Not Authorized error with External Authentication Strategy

[Swampy469]

Describe the bug
I am using a custom class that implements "AuthenticationStrategy" interface for a custom authentication flow.
After the first access (when there is no ChannelToken saved in the browser) each initial APIs call return 403 error code.
I find out that, even if the ChannelToken is saved (after the login), the initial (first 5 requests) APIs header requests doesn't contains "Vendure-Token".
After reloading the page (CTRL + R / F5) all is fine, each request contains the Vendure-Token as header.

The first 5 requests after loading doen't contains the "Vendure-Token" inside the headers

To Reproduce
Steps to reproduce the behavior:

1. Make sure there is no Vendure data in the browser (Token, sessions, etc..)
2. Access the Admin UI using an External Authentication strategy
3. Go to any section
4. See "not authorized" error

Expected behavior
You must be authorized immediatly after the first login with an external authentication strategy.

Environment (please complete the following information):

• @vendure/core version: 2.0.9
• Nodejs version: 18.16.1
• Database (mysql/postgres etc): postgres

Additional context
Installed plugins:

• MultiVendor
• AssetServer
• Email

[michaelbromley]

/bounty $50

[oliverqx]

/attempt #2363, can i get assigned?

[oliverqx]

I was able to reproduce the bug after a couple of hours setting up a fake environment.

I'm still working on it though, will have a solution by eod tomorrow. Def an issue with middleware but i still havent been able to pin point it.

[michaelbromley]

Listing duplicates:

• Keycloak authentication - cannot mantain session #2580
• SSO Login on Admin UI with bearer token - initial requests don't include authToken #1427