Multiple concurrent RT renewals result in State mismatch error

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.0.1
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angularjs@1.x.x

Important: Please fill in your exact version number above, e.g. msal@1.1.3.

Framework

React

Description

Users get an exception “State mismatch error. Please check your network. Continued requests may cause cache overflow.”

Error Message

“State mismatch error. Please check your network. Continued requests may cause cache overflow.”

Security

  • Is this issue security related?

Regression

  • Did this behavior work before? Version:

MSAL Configuration

    const publicClientApp = new PublicClientApplication({
      auth: {
        clientId: this.clientId,
        authority: this.authority,
        redirectUri: this.loginRedirectUri,
        postLogoutRedirectUri: this.postLogoutRedirectUri
      },
      cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: isIEOrOldEdge // https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1188#issuecomment-634281307
      },
      system: {
        loadFrameTimeout: 30000,
        tokenRenewalOffsetSeconds: 60,
        loggerOptions: {
          loggerCallback: MsalAuthContext.msalLoggerCallback,
          piiLoggingEnabled: false,
          logLevel: LogLevel.Verbose
        }
      }
    });
    const handleRedirectPromise = publicClientApp
      .handleRedirectPromise()
      .then(response => {
        this.account = response ? response.account : this.getAccount();
        if (!this.account) {
          this.publicClientApp.loginRedirect({
            scopes: this.scopes,
            authority: this.authority
          });
        }
      })
      .catch(error => {
        if (error) {
          this.trackError(error);
        }
      });

Reproduction steps

  1. Make multiple acquireTokenSilent calls in parallel with different sets of scopes.
  2. When a new RT is needed, two requests to /authorize will be made.
  3. One of the requests will fail, as the temporary cache value will be overwritten.

Expected behavior

Browsers/Environment

These are the browsers we have observed so far with this error; it may not be just these browsers.

  • Chrome
  • Firefox
  • Edge
  • Safari
  • IE
  • Other (Please add browser name here)

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 12 (11 by maintainers)

Top GitHub Comments

2 reactions
jasonnutter commented, Sep 10, 2020

@jasonnutter, @jmckennon, is there a timeline on 2.1.1 release? We had to revert back to using 1.x in our app due to this issue: proposed workaround (make token fetches serial) causes perf regression so we can’t take it.

We’ll work to have this fixed soon (by next week, hopefully).

1 reaction
jasonnutter commented, Aug 24, 2020

Worked with @thoo1 to determine that this happens when multiple silent RT renewals happen in parallel, as the cached state value gets overwritten for one of the requests. Mitigation is to make these requests in serial.
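
The race and the serial mitigation described in the comment above, as an added example that is not part of the issue thread and not MSAL's own code. `FakeSilentClient` is a constructed stand-in that models a single shared temporary state slot, and `serialize` is a hypothetical wrapper that queues `acquireTokenSilent` calls.

```javascript
// Constructed model of the race: one shared slot holds the temporary
// "state" value for an in-flight /authorize request (not MSAL's real cache).
class FakeSilentClient {
  constructor() { this.tempState = null; this.counter = 0; }

  async acquireTokenSilent(request) {
    const state = `state-${++this.counter}`;
    this.tempState = state;                      // written before the round trip
    await new Promise(r => setTimeout(r, 10));   // simulated network delay
    if (this.tempState !== state) {              // another request overwrote the slot
      throw new Error("State mismatch error");
    }
    this.tempState = null;
    return { scopes: request.scopes, accessToken: `token-for-${request.scopes.join("+")}` };
  }
}

// Mitigation from the thread: run silent renewals one at a time.
// Each call is chained onto the previous one, whether it resolved or rejected.
function serialize(client) {
  let tail = Promise.resolve();
  return request => {
    const result = tail.then(() => client.acquireTokenSilent(request));
    tail = result.catch(() => {});               // keep the queue alive after a failure
    return result;
  };
}

// Returns how many of the requests failed when issued through `acquire`.
async function countFailures(acquire, requests) {
  const settled = await Promise.allSettled(requests.map(acquire));
  return settled.filter(s => s.status === "rejected").length;
}

const requests = [{ scopes: ["User.Read"] }, { scopes: ["Mail.Read"] }]; // constructed scopes

async function demo() {
  const raw = new FakeSilentClient();
  const parallel = await countFailures(r => raw.acquireTokenSilent(r), requests);
  const queued = await countFailures(serialize(new FakeSilentClient()), requests);
  return { parallel, queued };
}

demo().then(r => console.log(r)); // { parallel: 1, queued: 0 }
```

The queued calls complete one after another, which is the latency cost the Sep 10 comment refers to.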
