Use of ActionToken without Authentication Session for user activation will result in cookie errors

[twobiers]

Hello Keycloak Community,

we're currently relying on a customized user activation process where a user registration will be performed by a backend call and sends out an activation email. Therefore we don't have an active authentication session for the user and it is also not present in the token. Every newly registered user has an required action to set an initial password for itself. Therfore will be redirected to the required action during action token handling.

A problem comes into play when the user uses the action token in two separate tabs. Because the LoginActionsService will perform a fresh login everytime the action token is used, the authentication state is only valid for the most recent opened tab. When the password is being set in one of the previous tabs, it will result in a cookie_not_found CUSTOM_REQUIRED_ACTION_ERROR, because the new cookie is not associated with the Tab ID.
We see that this happens regular in our systems.

Currently we plan to introduce an intermediate verification step for fresh authentication sessions like it is in the default VerifyEmail action token handler, but is there anything else that can be done to mitigate this? Is it maybe something which should be covered in the authChecker script?