Hi,
I got this error, "Validating access_token failed, wrong state/nonce", when logging in again after the session expired with multiple tabs open.
- ABP Framework version: v8.2.0
- UI Type: Angular
- Database System: EF Core (Oracle)
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Exception message and full stack trace: Validating access_token failed, wrong state/nonce
- Steps to reproduce the issue:
- Start Angular and .NET server and login
- Open second FE tab after login
- Wait for session to end or delete access_token key in local storage (easiest way to reproduce)
I also noticed this only happens in Chrome and Edge. It does not happen in Firefox.
Thanks.
7 Answer(s)
-
0
This error, "Validating access_token failed, wrong state/nonce," typically occurs in ABP Angular applications when multiple tabs are open and the session expires or the access_token is deleted. The root cause is that the OAuth2/OIDC state and nonce values are stored in browser storage (localStorage/sessionStorage), and having multiple tabs can cause these values to become out of sync, especially after a session timeout or manual token removal. Chrome and Edge are more aggressive in synchronizing storage across tabs, which is why the issue is more visible there compared to Firefox.
Solution / Workaround
- Single Tab Recommendation: This is a known limitation of SPA OAuth2/OIDC flows. Advise users to avoid logging in again in multiple tabs simultaneously after session expiration.
- Custom State/Nonce Storage: Consider customizing the storage mechanism for state/nonce to be tab-specific (e.g., using sessionStorage instead of localStorage, or using a unique key per tab).
- Session Management Module: ABP Commercial provides a Session Management feature to help prevent concurrent login/session issues. See the documentation for more details.
- Logout Handling: Ensure that your logout implementation clears all relevant tokens and state in all tabs, possibly by broadcasting a logout event using localStorage or another mechanism.
- Reference Issues: This is a common scenario in OAuth2/OIDC SPAs and is discussed in the community and GitHub issues. See the following for more details and possible workarounds:
- [ABP Issue #19576: Incorrect Session Handling – Insufficient Session Termination](https://github.com/abpframework/abp/issues/19576)
- ABP OpenIddict Angular Migration Guide
- ABP Support: Session/Token Issues
Sources:
- [ABP Issue #19576](https://github.com/abpframework/abp/issues/19576)
- OpenIddict Angular Migration Guide
- ABP Support: Session/Token Issues
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
hi, I don't think these AI answers solve my problem.
please help.
thanks
-
0
hi
Can you share the debug logs from the AuthServer project?
https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems
Thanks.
-
0
Hi,
Sorry for the late response.
Here are the logs.
You can download them as a text file. This is the only way I can share the logs in my org.
-
0
hi
This seems related to Chrome and angular-oauth2-oidc:
https://github.com/manfredsteyer/angular-oauth2-oidc/issues/728#issuecomment-1914817242
Can you try to set disableOAuth2StateCheck to true?
https://manfredsteyer.github.io/angular-oauth2-oidc/docs/classes/LoginOptions.html#disableOAuth2StateCheck
Thanks.
-
0
Hi,
Not sure how to set disableOAuth2StateCheck to false. I'm using abp angular template.
As for
This seems related to the Chrome & angular-oauth2-oidc
https://github.com/manfredsteyer/angular-oauth2-oidc/issues/728#issuecomment-1914817242
I have checked the thread and it seems there is no real fix for the issue.
-
0
Hi,
You can add the disableOAuth2StateCheck parameter under the oAuthConfig section in the environment file as follows:

```typescript
oAuthConfig: {
  issuer: 'https://localhost:44305/',
  clientId: 'MyProjectName_App',
  scope: 'offline_access MyProjectName',
  redirectUri: baseUrl,
  disableOAuth2StateCheck: true
}
```

However, this is not a recommended solution due to security reasons. I'm currently looking into alternative ways to solve this issue more securely.