> > You'll end up in a similar situation to what we were encountering with
> > SAML+TOTP where anti-replay defenses conflict. You can work around that
> > with the same approach (pending merge): allow reuse of the code/link
> > while authentication is being refused only for transient reasons
> > (insufficient credentials, non-security client exceptions), and fully
> > invalidate the code/link only after authentication has 100% succeeded
> > (auth success event) or 100% failed (auth failure event from any other
> > exception).
>
> Yeah, five minutes after I sent this original e-mail I saw the update
> to the PR from James for that issue and went, "Huh, I bet these are
> related." I was looking at that PR and it seems like I'll need to do
> something similar to what James did with the EventListener class.

The EventListener seems to be the ticket - shamelessly copied James's work on that and it seems to take care of this issue :-D.

-Nick
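The deferred-invalidation approach discussed in this thread, as an added sketch that is not part of the original messages and not the project's own code: the code/link stays usable while authentication is refused for transient reasons and is burned on the first success or hard failure event. All names here (`OneTimeCodeStore`, `AuthOutcome`, `on_auth_event`) and the expiry window are assumptions made for illustration.

```python
import time
from enum import Enum, auto

class AuthOutcome(Enum):
    SUCCESS = auto()                   # auth success event
    INSUFFICIENT_CREDENTIALS = auto()  # e.g. second factor still required
    CLIENT_ERROR = auto()              # non-security client exception
    OTHER_FAILURE = auto()             # failure from any other exception

# Outcomes after which the same code/link may be presented again.
TRANSIENT = {AuthOutcome.INSUFFICIENT_CREDENTIALS, AuthOutcome.CLIENT_ERROR}

class OneTimeCodeStore:
    """Hypothetical store; invalidation is driven by auth events."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl, self._clock = ttl_seconds, clock
        self._codes = {}  # code -> (username, expiry)

    def issue(self, code, username):
        self._codes[code] = (username, self._clock() + self._ttl)

    def verify(self, code):
        """Return the username for a live code, or None. Never consumes."""
        entry = self._codes.get(code)
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() >= expiry:  # assumption: reuse window is bounded
            del self._codes[code]
            return None
        return username

    def on_auth_event(self, code, outcome):
        """Listener hook, called once per finished authentication attempt."""
        if outcome not in TRANSIENT:
            self._codes.pop(code, None)  # success or hard failure: burn it

def demo():
    now = [0.0]  # constructed clock so the run is deterministic
    store = OneTimeCodeStore(clock=lambda: now[0])
    code = "constructed-code-1"  # constructed sample value
    store.issue(code, "alice")
    seen = [store.verify(code)]  # attempt 1: code ok, TOTP missing
    store.on_auth_event(code, AuthOutcome.INSUFFICIENT_CREDENTIALS)
    seen.append(store.verify(code))  # attempt 2: same code plus TOTP
    store.on_auth_event(code, AuthOutcome.SUCCESS)
    seen.append(store.verify(code))  # attempt 3: replay after success
    return seen
```

Keeping an expiry on the code, as the sketch does, bounds how long a code that only ever sees transient refusals remains replayable.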