
Not able to perform simultaneous auth flows with different clients #3019

Closed
5 of 6 tasks
sidharthramesh opened this issue Mar 3, 2022 · 3 comments · Fixed by #3059
Labels
bug Something is not working.

Comments

@sidharthramesh

sidharthramesh commented Mar 3, 2022

Preflight checklist

Describe the bug

After reading this comment, I understand that Hydra didn't support this 4 years ago (Wow, that's a long time!). However, I feel that when multiple distinct clients are performing the auth flow, hydra should be able to support each of them individually.

Reproducing the bug

  1. Open 2 different apps, with 2 different clients
  2. Initiate the login flow in different tabs of the same browser
  3. Error: The CSRF value from the token does not match the CSRF value from the data store

Version

v1.10.7

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

Here's the use case: We have multiple apps loaded in an iFrame and they all perform the authentication flow simultaneously. This is according to the SMART on FHIR specification for healthcare applications. We need to load all the iFrames simultaneously to optimize the speed of loading. Also, there are instances when multiple apps with different client ids might be opened on different tabs. We don't have control over most of these applications since they are developed by 3rd party developers.

@sidharthramesh sidharthramesh added the bug Something is not working. label Mar 3, 2022
@sidharthramesh
Author

sidharthramesh commented Mar 3, 2022

How about setting the cookie name based on the client_id? Or something similar?

More discussions here: https://stackoverflow.com/questions/65493296/authorization-code-flow-concurrent-requests-from-multiple-tabs

@sidharthramesh sidharthramesh changed the title Not able to perform multiple simoultaneous oauth2 auth code with different clients Not able to perform multiple simoultaneous oauth2 auth flows with different clients Mar 3, 2022
@sidharthramesh
Author

For example, if instead of using a constant cookieAuthenticationCSRFName in these places:

```go
if err := createCsrfSession(w, r, s.r.CookieStore(), cookieAuthenticationCSRFName, csrf, s.c.TLS(config.PublicInterface).Enabled(), s.c.CookieSameSiteMode(), s.c.CookieSameSiteLegacyWorkaround()); err != nil {
```

```go
if err := validateCsrfSession(r, s.r.CookieStore(), cookieAuthenticationCSRFName, session.LoginRequest.CSRF, s.c.CookieSameSiteLegacyWorkaround(), s.c.TLS(config.PublicInterface).Enabled()); err != nil {
```

if we can somehow make it specific for each client, cookieAuthenticationCSRFName + clientId for instance, do you see it causing any problems?

@sidharthramesh sidharthramesh changed the title Not able to perform multiple simoultaneous oauth2 auth flows with different clients Not able to perform simultaneous auth flows with different clients Mar 3, 2022
@miroljub1995

miroljub1995 commented Jun 21, 2022

Any updates on this? Will this resolve only the case of different clients running simultaneously, but not e.g. two login sessions for the same client opened in two tabs?
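To make the failure behind the reproduction steps concrete, and to show what the proposed cookieAuthenticationCSRFName + clientId cookie name does and does not fix, here is an added Go example. It is not Hydra's code: the authorization server, its /login/start and /login/complete endpoints, the token generation and the client ids app-a and app-b are all constructed stand-ins for Hydra's login flow. One cookie jar plays the role of one browser whose tabs start their flows before any of them completes.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// The constant cookie name quoted in the issue. Everything else below is a
// hypothetical stand-in for Hydra's login flow, not Hydra's own code.
const cookieAuthenticationCSRFName = "oauth2_authentication_csrf"

// loginRequest stands in for the server-side LoginRequest: the CSRF token the data store holds for one login challenge.
type loginRequest struct{ ClientID, CSRF string }

// authServer is a toy authorization server. cookieNameFor picks the cookie that
// carries the CSRF token for a client: the knob the issue proposes to change.
// Requests in this demo are sequential, so the map needs no locking.
type authServer struct {
	requests      map[string]loginRequest // login challenge -> stored request
	cookieNameFor func(clientID string) string
}

func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// start: store the CSRF token server-side, set the cookie, return the challenge.
func (s *authServer) start(w http.ResponseWriter, r *http.Request) {
	clientID := r.URL.Query().Get("client_id")
	challenge, csrf := newToken(), newToken()
	s.requests[challenge] = loginRequest{ClientID: clientID, CSRF: csrf}
	http.SetCookie(w, &http.Cookie{Name: s.cookieNameFor(clientID), Value: csrf, Path: "/"})
	io.WriteString(w, challenge)
}

// complete: the CSRF cookie presented must equal the token stored for the challenge.
func (s *authServer) complete(w http.ResponseWriter, r *http.Request) {
	req, ok := s.requests[r.URL.Query().Get("login_challenge")]
	if !ok {
		http.Error(w, "unknown login challenge", http.StatusNotFound)
		return
	}
	if c, err := r.Cookie(s.cookieNameFor(req.ClientID)); err != nil || c.Value != req.CSRF {
		http.Error(w, "The CSRF value from the token does not match the CSRF value from the data store", http.StatusForbidden)
		return
	}
	io.WriteString(w, "ok")
}

// runConcurrentFlows drives one browser (one cookie jar) in which every listed
// client starts a login flow before any of them completes, as in the
// reproduction steps, and returns each client's completion status code in order.
func runConcurrentFlows(cookieNameFor func(string) string, clients ...string) ([]int, error) {
	srv := &authServer{requests: map[string]loginRequest{}, cookieNameFor: cookieNameFor}
	mux := http.NewServeMux()
	mux.HandleFunc("/login/start", srv.start)
	mux.HandleFunc("/login/complete", srv.complete)
	ts := httptest.NewServer(mux)
	defer ts.Close()
	jar, _ := cookiejar.New(nil) // only errors on a bad Options value
	browser := &http.Client{Jar: jar}
	challenges := make([]string, len(clients))
	for i, id := range clients { // all tabs start their flow first...
		resp, err := browser.Get(ts.URL + "/login/start?client_id=" + id)
		if err != nil {
			return nil, err
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		challenges[i] = string(body)
	}
	status := make([]int, len(clients))
	for i := range clients { // ...then each tries to complete its own
		resp, err := browser.Get(ts.URL + "/login/complete?login_challenge=" + challenges[i])
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		status[i] = resp.StatusCode
	}
	return status, nil
}

// constantCookieName is today's behaviour; perClientCookieName is the issue's
// proposal of cookieAuthenticationCSRFName + clientId.
func constantCookieName(string) string          { return cookieAuthenticationCSRFName }
func perClientCookieName(clientID string) string { return cookieAuthenticationCSRFName + "_" + clientID }

func main() {
	for _, fn := range []func(string) string{constantCookieName, perClientCookieName} {
		ab, _ := runConcurrentFlows(fn, "app-a", "app-b") // two clients, constructed ids
		aa, _ := runConcurrentFlows(fn, "app-a", "app-a") // the same client in two tabs
		fmt.Println(ab, aa)
	}
}
```

With the constant name, the second tab's Set-Cookie replaces the first tab's CSRF cookie, so whichever flow completes first sees the "does not match" error. Keying the cookie on the client id keeps app-a's and app-b's cookies apart, but two flows for the same client still share one cookie and the earlier one still fails, which is exactly the case raised in the last comment; separating those would need a key that is per flow rather than per client.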
