The user has the Moodle login page open in a browser tab but is already authenticated to Moodle in another tab. If the user attempts to initiate the oauth2 login process from the second tab, an "invalidsesskey" error is received
STEPS TO REPLICATE
One time set-up:
1. Setup an Oauth2 Microsoft service per the documentation, https://docs.moodle.org/36/en/OAuth_2_Microsoft_service.
2. Open the Moodle login page, <rooturl>/login/index.php.
3. Click Microsoft button.
4. From Microsoft Pick an account page, use another account and enter username
5. Enter password, leave "Stay signed in" unselected, and click Sign in.
6. Successfully redirected to Moodle. A Moodle account is created for the user during this initial login.
1. Close all Internet windows.
2. Open new Chrome browser.
3. Open the Moodle login page, <rooturl>/login/index.php.
4. Click Microsoft button.
5. From Microsoft Pick an account page, use another account and enter username
6. Enter password, leave "Stay signed in" unselected, and click Sign in.
7. Successfully redirected to Moodle.
8. Logout of Moodle.
9. Open Tab2 and go to Moodle login page, <rooturl>/login/index.php
10. Tab1: Click "Log in" and then click Microsoft button. Microsoft Pick an account page briefly displays then successfully redirected back into Moodle.
11. Tab2: click Microsoft button.
Your session has most likely timed out. Please log in again.
Error code: invalidsesskey
line 494 of /lib/setuplib.php: moodle_exception thrown
line 85 of /lib/sessionlib.php: call to print_error()
line 30 of /auth/oauth2/login.php: call to require_sesskey()
User logged in in second tab without error.
Replicated on 3.5.3 and 3.6.3.
ADDITIONAL INVESTIGATION NOTES
If the user tries to visit the login page while already authenticated to Moodle, the user receives a message stating "You are already logged in as <Name>, you need to log out before logging in as different user". However if the user had already loaded the login page in multiple tabs while not authenticated to Moodle this could allow for the opportunity to attempt oauth2 authentication while already logged in.
Repeating the same process using manual authentication does not produce an error. When the user tries to login again in the second tab, the login process proceeds normally without any errors.
Based on user reports, I highly suspect that there are other scenarios with oauth2 authentication which produce this invalidsesskey error, but this is the only specific scenario I have been able to replicate.