Session Storage Conflict Causes Authentication Failure When Switching Users with Different Organizations #48

@gtrrz-victor

Description

When switching between users associated with different organizations, the workos_organization_id stored in sessionStorage causes a conflict, preventing the new user from logging in successfully. Specifically, the workos_organization_id from the previous user's session is incorrectly included in the authentication request for the new user, resulting in a 400 error.

Steps to Reproduce:

  1. Log in as User A, who is associated with Org1 and Org2.
  2. Switch between Org1 and Org2 during the session. Observe that workos_organization_id is stored in sessionStorage.
  3. Log out of User A.
  4. Log in as User B, who is associated with Org3.
  5. Observe that the authentication request to https://{WORKOS_API_HOSTNAME}/user_management/authenticate fails with a 400 error.
  6. Inspect the request payload and note that the organization_id corresponds to the previous user's organization (Org1 or Org2).
  7. Manually delete the workos_organization_id item from sessionStorage.
  8. Attempt to log in as User B again. Observe that the login succeeds.

Expected Behavior:

When logging in as a new user, the workos_organization_id from the previous user's session should not interfere with the new user's authentication process.

The authentication request for User B should not include the organization_id of User A.

Actual Behavior:

The workos_organization_id from the previous user's session persists in sessionStorage and is incorrectly included in the authentication request for the new user.

This results in a 400 error, preventing User B from logging in.

Workaround:

Manually delete the workos_organization_id item from sessionStorage before logging in as a new user.

Additional Context:

This issue occurs consistently when switching between users with different organizations.

The workos_organization_id appears to be used for token refresh functionality, but it is not being cleared or updated correctly when a new user logs in.

Environment: Observed in the 0.9.0 version of the library.
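The mechanism described above, as an added example that is not code from the library or from the issue author: a stale `workos_organization_id` left in `sessionStorage` after logout is picked up and sent in the next user's authentication request, and two defender-side changes stop that. Node has no `window.sessionStorage`, so a constructed in-memory shim with the same `getItem`/`setItem`/`removeItem` API stands in for it; the helper names (`switchOrganization`, `logoutFixed`, `buildAuthRequestFixed`), the `session_token` and `workos_organization_owner` keys, and the users and organization ids are all hypothetical.

```javascript
// Added example modelling the report: a per-user value in sessionStorage
// survives logout and leaks into the next user's /user_management/authenticate
// payload. Key "workos_organization_id" is from the issue; everything else is
// a constructed stand-in, not the library's own code.

const ORG_KEY = 'workos_organization_id';          // key name from the issue
const ORG_OWNER_KEY = 'workos_organization_owner'; // hypothetical companion key
const TOKEN_KEY = 'session_token';                 // hypothetical token key

// Constructed in-memory replacement for window.sessionStorage (same API).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Hypothetical: called when the signed-in user switches organization (step 2).
function switchOrganization(storage, userEmail, orgId) {
  storage.setItem(ORG_KEY, orgId);
  storage.setItem(ORG_OWNER_KEY, userEmail); // remember whose org id this is
}

// Behaviour as reported: whatever org id is in storage is attached to the
// authentication payload, regardless of who is logging in.
function buildAuthRequestBuggy(storage, credentials) {
  const body = { ...credentials };
  const orgId = storage.getItem(ORG_KEY);
  if (orgId !== null) body.organization_id = orgId;
  return body;
}

// Logout as reported: only the token goes, the org id is left behind.
function logoutBuggy(storage) {
  storage.removeItem(TOKEN_KEY);
}

// Fix 1: logout removes every per-user key, not only the token.
function logoutFixed(storage) {
  for (const k of [TOKEN_KEY, ORG_KEY, ORG_OWNER_KEY]) storage.removeItem(k);
}

// Fix 2 (defence in depth, in case logout is skipped or the tab is reused):
// only reuse a stored org id when it was stored for the identity that is
// authenticating now; a value left by another user is discarded.
function buildAuthRequestFixed(storage, credentials) {
  const body = { ...credentials };
  const orgId = storage.getItem(ORG_KEY);
  const owner = storage.getItem(ORG_OWNER_KEY);
  if (orgId !== null && owner === credentials.email) {
    body.organization_id = orgId;
  } else if (orgId !== null) {
    storage.removeItem(ORG_KEY);
    storage.removeItem(ORG_OWNER_KEY);
  }
  return body;
}

// Walks the reproduction steps with constructed users/orgs and returns the
// organization_id that would be sent for User B (null when none is sent).
function reproduce(logout, buildAuthRequest) {
  const storage = new MemoryStorage();
  const userA = { email: 'a@example.com', password: 'constructed' };
  const userB = { email: 'b@example.com', password: 'constructed' };
  storage.setItem(TOKEN_KEY, 'tok-A');               // step 1: User A signed in
  switchOrganization(storage, userA.email, 'org_1'); // step 2: switch orgs
  switchOrganization(storage, userA.email, 'org_2');
  logout(storage);                                   // step 3
  const bodyB = buildAuthRequest(storage, userB);    // steps 4-6
  return bodyB.organization_id === undefined ? null : bodyB.organization_id;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('as reported :', reproduce(logoutBuggy, buildAuthRequestBuggy)); // org_2
  console.log('fix 1       :', reproduce(logoutFixed, buildAuthRequestBuggy)); // null
  console.log('fix 2       :', reproduce(logoutBuggy, buildAuthRequestFixed)); // null
}
```

The first line of output shows User A's last organization being sent for User B, which is the 400 the report describes; either fix alone prevents it, and the owner check also covers the case where the previous session ended without a logout call (tab reuse, crash) so the stale value never reaches the request.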

Metadata

Assignees

No one assigned

    Labels

    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests