dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

External Google login breaks when logging from mobile device where there are multiple google accounts #39513

Open feugen24 opened 2 years ago

feugen24 commented 2 years ago

Is there an existing issue for this?

Describe the bug

I'm working on an ASP.NET Core (.NET 5, Authentication v5.0.13 packages) app that uses Google login. All seemed to be working OK until I noticed that Android login from Chrome no longer works.

This happened only when there are multiple logon accounts on the mobile device, both Android and Safari on iPad (Android Chrome: Settings, click on your account, Add account). If I remove accounts and leave only one, it works again.

The problem:

When the `/signin-google?state=` path is called with a single account, I have the request header `Referer: https://my-site.com/`, but when there are multiple accounts Google introduces the account-picker screen and that changes it to `Referer: https://accounts.google.com/`. Because of this, the `Identity.External` cookie from the response is ignored, because it has `samesite=lax` (see attached pic).

The next request is to `ExternalLogin` with no `Identity.External` cookie, so `await _signInManager.GetExternalLoginInfoAsync();` will return null.

The fix: same as issue 318

```csharp
services.ConfigureExternalCookie(options =>
{
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});
```

I could not find this in docs or issues from other users, and it was very difficult to debug (~3 days) but the problem seems very general so maybe I'm missing something.

Expected Behavior

Google login should work with multiple accounts.

Steps To Reproduce

I assume a basic .NET 5 (not sure about 6) project with Google authentication, NuGet authentication libs v5.0.13, and multiple Google accounts, but without this code:

```csharp
services.ConfigureExternalCookie(options =>
{
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});
```

Exceptions (if any)

`await _signInManager.GetExternalLoginInfoAsync();` returns null

.NET Version

5

Anything else?

(attached screenshot: google_multiple_login)
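The configuration below is an added example, not the issue author's code or the framework's own defaults: it puts the Lax setting described above beside a version that relaxes SameSite for the external cookie only together with the attributes that make that acceptable. It assumes ASP.NET Core Identity and the Google handler are already registered and that the site is served over HTTPS, which SameSite=None requires.

```csharp
// Added example (not from the issue or the aspnetcore repo). Assumes ASP.NET Core
// Identity is registered (so ConfigureExternalCookie is available) and the site is
// served over HTTPS.
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class ExternalCookieSetup
{
    // Weak setting: the behaviour the issue reports. With SameSite=Lax, the browser
    // withholds Identity.External on the request that follows the cross-site hop through
    // accounts.google.com, so GetExternalLoginInfoAsync() returns null on the callback.
    public static void ConfigureLax(IServiceCollection services)
    {
        services.ConfigureExternalCookie(options =>
        {
            options.Cookie.SameSite = SameSiteMode.Lax;
        });
    }

    // Corrected setting: allow the cookie on the cross-site return leg, but pair it with
    // the attributes that limit what a SameSite=None cookie can be abused for.
    public static void ConfigureForCrossSiteReturn(IServiceCollection services)
    {
        services.ConfigureExternalCookie(options =>
        {
            options.Cookie.SameSite = SameSiteMode.None;
            // Browsers reject SameSite=None cookies that are not also marked Secure,
            // so always require HTTPS rather than mirroring the request scheme.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Script never needs this cookie; it is read only by the sign-in callback.
            options.Cookie.HttpOnly = true;
            // The external cookie only carries the provider's principal between
            // /signin-google and the ExternalLogin callback, so keep its lifetime short.
            // Five minutes is the value chosen for this example.
            options.ExpireTimeSpan = TimeSpan.FromMinutes(5);
            options.SlidingExpiration = false;
        });
    }
}
```

Only the external cookie is widened here; the application cookie that represents the signed-in session keeps its default SameSite setting.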

adityamandaleeka commented 2 years ago

Triage: Let's document this behavior in the docs to help others who will hit the same thing.

Might also consider changing the default for the External cookie to having SameSite None.

ghost commented 2 years ago

Thanks for contacting us.

We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or it's a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled, you can read more about our triage process here.

ghost commented 2 years ago

Thanks for contacting us.

We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or it's a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled, you can read more about our triage process here.