Closed infojunkie closed 6 years ago
That's how I was able to reproduce it:
Actually I was able to reproduce in a simpler way now...
Maybe related to this error:
Refused to execute script from 'https://accounts.google.com/o/oauth2/revoke?token=...&callback=angular.callbacks._0' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.
So, this is the problem:
revoke endpoint
revoke endpoint was called, but that token is not valid anymore - so the user is not able to log back in
I can confirm that this happens because no HTTP request is made to get a fresh token during the interval in which the token should be valid. Also, it works well in an incognito window. Need to find out where the token is cached (and it keeps cached even if the page is reloaded): I already verified it's not on localStorage or cookies.
I tried hard and for hours to be able to continue using gapi.auth.authorize for authentication, although this method is not encouraged by Google (from https://developers.google.com/identity/sign-in/web/reference#gapiauth2authorizeparams-callback):
Warning: do not use this method alongside the recommended gapi.auth2.init and signIn flow. These are two distinct behaviors (Authorization for gapi.auth2.authorize vs Authentication for gapi.auth2.init/signIn) and will have unexpected issues if used within the same application.
Basically, the code was using for authentication something that is for authorization only. I tried many hacks to make it work for a real authentication flow, but they didn't work.
I replaced the auth.authorize method by auth2.signIn for login and the manual way of logout (which is to call the REST API revoke endpoint manually) by auth2.signOut. I didn't change the library version. Now everything works well. I pushed the code to a new branch. I'll test a little more, record a screencast, merge to develop and close this issue.
Merged. The fix is available on develop. This video shows the problem: https://www.youtube.com/watch?v=hnDDQkRmNXY. After we log out and refresh the page, we are still logged in for some seconds. Another refresh, and we are at the login page. But if we try to log in, we can't, and we get an "Invalid token" error message. This other video shows that the flow works after the fix: https://www.youtube.com/watch?v=a5xnIAxihTk.
I confirm that:
Labeled as pending test deployment. Will close as soon as this is deployed to the test server and verified by QA people.
Deployed to QA, please verify.
Verified
Verified on live ✔
We have received reports that some users aren't able to login. This issue is to track those occurrences.