs start the login flow simultaneously.
     authority_configuration: {
       // Optional for providers that do not implement OIDC server auto-discovery via a .wellknown URL
       authorization_endpoint: String,

packages/oidc-client/src/initSession.spec.ts

@@ -0,0 +1,215 @@
+import { beforeEach, describe, expect, it } from 'vitest';
+
+import { initSession } from './initSession';
+
+const makeStorage = (): Storage => {
+  const store: Record<string, string> = {};
+  return {
+    getItem: (key: string) => store[key] ?? null,
+    setItem: (key: string, value: string) => {
+      store[key] = value;
+    },
+    removeItem: (key: string) => {
+      delete store[key];
+    },
+    clear: () => {
+      for (const key of Object.keys(store)) {
+        delete store[key];
+      }
+    },
+    get length() {
+      return Object.keys(store).length;
+    },
+    key: (index: number) => Object.keys(store)[index] ?? null,
+    [Symbol.iterator]: function* () {
+      yield* Object.entries(store);
+    },
+  } as unknown as Storage;
+};
+
+describe('initSession', () => {
+  const configName = 'default';
+
+  describe('single storage (existing behaviour)', () => {
+    let storage: Storage;
+    let session: ReturnType<typeof initSession>;
+
+    beforeEach(() => {
+      storage = makeStorage();
+      session = initSession(configName, storage);
+    });
+
+    it('stores tokens in storage', () => {
+      session.setTokens({ accessToken: 'at', idToken: 'id' });
+      expect(storage[`oidc.${configName}`]).toContain('accessToken');
+    });
+
+    it('stores login params in same storage', () => {
+      session.setLoginParams({ callbackPath: '/callback', extras: null, scope: 'openid' });
+      expect(storage[`oidc.login.${configName}`]).toBeTruthy();
+    });
+
+    it('stores state in same storage', async () => {
+      await session.setStateAsync('abc123');
+      expect(storage[`oidc.state.${configName}`]).toBe('abc123');
+    });
+
+    it('stores code verifier in same storage', async () => {
+      await session.setCodeVerifierAsync('verifier');
+      expect(storage[`oidc.code_verifier.${configName}`]).toBe('verifier');
+    });
+
+    it('stores nonce in same storage', async () => {
+      await session.setNonceAsync({ nonce: 'nonce-value' });
+      expect(storage[`oidc.nonce.${configName}`]).toBe('nonce-value');
+    });
+
+    it('clearAsync nulls the tokens entry', async () => {
+      session.setTokens({ accessToken: 'at' });
+      await session.clearAsync('LOGGED_OUT');
+      const stored = JSON.parse(storage[`oidc.${configName}`]);
+      expect(stored.tokens).toBeNull();
+    });
+  });
+
+  describe('dual storage — login state in separate storage', () => {
+    let tokenStorage: Storage;
+    let loginStateStorage: Storage;
+    let session: ReturnType<typeof initSession>;
+
+    beforeEach(() => {
+      tokenStorage = makeStorage();
+      loginStateStorage = makeStorage();
+      session = initSession(configName, tokenStorage, loginStateStorage);
+    });
+
+    it('stores tokens in tokenStorage, not loginStateStorage', () => {
+      session.setTokens({ accessToken: 'at', idToken: 'id' });
+      expect(tokenStorage[`oidc.${configName}`]).toContain('accessToken');
+      expect(loginStateStorage[`oidc.${configName}`]).toBeUndefined();
+    });
+
+    it('stores login params in loginStateStorage, not tokenStorage', () => {
+      session.setLoginParams({ callbackPath: '/callback', extras: null, scope: 'openid' });
+      expect(loginStateStorage[`oidc.login.${configName}`]).toBeTruthy();
+      expect(tokenStorage[`oidc.login.${configName}`]).toBeUndefined();
+    });
+
+    it('stores state in loginStateStorage, not tokenStorage', async () => {
+      await session.setStateAsync('abc123');
+      expect(loginStateStorage[`oidc.state.${configName}`]).toBe('abc123');
+      expect(tokenStorage[`oidc.state.${configName}`]).toBeUndefined();
+    });
+
+    it('retrieves state from loginStateStorage', async () => {
+      await session.setStateAsync('state-value');
+      const retrieved = await session.getStateAsync();
+      expect(retrieved).toBe('state-value');
+    });
+
+    it('stores code verifier in loginStateStorage, not tokenStorage', async () => {
+      await session.setCodeVerifierAsync('verifier');
+      expect(loginStateStorage[`oidc.code_verifier.${configName}`]).toBe('verifier');
+      expect(tokenStorage[`oidc.code_verifier.${configName}`]).toBeUndefined();
+    });
+
