Fix false login failures caused by stale OAuth session state#26

Merged
CarensirA-MF merged 1 commit into master from fix/oauth-stale-session-handling
Apr 8, 2026

Conversation

@CarensirA-MF
Contributor

Summary

  • Catch MismatchingStateError separately from generic OAuth errors in both Google and Keycloak callbacks
  • Auto-retry the OAuth flow on stale session instead of showing "Authentication failed" to the user
  • Log stale session events as INFO with reason "stale_session" instead of WARNING with "oauth_error"
  • Update ProxyFix comment to reflect Heroku deployment (also needs BEHIND_PROXY=true set in Heroku config to fix 10.1.x.x IPs in audit logs)

Context

Audit logs were showing many login failures with {"reason": "oauth_error", "email": null, "provider": "keycloak"}, each paired with a successful login from the same IP moments later. These are caused by users returning to the app after their Flask session expires but while their Keycloak SSO session is still active — the OAuth state token no longer matches, causing a benign MismatchingStateError.
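The callback logic the description outlines, as an added example that is not the project's code: the stored state is compared to the returned one, a mismatch caused by a missing Flask session is logged as INFO "stale_session" and the flow is restarted, while other OAuth errors keep the WARNING "oauth_error". The MismatchingStateError/OAuthError classes, the Session stand-in and the MAX_STATE_RETRIES cap (added so a persistent mismatch cannot loop forever) are assumptions, not names from the project.

```python
import hmac
import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("audit")

# Stand-ins for the OAuth client library's exception hierarchy (assumed names).
class OAuthError(Exception): ...
class MismatchingStateError(OAuthError): ...

MAX_STATE_RETRIES = 1  # assumption: one silent restart, then surface the failure

@dataclass
class Session:
    """Minimal stand-in for the Flask session dict."""
    data: dict = field(default_factory=dict)

def begin_login(session: Session) -> str:
    """Store a fresh CSRF state in the session and return it for the redirect."""
    state = secrets.token_urlsafe(32)
    session.data["oauth_state"] = state
    return state

def fetch_token(session: Session, returned_state: str) -> dict:
    """Stand-in for the provider token exchange: enforce the state check."""
    stored = session.data.pop("oauth_state", None)
    if stored is None or not hmac.compare_digest(stored, returned_state):
        raise MismatchingStateError("state missing or mismatched")
    return {"email": "user@example.com"}  # constructed claims

def oauth_callback(session: Session, returned_state: str, provider: str) -> dict:
    """Return the action the view should take: 'login', 'retry' or 'fail'."""
    try:
        claims = fetch_token(session, returned_state)
    except MismatchingStateError:
        retries = session.data.get("oauth_retries", 0)
        if retries < MAX_STATE_RETRIES:
            # Stale Flask session with a live SSO session: benign, restart the flow.
            session.data["oauth_retries"] = retries + 1
            log.info({"reason": "stale_session", "email": None, "provider": provider})
            return {"action": "retry", "state": begin_login(session)}
        log.warning({"reason": "oauth_error", "email": None, "provider": provider})
        return {"action": "fail"}
    except OAuthError:
        log.warning({"reason": "oauth_error", "email": None, "provider": provider})
        return {"action": "fail"}
    session.data.pop("oauth_retries", None)
    return {"action": "login", "email": claims["email"]}
```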

@CarensirA-MF CarensirA-MF merged commit 7994e06 into master Apr 8, 2026
3 checks passed
@CarensirA-MF CarensirA-MF deleted the fix/oauth-stale-session-handling branch April 8, 2026 23:35