fix: add two-tier locking to prevent iframe race conditions

- Add global iframe lock to serialize iframe authorization requests
- Keep per-audience locking for refresh token flows (preserves MRRT performance)
- Fixes 'Invalid state' errors when multiple audiences requested in parallel
- Resolves regression introduced in v2.8.0 by PR #1408

Two-tier locking strategy:
- Outer lock (per-audience): Prevents duplicate calls for same audience
- Inner lock (global iframe): Prevents Auth0 session state conflicts

Refresh token flows bypass the inner lock and remain fully parallel.
Iframe flows acquire both locks to ensure correctness.

Author: yogeshchoudhary147

src/Auth0Client.ts

@@ -98,6 +98,7 @@ import {
   cacheFactory,
   getAuthorizeParams,
   buildGetTokenSilentlyLockKey,
+  buildIframeLockKey,
   OLD_IS_AUTHENTICATED_COOKIE_NAME,
   patchOpenUrlWithOnRedirect,
   getScopeToRequest,
@@ -1023,32 +1024,44 @@ export class Auth0Client {
       authorizationParams: AuthorizationParams & { scope: string };
     }
   ): Promise<GetTokenSilentlyResult> {
-    const params: AuthorizationParams & { scope: string } = {
-      ...options.authorizationParams,
-      prompt: 'none'
-    };
+    const iframeLockKey = buildIframeLockKey(this.options.clientId);
 
-    const orgHint = this.cookieStorage.get<string>(this.orgHintCookieName);
+    // Acquire global iframe lock to serialize iframe authorization flows
+    const lockAcquired = await retryPromise(
+      () => lock.acquireLock(iframeLockKey, 5000),
+      10
+    );
 
-    if (orgHint && !params.organization) {
-      params.organization = orgHint;
+    if (!lockAcquired) {
+      throw new TimeoutError();
     }
 
-    const {
-      url,
-      state: stateIn,
-      nonce: nonceIn,
-      code_verifier,
-      redirect_uri,
-      scope,
-      audience
-    } = await this._prepareAuthorizeUrl(
-      params,
-      { response_mode: 'web_message' },
-      window.location.origin
-    );
-
     try {
+      const params: AuthorizationParams & { scope: string } = {
+        ...options.authorizationParams,
+        prompt: 'none'
+      };
+
+      const orgHint = this.cookieStorage.get<string>(this.orgHintCookieName);
+
+      if (orgHint && !params.organization) {
+        params.organization = orgHint;
+      }
+
+      const {
+        url,
+        state: stateIn,
+        nonce: nonceIn,
+        code_verifier,
+        redirect_uri,
+        scope,
+        audience
+      } = await this._prepareAuthorizeUrl(
+        params,
+        { response_mode: 'web_message' },
+        window.location.origin
+      );
+
       // When a browser is running in a Cross-Origin Isolated context, using iframes is not possible.
       // It doesn't throw an error but times out instead, so we should exit early and inform the user about the reason.
       // https://developer.mozilla.org/en-US/docs/Web/API/crossOriginIsolated
@@ -1104,6 +1117,8 @@ export class Auth0Client {
         });
       }
       throw e;
+    } finally {
+      await lock.releaseLock(iframeLockKey);
     }
   }
 

src/Auth0Client.utils.ts

@@ -21,6 +21,16 @@ export const buildGetTokenSilentlyLockKey = (
   audience: string
 ) => `${GET_TOKEN_SILENTLY_LOCK_KEY}.${clientId}.${audience}`;
 
+/**
+ * @ignore
+ * Builds a global lock key for iframe-based authentication flows.
+ * This ensures only one iframe authorization request runs at a time per client,
+ * preventing "Invalid state" errors from concurrent iframe requests overwriting
+ * each other's state in the Auth0 session.
+ */
+export const buildIframeLockKey = (clientId: string) =>
+  `auth0.lock.iframe.${clientId}`;
+
 /**
  * @ignore
  */