oidc-client: State not valid error in step-up authentication

Issue and Steps to Reproduce

In a step-up scenario, the user is already logged in using username/password. If the user logs out and logs in again with the TOTP, everything works fine and the user can access the protected resource. If instead the user does not log out and logs in requesting the TOTP, the authentication happens, but after the callback the oidc library throws an error.

Method used to login requesting a specific acr:

// the loa value is the string configured on the Identity Provider: "pwd" or "mfa" or "hwk"
await login({
   acr_values: loa
});

Error returned by the library:

Error: state not valid
  at login.ts:113:1
  at Generator.next (<anonymous>)
  at fulfilled (initWorker.ts:152:1)

GET https://localhost:3443/OidcKeepAliveServiceWorker.json net::ERR_FAILED
TypeError: Failed to fetch
  at keepAlive (initWorker.ts:112:1)
  at Object.startKeepAliveServiceWorker (initWorker.ts:227:1)
  at login.ts:91:1
  at Generator.next (<anonymous>)
  at fulfilled (initWorker.ts:152:1)

Versions

6.15.8

Additional Details

I suspect the library gets confused when the user is already logged in but the new token (the one with the higher acr value) is returned from the identity provider.

Thank you

About this issue

  • State: open
  • Created a year ago
  • Reactions: 1
  • Comments: 18 (9 by maintainers)

Most upvoted comments

Hi @raffaeler, thank you very much for your issue. It looks like a bug where the previous state is kept instead of the new state.