
Are user sessions on Google Cloud Run apps directed to the same instance?


For example,

If my app, which is scaled automatically by GCR, has OAuth 2.0 + PKCE authorization code flow against a third party identity provider, can I guarantee that after the user has logged in on the third party's site and is redirected back they are redirected back to the same instance?

If they are not, the new instance they are redirected back to will know nothing about the code_verifier, and authentication will fail.


Solution

  • Cloud Run load balancing does not guarantee landing on the same instance on successive requests for a user (i.e. sticky sessions). Between the two requests, the container might have crashed, scaled down, and scaled up again.

    Cloud Run containers are meant to be stateless. So if there are any multi-step authentication or session IDs you’re storing in your application, you should store such state in external storage (like Cloud Memorystore, Redis, Memcached, or a database).