As per this issue from github it is clear, that
Hydra doesn’t support two simoultaneous oauth2 auth code flows from the same browser.
I have client SPA application in browser, and login through hydra. Imagine the case, when someone opens two links to my application (let’s say its url is https://myapp.com). As he is not logged in, he will be redirected to https://login.myapp.com on both tabs, which is where my login-consent app is located. Hydra uses cookie for csrf protection. In my case csrf cookie from second tab will replace cookie from first tab. If user tries to login from first tab, he will get “The CSRF value from the token does not match the CSRF value from the data store” error.
Can I somehow fix this behavior? Any suggestions or workarounds?