+    it('retrieves code verifier from loginStateStorage', async () => {
+      await session.setCodeVerifierAsync('cv-value');
+      const retrieved = await session.getCodeVerifierAsync();
+      expect(retrieved).toBe('cv-value');
+    });
+
+    it('stores nonce in loginStateStorage, not tokenStorage', async () => {
+      await session.setNonceAsync({ nonce: 'nonce-value' });
+      expect(loginStateStorage[`oidc.nonce.${configName}`]).toBe('nonce-value');
+      expect(tokenStorage[`oidc.nonce.${configName}`]).toBeUndefined();
+    });
+
+    it('retrieves nonce from loginStateStorage', async () => {
+      await session.setNonceAsync({ nonce: 'nonce-value' });
+      const { nonce } = await session.getNonceAsync();
+      expect(nonce).toBe('nonce-value');
+    });
+
+    it('stores session_state in tokenStorage, not loginStateStorage', async () => {
+      await session.setSessionStateAsync('ss-value');
+      expect(tokenStorage[`oidc.session_state.${configName}`]).toBe('ss-value');
+      expect(loginStateStorage[`oidc.session_state.${configName}`]).toBeUndefined();
+    });
+
+    it('clearAsync nulls tokens in tokenStorage', async () => {
+      session.setTokens({ accessToken: 'at' });
+      await session.clearAsync('LOGGED_OUT');
+      const stored = JSON.parse(tokenStorage[`oidc.${configName}`]);
+      expect(stored.tokens).toBeNull();
+    });
+
+    it('clearAsync removes login state keys from loginStateStorage', async () => {
+      session.setLoginParams({ callbackPath: '/callback', extras: null, scope: 'openid' });
+      await session.setStateAsync('abc');
+      await session.setCodeVerifierAsync('verifier');
+      await session.setNonceAsync({ nonce: 'n' });
+
+      await session.clearAsync('LOGGED_OUT');
+
+      expect(loginStateStorage[`oidc.login.${configName}`]).toBeUndefined();
+      expect(loginStateStorage[`oidc.state.${configName}`]).toBeUndefined();
+      expect(loginStateStorage[`oidc.code_verifier.${configName}`]).toBeUndefined();
+      expect(loginStateStorage[`oidc.nonce.${configName}`]).toBeUndefined();
+    });
+
+    it('clearAsync does not remove login state from tokenStorage when storages differ', async () => {
+      tokenStorage[`oidc.login.${configName}`] = 'should-not-be-touched';
+      await session.clearAsync('LOGGED_OUT');
+      expect(tokenStorage[`oidc.login.${configName}`]).toBe('should-not-be-touched');
+    });
+  });
+
+  describe('two-tab isolation', () => {
+    it('two sessions sharing tokenStorage but with independent loginStateStorages do not overwrite each other', async () => {
+      const sharedTokenStorage = makeStorage();
+      const tab1LoginStorage = makeStorage();
+      const tab2LoginStorage = makeStorage();
+
+      const tab1 = initSession(configName, sharedTokenStorage, tab1LoginStorage);
+      const tab2 = initSession(configName, sharedTokenStorage, tab2LoginStorage);
+
+      await tab1.setStateAsync('state-tab1');
+      await tab2.setStateAsync('state-tab2');
+
+      expect(await tab1.getStateAsync()).toBe('state-tab1');
+      expect(await tab2.getStateAsync()).toBe('state-tab2');
+    });
+
+    it('two sessions sharing tokenStorage but with independent loginStateStorages have isolated nonces', async () => {
+      const sharedTokenStorage = makeStorage();
+      const tab1LoginStorage = makeStorage();
+      const tab2LoginStorage = makeStorage();
+
+      const tab1 = initSession(configName, sharedTokenStorage, tab1LoginStorage);
+      const tab2 = initSession(configName, sharedTokenStorage, tab2LoginStorage);
+
+      await tab1.setNonceAsync({ nonce: 'nonce-tab1' });
+      await tab2.setNonceAsync({ nonce: 'nonce-tab2' });
+
+      const { nonce: nonce1 } = await tab1.getNonceAsync();
+      const { nonce: nonce2 } = await tab2.getNonceAsync();
+      expect(nonce1).toBe('nonce-tab1');
+      expect(nonce2).toBe('nonce-tab2');
+    });
+
+    it('token updates from one tab are visible to the other via shared tokenStorage', async () => {
+      const sharedTokenStorage = makeStorage();
+
+      const tab1 = initSession(configName, sharedTokenStorage, makeStorage());
+      const tab2 = initSession(configName, sharedTokenStorage, makeStorage());
+
+      tab1.setTokens({ accessToken: 'new-at', idToken: 'new-id' });
+
+      const tokensJson = tab2.getTokens();
+      expect(tokensJson).not.toBeNull();
+      const parsed = JSON.parse(tokensJson!);
+      expect(parsed.tokens.accessToken).toBe('new-at');
+    });
+  });
+});

