Support for concurrent authentication (multiple states and origins) #103
| This is related to #95 and also seems like a duplicate of #88 and #75. Anyway, a lot of people seem interested in a fix for these issues. |
| This will fix a lot of issues related to the  is there anything I can do to get it merged, @tmilewski? |
| I'll have to take a look through all of this later. That said, any help would be greatly appreciated! At first glance, the big things, at this point, would be adding specs and getting it to pass CI. | 
| Just wanted to drop a quick note that we are seeing exactly the issue described in the PR. We use a single oauth provider for authentication and do indeed trigger authentication right away. When two or more tabs are going through authentication at the same time,  Any chances to get this patch finalized? | 
| Is this gonna happen or should I cherry-pick? |
Consider a scenario where you only allow your users to authenticate against a single oauth2 provider such as Google. With this scenario it's common not to have a login page and just immediately attempt authentication against the oauth2 provider. If the user starts up his browser and restores multiple tabs of your application, all these tabs redirect to the provider login screen. If the user then signs in on each tab he gets a CSRF error on all except the last tab that opened on your application callback because this gem only allows one `state` parameter in the session. Furthermore it doesn't redirect back to the origin correctly because it only stores one `origin` as well. This pull request stores multiple `state` parameters in the session and an `origin` for each of the `state`s.
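
The approach described above, sketched as an added example; it is not the code from this pull request or from the gem. The class name `PendingStates`, the session key, the cap and the TTL are assumptions chosen for illustration: each tab gets its own `state`, the callback accepts any still-pending `state` exactly once, and the matching `origin` is returned.

```ruby
require 'securerandom'

# Hypothetical helper (not the gem's API): keeps several pending OAuth2
# `state` values in the session, each mapped to the origin to return to.
class PendingStates
  KEY = 'oauth2.pending_states' # assumed session key
  MAX_PENDING = 5               # assumed cap, bounds cookie-session growth
  TTL = 600                     # assumed lifetime of a state, in seconds

  def initialize(session, clock: -> { Time.now.to_i })
    @session = session
    @clock = clock
  end

  # Request phase: mint a fresh state for this tab and remember its origin.
  def issue(origin)
    pending = live_entries
    pending.shift while pending.size >= MAX_PENDING # evict the oldest entry
    state = SecureRandom.hex(24)
    pending[state] = { 'origin' => origin, 'at' => @clock.call }
    @session[KEY] = pending
    state
  end

  # Callback phase: returns the origin for a pending state, or nil, which the
  # caller treats as a CSRF failure. The entry is deleted, so replay fails.
  def redeem(state)
    pending = live_entries
    entry = state.is_a?(String) ? pending.delete(state) : nil
    @session[KEY] = pending
    entry && entry['origin']
  end

  private

  # Pending entries that have not expired, oldest first.
  def live_entries
    now = @clock.call
    (@session[KEY] || {}).select { |_, e| now - e['at'] <= TTL }
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {} # constructed stand-in for the Rack session
  store = PendingStates.new(session)
  tab_a = store.issue('/inbox')
  tab_b = store.issue('/settings')
  p([store.redeem(tab_b), store.redeem(tab_a), store.redeem(tab_a)])
end
```

The cap and TTL keep abandoned tabs from filling the session, and the returned origin should still be checked to be a local path before redirecting to it.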