[Bug]: concurrent silent-renew and normal authorize cause 400 bad request on connect/token endpoint

[RubMertens]

What Version of the library are you using?
Angular 14.0.4 with angular-auth-oidc-client 14.0.4

Describe the bug
When navigating a auto-login guarded route just before a silent-renew is running the library incorrectly sends the silent-renew redirect_uri to the /connect/token endpoint instead of the oidc-callback endpoint causing a 400 Bad Request with the server error invalid_redirect_uri.

To Reproduce
I've setup a repro repo on here

• Start the application.
• Monitor the console to see when the silent refresh is about to trigger
• start switching between the first and second child routes

With some luck you trigger the right sequence of events causing the issue. This might take some tries however...

Expected behavior
I don't think the silent renew is supposed to trigger during a normal authorize flow.

Screenshots
Debug logs + error in console

Desktop (please complete the following information):

• OS: widows 11
• Browser edge (chromium)
• Version 103.0.1264.44

Additional context

I've been digging around in the code and have found the following potential issue.

The code-flow-callback-handler checks if a silent renew is running when handling the callback for a code flow.

Here a flowsDataService is checked to see wether a silent renew is currently running. Setting the redirect_uri to /silent-renew.html instead of the oidc-callback redirect_uri.

IdentityServer4 checks this and throws a 400 on the token request as a result of them being different (and thus not belonging to the same code flow).

The isSilentRenewRunning by default uses sessionStorage to check if a silent-renew is running.

I think the offending setSilentRenewRunning happens here

[FabianGosebrink]

Is this issue still persistent?