marcocebrian / kagisearchsafari

Kagi Search Extension for Safari Browser

Breaks Google SSO #5

Open uri-canva opened 2 years ago

uri-canva commented 2 years ago

Not sure how the extension hooks into the search, but if I have it enabled and log into google using an SSO provider it redirects to kagi instead of to the google auth callback.

doytch commented 2 years ago

Also seems to break other Google services like GCP.

marcocebrian commented 2 years ago

Could you provide an example / scenario that I can test myself to reproduce the issue?

Thanks in advance

doytch commented 2 years ago

@marcocebrian, I can't help you reproduce my exact usage since it's logging into our client's VPN'd GCP instance, but I can share some of the redirects that are happening to me. While stepping through them it looks like the exact same issue that @uri-canva is seeing.

  1. While logged out, load GCP via an https://console.cloud.google.com/kubernetes/... URL.
  2. You'll be redirected to Google's SSO page at https://accounts.google.com/ServiceLogin/signinchooser
  3. Enter your details and hit enter and you'll enter into some redirect pinball. I see a request to accounts.google.com/_/bscframe
  4. A redirect to accounts.youtube.com/accounts/CheckConnection
  5. A redirect to accounts.google.com/ServiceLogin
  6. A redirect to www.google.com/a/${MY_CLIENT}/acs. Google is now presumably looking up my client's SSO configs.
  7. A redirect to https://MY_CLIENT.okta.com/app/google/..../sso/saml. My client uses Okta for auth so we're now authing through that and responding with a successful auth. (In case it's useful, the continue parameter in the /saml request contains the original GCP URL of https://console.cloud.google.com/kubernetes/...)
  8. And finally, a redirect to kagi.com/search

So it seems like the response/redirect from the SAML authorization is being picked up by the plugin and incorrectly routing to Kagi. I'd be curious to know if @uri-canva's SSO scenario is also SAML auth.

Let me know if you need more info.
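Added example, not the extension's code: the thread does not show how the extension matches URLs, so this assumes a host-based rule and contrasts it with one that requires Google's `/search` path and a `q` parameter, run over the redirect chain reported above (client, Okta tenant and elided path segments are placeholders).

```javascript
// Assumed naive rule: any URL on a google.com host is treated as a search
// and sent to Kagi. This is a hypothesis about the bug, not the extension's code.
function naiveShouldRedirect(url) {
  const u = new URL(url);
  return /(^|\.)google\.com$/.test(u.hostname);
}

// Tighter rule: only www.google.com/search with a non-empty q parameter.
// The SAML ACS endpoint (www.google.com/a/<client>/acs) has neither, so it
// passes through untouched and the SSO callback completes normally.
function strictShouldRedirect(url) {
  const u = new URL(url);
  if (u.hostname !== "www.google.com" && u.hostname !== "google.com") return false;
  if (u.pathname !== "/search") return false;
  const q = u.searchParams.get("q");
  return q !== null && q.trim() !== "";
}

// Build the Kagi URL only from the search terms; nothing else from the
// original URL (e.g. a SAML `continue` parameter) is carried across.
function toKagi(url) {
  const q = new URL(url).searchParams.get("q");
  return "https://kagi.com/search?q=" + encodeURIComponent(q);
}

// Constructed stand-in for the redirect chain in the report above.
// "example-client" and "APP_ID" are placeholders for the elided values.
const SSO_CHAIN = [
  "https://console.cloud.google.com/kubernetes/",
  "https://accounts.google.com/ServiceLogin/signinchooser",
  "https://accounts.google.com/_/bscframe",
  "https://accounts.youtube.com/accounts/CheckConnection",
  "https://accounts.google.com/ServiceLogin",
  "https://www.google.com/a/example-client/acs",
  "https://example-client.okta.com/app/google/APP_ID/sso/saml?continue=" +
    encodeURIComponent("https://console.cloud.google.com/kubernetes/"),
];

// A genuine search, which both rules should redirect.
const SEARCH_URL = "https://www.google.com/search?q=kagi+safari+extension";

// How many hops of the SSO chain a given rule would hijack.
function countRedirects(rule, urls) {
  return urls.filter(rule).length;
}
```

Under the naive rule five of the seven SSO hops would be redirected, including the SAML ACS step; under the strict rule none are, while the real search still lands on kagi.com/search.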

uri-canva commented 2 years ago

Yup, mine is exactly the same, also with Okta.