Subject from payload does not match subject from previous authentication revisit

I have a problem similar to "Subject from payload does not match subject from previous authentication"; however, the solution given there is not what I want to do.

We are doing something similar to the OP above, where we want to immediately accept the login and consent of the user. In our case the user has already authenticated (we know this from the session cookie) and we just want to set the SSO cookie. In my login provider I accept the login without displaying a login page. In my consent provider I accept the consent. I set the remember flag on both the login and the consent.

Upon the call to accept the login, I am intermittently getting a 400 Bad Request response, with the error "Subject from the payload does not match subject from the previous authentication" in the Hydra log. This problem goes away if I don't set remember on the login accept payload. However, then I don't get the SSO login cookie, which is the objective.

Hoping someone can provide some help or advice on what could be causing the 400.

This isn't really possible, unfortunately, as it has security implications. This should be referenced somewhere in the docs; if you find it helpful, I can try to find where that was.

I was able to solve this. The problem was that I was not requesting the openid scope, so I did not have an id_token to use for logout. Since I wasn't cleanly logging out, the previous session cookie was still alive. When the user (thinking he had logged out) attempted to log in with a different username, the error was generated. The solution was to add the openid scope and save the id_token to pass as the id_token_hint to end-session.

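The fix described in the answer above, carried through as an added example (this is not code from the thread or from Ory Hydra): request the openid scope so an id_token is returned, refuse to accept a login with remember=true when Hydra already holds a remembered session for a different subject, and build the end-session URL with id_token_hint so the old session is actually ended. Function names, the issuer and client values, and SAMPLE_ID_TOKEN (a constructed, unsigned token) are assumptions; the Hydra endpoints and the skip/subject fields of the login request are the ones Hydra's admin and public APIs expose.

```python
"""Hydra login/consent helpers: openid scope, guarded login accept, end-session
with id_token_hint. Added example, not from the forum thread or Ory Hydra."""
import base64
import json
from urllib.parse import urlencode


class SubjectMismatch(Exception):
    """The app would accept a login for a different subject than the one Hydra
    already remembers for this browser (the cause of the 400 in the thread)."""


def build_authorize_url(issuer, client_id, redirect_uri, scopes, state):
    """Build the /oauth2/auth URL, forcing the openid scope so the token response
    carries an id_token that can later be used as id_token_hint."""
    scope_list = list(scopes)
    if "openid" not in scope_list:
        scope_list.insert(0, "openid")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope_list),
        "state": state,
    }
    return f"{issuer.rstrip('/')}/oauth2/auth?{urlencode(params)}"


def build_login_accept_payload(login_request, subject, remember=True, remember_for=3600):
    """Body for PUT /oauth2/auth/requests/login/accept.

    login_request is the JSON from GET /oauth2/auth/requests/login. When Hydra
    already has a remembered session for the browser it sets skip=true and fills
    in subject; accepting a different subject is what Hydra rejects, so refuse
    here and let the caller end the old session first."""
    remembered = login_request.get("subject") or ""
    if login_request.get("skip") and remembered and remembered != subject:
        raise SubjectMismatch(
            f"Hydra remembers subject {remembered!r}; refusing to accept {subject!r} "
            "until that session is ended via end-session with id_token_hint"
        )
    return {"subject": subject, "remember": remember, "remember_for": remember_for}


def _b64url_decode(segment):
    """Decode a base64url segment whose padding was stripped (JWT convention)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_subject(id_token):
    """Return the `sub` claim of an id_token so the app can store the token per
    session and pick the right one for id_token_hint at logout.

    This does not verify the signature; verify against Hydra's JWKS before
    trusting the claims for anything beyond choosing which token to store."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return claims["sub"]


def build_end_session_url(issuer, id_token, post_logout_redirect_uri, state):
    """RP-initiated logout URL (/oauth2/sessions/logout) carrying id_token_hint,
    so Hydra ends the matching session and clears its cookie."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{issuer.rstrip('/')}/oauth2/sessions/logout?{urlencode(params)}"


def _make_unsigned_jwt(claims):
    """Constructed sample token (alg=none, empty signature) for the demo only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the id_token the app would have stored for alice's session.
SAMPLE_ID_TOKEN = _make_unsigned_jwt(
    {"iss": "https://hydra.example.internal", "sub": "alice", "aud": "my-app"}
)


if __name__ == "__main__":
    issuer = "https://hydra.example.internal"  # assumption
    print(build_authorize_url(issuer, "my-app", "https://app.example/cb", ["offline"], "s1"))
    print(build_login_accept_payload({"skip": False, "subject": ""}, "alice"))
    print("stored id_token belongs to", id_token_subject(SAMPLE_ID_TOKEN))
    print(build_end_session_url(issuer, SAMPLE_ID_TOKEN, "https://app.example/bye", "s2"))
```

The guard in build_login_accept_payload is the app-side check the thread was missing: when the login request arrives with skip=true for a subject other than the one about to be asserted, the right move is to send the browser to the end-session URL built from the stored id_token, not to accept the login.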