
Session Storage Conflict Causes Authentication Failure When Switching Users with Different Organizations

Open gtrrz-victor opened this issue 11 months ago • 0 comments

When switching between users associated with different organizations, the workos_organization_id stored in sessionStorage causes a conflict, preventing the new user from logging in successfully. Specifically, the workos_organization_id from the previous user's session is incorrectly included in the authentication request for the new user, resulting in a 400 error.

Steps to Reproduce:

  1. Log in as User A, who is associated with Org1 and Org2.
  2. Switch between Org1 and Org2 during the session. Observe that workos_organization_id is stored in sessionStorage.
  3. Log out of User A.
  4. Log in as User B, who is associated with Org3.
  5. Observe that the authentication request to https://{WORKOS_API_HOSTNAME}/user_management/authenticate fails with a 400 error.
  6. Inspect the request payload and note that the organization_id corresponds to the previous user's organization (Org1 or Org2).
  7. Manually delete the workos_organization_id item from sessionStorage.
  8. Attempt to log in as User B again. Observe that the login succeeds.

Expected Behavior:

When logging in as a new user, the workos_organization_id from the previous user's session should not interfere with the new user's authentication process.

The authentication request for User B should not include the organization_id of User A.

Actual Behavior:

The workos_organization_id from the previous user's session persists in sessionStorage and is incorrectly included in the authentication request for the new user.

This results in a 400 error, preventing User B from logging in.

Workaround:

Manually delete the workos_organization_id item from sessionStorage before logging in as a new user.

Additional Context:

This issue occurs consistently when switching between users with different organizations.

The workos_organization_id appears to be used for token refresh functionality, but it is not being cleared or updated correctly when a new user logs in.

Environment: Observed in version 0.9.0 of the library.

gtrrz-victor avatar Feb 07 '25 00:02 gtrrz-victor
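The following is an added example, not code from the authkit library or from the issue reporter. It models the sessionStorage handling the report describes and the fix a maintainer would want: state keyed per sign-in session must be discarded at logout and must never be read when a fresh authorization code is exchanged. Only the storage key `workos_organization_id` and the 400 scenario come from the issue; the `workos_refresh_token` key, the payload field names (`grant_type`, `code`, `refresh_token`, `organization_id`) and the in-memory storage class are assumptions made so the example runs outside a browser.

```javascript
// Added example (not authkit's code). Storage key from the issue; everything else is assumed.
const ORG_KEY = 'workos_organization_id';     // key named in the issue
const TOKEN_KEY = 'workos_refresh_token';     // assumed name for the per-user token entry

// In-memory stand-in for window.sessionStorage so the example runs under Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// Legitimate use: remember the org the user switched to so token refreshes stay in it.
function switchOrganization(storage, organizationId) {
  storage.setItem(ORG_KEY, organizationId);
}

// Refresh request inside the same user's session: reusing the stored org id is intended.
function buildRefreshPayload(storage) {
  const payload = { grant_type: 'refresh_token', refresh_token: storage.getItem(TOKEN_KEY) };
  const orgId = storage.getItem(ORG_KEY);
  if (orgId) payload.organization_id = orgId;
  return payload;
}

// Reported behaviour: logout removes the token but leaves the org id behind ...
function logoutStale(storage) {
  storage.removeItem(TOKEN_KEY);
}

// ... and the initial sign-in request reads whatever org id is still in storage,
// so User A's organization is sent along with User B's authorization code.
function buildSignInPayloadStale(storage, code) {
  const payload = { grant_type: 'authorization_code', code };
  const orgId = storage.getItem(ORG_KEY);
  if (orgId) payload.organization_id = orgId; // stale value from the previous user leaks here
  return payload;
}

// Fix, part 1: logout discards every per-user item, not only the token.
function logout(storage) {
  storage.removeItem(TOKEN_KEY);
  storage.removeItem(ORG_KEY);
}

// Fix, part 2 (defence in depth): an authorization-code exchange starts a new user session,
// so any stored org id belongs to someone else and is dropped rather than sent.
function buildSignInPayload(storage, code) {
  storage.removeItem(ORG_KEY);
  return { grant_type: 'authorization_code', code };
}

// Walk through the issue's steps with either the reported or the fixed behaviour.
// Returns the payloads that would be sent plus whatever is left in storage afterwards.
function reproduce({ fixed }) {
  const storage = new MemoryStorage();
  storage.setItem(TOKEN_KEY, 'rt_userA');          // User A is signed in (constructed value)
  switchOrganization(storage, 'org_A2');            // step 2: User A switches to Org2
  const refresh = buildRefreshPayload(storage);     // refresh within A's session, org id expected
  (fixed ? logout : logoutStale)(storage);          // step 3: log out of User A
  const signIn = fixed                              // step 4: User B signs in with a new code
    ? buildSignInPayload(storage, 'code_userB')
    : buildSignInPayloadStale(storage, 'code_userB');
  return { refresh, signIn, leftoverOrgId: storage.getItem(ORG_KEY) };
}

// Sanity check a reviewer can run against captured payloads: a sign-in request
// must never carry an organization_id that the new user is not a member of.
function signInPayloadIsConsistent(signIn, allowedOrgIds) {
  return signIn.organization_id === undefined || allowedOrgIds.includes(signIn.organization_id);
}

console.log('reported:', JSON.stringify(reproduce({ fixed: false })));
console.log('fixed:   ', JSON.stringify(reproduce({ fixed: true })));
```

In the reported variant the sign-in payload for User B carries `organization_id: "org_A2"`, which is the stale value the issue describes; in the fixed variant the refresh inside User A's session still carries the org id (the intended use), while User B's sign-in payload has none and storage is empty after logout. `signInPayloadIsConsistent` is the check to apply to real captured requests: given the orgs the signing-in user belongs to, it flags a payload that names a foreign organization.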