Silent refresh with multiple tabs

[eduardocalixtoviasoft]

The question
I currently having a problem using silent-refresh with multiple tabs and localStorage. As far as I know, the "bug" occurs due to nonce be shared between tabs, making all silent-refresh fail because of wrong nonce. Thus, should I change something in my code? My current probable solution is to set only nonce to be saved in sessionStorage, this way no conflict would happen between tabs.

To Reproduce
Steps to reproduce the behavior:

1. Have an app with silentRefresh and set localStorage as oauth Storage
2. Wait for silent-refresh request
3. In Console, there will be a error due to wrong nonce

Desktop (please complete the following information):

• OS: Windows
• Browser Chrome
• Version 80.0.3987.149

Edit 1
Forgot to say that I'm using angular-oauth2-oidc 8.0.2 version, not the latest (released this month)

[jeroenheijmans]

This is expected behavior currently I think. If your app shares login state between tabs via a certain OAuthStorage (e.g. localStorage), and multiple tabs start login at the same time, some of them will fail when they return and other tabs already updated things.

The options I can think of that you have:

1. Just let it be. There's no effect for your users.
2. Just let it be, but provide your own logger to the library's logging dependency, and filter out this stuff.
3. Prevent your app from trying login on multiple tabs at the same time, by having some form of cross-tab communication.
4. Switch to each tab using its own storage.

We could certainly leave this issue open, as it might make sense to have a Feature Request (?) open for the library to support option 3?

[EraYaN]

Authentication servers can decide to invalidate your grant when you reuse refresh tokens so this breaks them, because often if the refreshes are close enough they will result in token reuse (And thus cause a log out event).

EDIT: seems like what I meant is more like #850 or #1148