At each authentication also all past codeVerifier are used to get the credential

[matteo-cristino]

When doing more than n consequent authentication it can be seen that at the n-th authentication call token endpoint n time where the first n-1 fails and have in them the codeVerifier of the previous authentications, e.g.

Looking at the code it seems to me that here

wallet/src/routes/[[lang]]/(protected)/credential-offer/+page.svelte

Lines 28 to 41 in 08560a3

	window.addEventListener('message', async function (event) {
	if (event.origin === window.location.origin) return;
	try {
	code = JSON.parse(event.data).code;
	await getCredential();
	} catch {
	feedback = {
	type: 'error',
	message: event.data,
	feedback: 'Error authenticating with the service. Please try again.'
	};
	content.scrollToTop();
	}
	});

eventListeners are added, but then never removed and this causes the multiple call on each authentication,

[matteo-cristino]

This issue is still present

[puria]

The fix caf4bd0 seems good but was part of a fix tabbar branch in a draft PR that was closed without being merged... and never part of the actual codebase!
Maybe you want to cherrypick the commit and open PR just to fix this issue.