
OAuth2 CSRF CorrelationId with parallel requests

Jul 15, 2014 at 9:45 AM
We are facing a problem with the MS/FB OAuth2 authentication middlewares.

Our application sends 2 or more AJAX requests to our API.
The API is protected by a custom OAuth2 middleware (the same as the MS OAuth client middleware).

Here is the workflow:
App sends request1 to the API.
App sends request2 to the API.
API returns a 401 challenge with a random CorrelationId #1 for the 1st request.
API returns a 401 challenge with a random CorrelationId #2 for the 2nd request.
OAuth2 server supplies an access code for the 1st request.
OAuth2 server supplies an access code for the 2nd request.
API tries to validate CorrelationId #2 for the 1st request and fails (bad id)! <== Here is the problem!
API tries to validate CorrelationId #2 for the 2nd request and fails (no more correlation cookie)!

Is there a way to avoid this problem?
Coordinator
Jul 15, 2014 at 3:46 PM
I'd argue that trying to execute two concurrent OAuth2 flows is not a good idea regardless. These flows often require user interaction, where concurrency is likely to cause problems as well. I think your app needs to complete the login flow before attempting to submit multiple concurrent requests.
Jul 15, 2014 at 5:01 PM
You confirm my idea that it is up to the application to take care of this.
I think that it will be possible with a JavaScript promise chain.

Thanks for your advice!
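One way to do what the last two posts suggest on the client, as an added example that is not code from the thread: a gate that lets any number of concurrent API calls share a single login promise, so only one OAuth2 flow (and one correlation cookie) is ever in flight. The `fetchFn` and `loginFn` callbacks are assumed to be injected, and the backend here is a constructed fake that answers 401 until login completes.

```javascript
// Added example: serialize the login flow behind a shared promise so that
// concurrent requests never start parallel OAuth2 challenges.
// fetchFn(path) -> Promise<{status}> and loginFn() -> Promise<void> are
// assumed injectable; nothing here is the thread's or a library's code.
function createAuthGate({ fetchFn, loginFn }) {
  let loginInFlight = null; // the one login promise every waiter joins
  let loginsStarted = 0;

  function ensureLoggedIn() {
    if (loginInFlight === null) {
      loginsStarted += 1;
      loginInFlight = loginFn().finally(() => {
        loginInFlight = null; // allow a fresh login after this one ends
      });
    }
    return loginInFlight;
  }

  // Issue the request; on 401 wait for the shared login, then retry once.
  async function request(path) {
    let res = await fetchFn(path);
    if (res.status === 401) {
      await ensureLoggedIn();
      res = await fetchFn(path);
    }
    return res;
  }

  return { request, loginsStarted: () => loginsStarted };
}

// Constructed fake backend: 401 until a login has finished, then 200.
function createFakeBackend() {
  let loggedIn = false;
  let loginCalls = 0;

  const fetchFn = async (path) => ({ status: loggedIn ? 200 : 401, path });

  const loginFn = async () => {
    loginCalls += 1;
    await new Promise((resolve) => setTimeout(resolve, 10)); // redirect latency
    loggedIn = true;
  };

  return { fetchFn, loginFn, loginCalls: () => loginCalls };
}

// Three requests fired at once: all three get 401, share one login, retry.
async function demo() {
  const backend = createFakeBackend();
  const gate = createAuthGate(backend);
  const results = await Promise.all([
    gate.request("/api/a"),
    gate.request("/api/b"),
    gate.request("/api/c"),
  ]);
  return {
    statuses: results.map((r) => r.status),
    logins: backend.loginCalls(),
  };
}

demo().then((r) => console.log(r));
```

The retry is deliberately limited to one attempt per request: if the backend still answers 401 after a completed login, the caller sees that 401 rather than the gate looping through further challenges.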