We too have seen this issue and I've found a way to consistently reproduce it.
- Load the Drupal site in a new window and start the login process
- Start the "Forgot password" flow to get emailed a link to reset your password
- In a new private window, use the forgot password link from the email and complete the forgot password flow. Doing so should redirect you back to Drupal, but you'll end up with with a 403 Forbidden response.
From what I can tell, the above is happening because the "state" token that was sent back from the auth provider cannot be found (see line 229 of OpenIDConnectRedirectController.php). This appears to be because the state token is stored in session, tied to a cookie that does not exist in the new private window.
It's quite likely that this is behaving as intended since the state token that gets passed to the auth provider and then back to Drupal is used for anti-forgery purposes. If the forgot password flow is started and completed in the same browser window (or if a different window, ensure cookies are not cleared) then it completes just fine. However, confirmation of this would be appreciated.
We are also seeing issues with this module after updating to Drupal 10.2. The problem looks to be related to Drupal's switch to a different HTML parser: https://www.drupal.org/node/3225468 → .
Our solution for now is to patch this module to use the old HTML parsing code from Html::load() in Drupal 10.1.8. I've attached a patch for your reference. This probably isn't a great solution but it gets us unstuck.
Also, just wanted to say thanks for contributing this module! We really needed it in order for us to upgrade to Drupal 10 and CKEditor 5.
It's great to see all the work that's been done to resolve this as it's really been annoying our users getting the wrong image selected.
Looks like it's nearly at the finish line so I'm crossing my fingers it will make it into 10.2.2! Thanks!