Describe the bug

In a new session, when I hit /authorize requests in multiple tabs of the same browser session, I get the IDP login screen in all the tabs. After entering credentials, login to the IDP is successful, but a failure occurs in the Spring Security class OAuth2LoginAuthenticationFilter, in the attemptAuthentication method, at the following lines:

```java
// Excerpt from OAuth2LoginAuthenticationFilter.attemptAuthentication
OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestRepository
        .removeAuthorizationRequest(request, response);
if (authorizationRequest == null) {
    OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
```

I see that this was supported in older versions of Spring Security (< 6.x), but this support was removed in 6.x versions.

To Reproduce

1. In a new browser session, hit /authorize requests in multiple tabs of the same browser session
2. Log in to the IDP in all tabs
3. Login is successful
4. Failure occurs at the Spring Security class OAuth2LoginAuthenticationFilter as stated above

Expected behavior

A code should be returned in the /authorize call of each tab.


Comment From: pankajkumar80

Do we have any update on this? We are also facing the same issue.
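
The failure reported above fits a session-backed repository that keeps a single pending authorization request per session: the second tab's request replaces the first, so the first tab's callback finds nothing to remove. The following is an added example, not code from Spring Security or from this issue; the class name, session attribute name and the cap of 5 are assumptions. It sketches a custom `AuthorizationRequestRepository` that keys pending requests by `state` and bounds how many a session may hold.

```java
import jakarta.servlet.http.*;
import java.util.*;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.web.util.WebUtils;

// Hypothetical class (not part of Spring Security): one pending request per `state` value.
public class MultiTabAuthorizationRequestRepository
        implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {
    private static final String ATTR = MultiTabAuthorizationRequestRepository.class.getName() + ".PENDING";
    private static final int MAX_PENDING = 5; // assumed cap so the session cannot grow without bound

    @Override
    public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
        return find(request, false);
    }
    @Override
    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest,
            HttpServletRequest request, HttpServletResponse response) {
        if (authorizationRequest == null) { find(request, true); return; }
        HttpSession session = request.getSession();
        synchronized (WebUtils.getSessionMutex(session)) {
            Map<String, OAuth2AuthorizationRequest> map = pending(session);
            map.put(authorizationRequest.getState(), authorizationRequest);
            while (map.size() > MAX_PENDING) map.remove(map.keySet().iterator().next()); // evict oldest
            session.setAttribute(ATTR, map);
        }
    }
    @Override
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
            HttpServletResponse response) {
        return find(request, true);
    }
    // Matches the callback's `state` parameter to a stored request; consume=true makes it single-use.
    private OAuth2AuthorizationRequest find(HttpServletRequest request, boolean consume) {
        String state = request.getParameter(OAuth2ParameterNames.STATE);
        HttpSession session = request.getSession(false);
        if (state == null || session == null) return null;
        synchronized (WebUtils.getSessionMutex(session)) {
            Map<String, OAuth2AuthorizationRequest> map = pending(session);
            OAuth2AuthorizationRequest found = consume ? map.remove(state) : map.get(state);
            if (consume && found != null) session.setAttribute(ATTR, map); // write back for clustered sessions
            return found;
        }
    }
    @SuppressWarnings("unchecked")
    private Map<String, OAuth2AuthorizationRequest> pending(HttpSession session) {
        Object stored = session.getAttribute(ATTR);
        return (stored instanceof Map) ? (Map<String, OAuth2AuthorizationRequest>) stored : new LinkedHashMap<>();
    }
}
```

It would be registered through `oauth2Login(o -> o.authorizationEndpoint(a -> a.authorizationRequestRepository(new MultiTabAuthorizationRequestRepository())))`. Each stored request is still removed on first use, so a replayed callback with the same `state` fails as before.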