packages/oidc-client/src/initSession.ts

@@ -1,7 +1,19 @@
-export const initSession = (configurationName, storage = sessionStorage) => {
+export const initSession = (
+  configurationName,
+  storage = sessionStorage,
+  loginStateStorage?: Storage,
+) => {
+  const loginStorage = loginStateStorage ?? storage;
+
   const clearAsync = status => {
     storage[`oidc.${configurationName}`] = JSON.stringify({ tokens: null, status });
     delete storage[`oidc.${configurationName}.userInfo`];
+    if (loginStateStorage && loginStateStorage !== storage) {
+      delete loginStorage[`oidc.login.${configurationName}`];
+      delete loginStorage[`oidc.state.${configurationName}`];
+      delete loginStorage[`oidc.code_verifier.${configurationName}`];
+      delete loginStorage[`oidc.nonce.${configurationName}`];
+    }
     return Promise.resolve();
   };
 
@@ -27,7 +39,7 @@ export const initSession = (configurationName, storage = sessionStorage) => {
   };
 
   const setNonceAsync = nonce => {
-    storage[`oidc.nonce.${configurationName}`] = nonce.nonce;
+    loginStorage[`oidc.nonce.${configurationName}`] = nonce.nonce;
   };
 
   const setDemonstratingProofOfPossessionJwkAsync = (jwk: JsonWebKey) => {
@@ -40,7 +52,7 @@ export const initSession = (configurationName, storage = sessionStorage) => {
 
   const getNonceAsync = async () => {
     // @ts-ignore
-    return { nonce: storage[`oidc.nonce.${configurationName}`] };
+    return { nonce: loginStorage[`oidc.nonce.${configurationName}`] };
   };
 
   const setDemonstratingProofOfPossessionNonce = async (dpopNonce: string) => {
@@ -61,10 +73,10 @@ export const initSession = (configurationName, storage = sessionStorage) => {
   const getLoginParamsCache = {};
   const setLoginParams = data => {
     getLoginParamsCache[configurationName] = data;
-    storage[`oidc.login.${configurationName}`] = JSON.stringify(data);
+    loginStorage[`oidc.login.${configurationName}`] = JSON.stringify(data);
   };
   const getLoginParams = () => {
-    const dataString = storage[`oidc.login.${configurationName}`];
+    const dataString = loginStorage[`oidc.login.${configurationName}`];
 
     if (!dataString) {
       console.warn(
@@ -80,19 +92,19 @@ export const initSession = (configurationName, storage = sessionStorage) => {
   };
 
   const getStateAsync = async () => {
-    return storage[`oidc.state.${configurationName}`];
+    return loginStorage[`oidc.state.${configurationName}`];
   };
 
   const setStateAsync = async (state: string) => {
-    storage[`oidc.state.${configurationName}`] = state;
+    loginStorage[`oidc.state.${configurationName}`] = state;
   };
 
   const getCodeVerifierAsync = async () => {
-    return storage[`oidc.code_verifier.${configurationName}`];
+    return loginStorage[`oidc.code_verifier.${configurationName}`];
   };
 
   const setCodeVerifierAsync = async codeVerifier => {
-    storage[`oidc.code_verifier.${configurationName}`] = codeVerifier;
+    loginStorage[`oidc.code_verifier.${configurationName}`] = codeVerifier;
   };
 
   return {

packages/oidc-client/src/keepSession.ts

@@ -1,4 +1,4 @@
-import { eventNames } from './events';
+import { eventNames } from './events';
 import { initSession } from './initSession';
 import { initWorkerAsync } from './initWorker';
 import Oidc from './oidc';
@@ -62,7 +62,11 @@ export const tryKeepSessionAsync = async (oidc: Oidc) => {
           message: 'service worker is not supported by this browser',
         });
       }
-      const session = initSession(oidc.configurationName, configuration.storage ?? sessionStorage);
+      const session = initSession(
+        oidc.configurationName,
+        configuration.storage ?? sessionStorage,
+        configuration.login_state_storage ?? configuration.storage ?? sessionStorage,
+      );
       const { tokens } = await session.initAsync();
       if (tokens) {
         // @ts-ignore

packages/oidc-client/src/login.ts

@@ -69,7 +69,11 @@ export const defaultLoginAsync =
           serviceWorker.startKeepAliveServiceWorker();
           storage = serviceWorker;
         } else {
-          const session = initSession(configurationName, configuration.storage ?? sessionStorage);
+          const session = initSession(
+            configurationName,
+            configuration.storage ?? sessionStorage,
+            configuration.login_state_storage ?? configuration.storage ?? sessionStorage,
+          );
           session.setLoginParams({ callbackPath: url, extras: originExtras, scope: scope });
           await session.setNonceAsync(nonce);
           storage = session;
@@ -131,6 +135,7 @@ export const loginCallbackAsync =
         const session = initSession(
           oidc.configurationName,
           configuration.storage ?? sessionStorage,
+          configuration.login_state_storage ?? configuration.storage ?? sessionStorage,
         );
         await session.setSessionStateAsync(sessionState);
         nonceData = await session.getNonceAsync();
@@ -186,7 +191,11 @@ export const loginCallbackAsync =
           const jwk = await generateJwkAsync(window)(
             configuration.demonstrating_proof_of_possession_configuration.generateKeyAlgorithm,
           );
-          const session = initSession(oidc.configurationName, configuration.storage);
+          const session = initSession(
+            oidc.configurationName,
+            configuration.storage,
+            configuration.login_state_storage ?? configuration.storage,
+          );
           await session.setDemonstratingProofOfPossessionJwkAsync(jwk);
           headersExtras['DPoP'] = await generateJwtDemonstratingProofOfPossessionAsync(window)(
             configuration.demonstrating_proof_of_possession_configuration,
@@ -251,7 +260,11 @@ export const loginCallbackAsync =
           );
         }
       } else {
-        const session = initSession(oidc.configurationName, configuration.storage);
+        const session = initSession(
+          oidc.configurationName,
+          configuration.storage,
+          configuration.login_state_storage ?? configuration.storage,
+        );
         loginParams = session.getLoginParams();
         if (demonstratingProofOfPossessionNonce) {
           await session.setDemonstratingProofOfPossessionNonce(demonstratingProofOfPossessionNonce);