mozilla-lockwise / lockbox-extension

Experimental Firefox extension for login management experiences, not being actively developed
Mozilla Public License 2.0

Lockbox sign-in sometimes requires me to sign into FxA twice #464

Open cpeterso opened 6 years ago

cpeterso commented 6 years ago

The Lockbox extension sometimes requires me to sign into FxA twice. I need to re-confirm my device and enter my FxA password a second time before Lockbox will show my saved usernames and passwords. I don't know under which conditions. Maybe I haven't signed into FxA for a while?

  1. I click the Lockbox toolbar menu's "Sign In" button.
  2. The FxA login window opens.
  3. I try to log into FxA, but it says I need to confirm my new sign-in (even though I have logged into FxA from this laptop and Firefox profile before).
  4. I receive the FxA "Confirm new sign-in to Firefox" email.
  5. I click the email's "Confirm sign-in" button, which opens a new tab confirming that I am now signed into FxA.
  6. I expand the Lockbox toolbar menu again and click the "Sign In" button, which opens the FxA login window again (from step 2) and forces me to enter my FxA password a second time.

linuxwolf commented 6 years ago

Having to sign in again is a bug somewhere. If you can remember or determine a sequence or scenario that reliably reproduces, it would greatly help.

The verification requirement is a little bothersome, right now we rely on cached cookies to hint to FxA. We've discussed with FxA on potentially better alternatives but haven't implemented anything there yet.

Including @rfk for notice and feedback.

rfk commented 6 years ago

> We've discussed with FxA on potentially better alternatives but haven't implemented anything there yet.

Yep, this is definitely on the FxA team to do better here, we've got some proposals in the works and hopefully will ship the first improvements in our next release...

> I try to log into FxA, but it says I need to confirm my new sign-in (even though I have logged into FxA from this laptop and Firefox profile before).

@cpeterso were you signed in to sync on this Firefox profile at the time, or had you previously been signed in to sync?

> I click the email's "Confirm sign-in" button, which opens a new tab confirming that I am now signed into FxA.

Did this open in the same browser where you were trying to access lockbox? I'm wondering if we somehow failed to complete the OAuth flow on this first attempt (which required the confirmation email) and that's why you were prompted for your password again.

cpeterso commented 6 years ago

> @cpeterso were you signed in to sync on this Firefox profile at the time, or had you previously been signed in to sync?

I'm not sure. The problem is not consistent. I use Sync on this profile, so I assume I'm always signed in "enough" for Sync to work. For security, Lockbox requires me to sign into FxA every time the browser restarts. Usually Lockbox requires only one sign in after restarting the browser, but sometimes two.

It feels like there are two problems here:

  1. FxA requiring me to re-confirm my device (via email). I use Firefox Nightly, so maybe the frequent updates cause FxA to need to re-confirm my device often? This is probably just a fact of life and not a bug. I only sign into Lockbox 1-2 times per week.

  2. After confirming my device, Lockbox should recognize that I'm now signed into FxA instead of showing its Sign In button.

> Did this open in the same browser where you were trying to access lockbox? I'm wondering if we somehow failed to complete the OAuth flow on this first attempt (which required the confirmation email) and that's why you were prompted for your password again.

Yes. I access the FxA confirmation email in Gmail in the same browser session where I am trying to sign into Lockbox.

rbillings commented 6 years ago

During testing I got into the create/confirm email loop and have narrowed down the repro steps:

  1. npm run run > new browser opens w/lockbox extension
  2. create new account > new window opens
  3. fill out new account data, submit > confirmation screen displays explaining email has been sent
  4. open email > COPY the activate link
  5. return to the new window with the email sent message > PASTE activate link into urlbar

expected: account confirmed
actual: url routes user to create account/signup page, account is never confirmed

** I initially found this as my email lives in a separate browser than the testing browser. I confirmed that if the user has their email in the lockbox original browser window, clicking 'Activate' will confirm the account. However pasting the link into the create account browser window will create the loop.

rbillings commented 6 years ago

Here is the email verification link: https://accounts.firefox.com/verify_email?uid=b6769958f18347a79fef434862e647da&code=acf6bb1648ef5a7067f3cd90b224574f&service=1b024772203a0849&resume=eyJlbWFpbCI6InJiaWxsaW5ncyswMjA3NUBtb3ppbGxhLmNvbSIsImVudHJ5cG9pbnQiOm51bGwsImZsb3dCZWdpbiI6MTUxODAyMTQxMTA0OSwiZmxvd0lkIjoiNjE0ZjZmMTU1ZjkzMjY1OWQ4ZmI0YjQ3MTFjYjg1YjUxZThjYzc3NmZhZWZlZTdkZTJhMDNjZDU3NDNmYWY0ZCIsIm5lZWRzT3B0ZWRJblRvTWFya2V0aW5nRW1haWwiOmZhbHNlLCJyZXNldFBhc3N3b3JkQ29uZmlybSI6dHJ1ZSwidW5pcXVlVXNlcklkIjoiNDI0ZmY1NDgtYzFiNi00NGY0LThmODgtZGQ3ZjQzNTBlYjlhIiwidXRtQ2FtcGFpZ24iOm51bGwsInV0bUNvbnRlbnQiOm51bGwsInV0bU1lZGl1bSI6bnVsbCwidXRtU291cmNlIjpudWxsLCJ1dG1UZXJtIjpudWxsfQ%3D%3D&utm_source=email&utm_medium=email&utm_campaign=fx-welcome&utm_content=fx-activate

Here is where I was redirected after pasting the verification link: https://accounts.firefox.com/oauth/signup?response_type=code&client_id=1b024772203a0849&redirect_uri=https%3A%2F%2F2aa95473a5115d5f3deb36bb6875cf76f05e4c4d.extensions.allizom.org%2F&access_type=offline&scope=openid%20profile%20https%3A%2F%2Fidentity.mozilla.com%2Fapps%2Flockbox&state=vAYqTKLymizeStpNESZ2gQ&code_challenge=GGO7Xio9AEsrv2e4GmyqZ_GVF4k80JAkuZ3yUycWqC8&code_challenge_method=S256&keys_jwk=eyJrdHkiOiJFQyIsImtpZCI6IjF6VDJycjF6TnNsVVNGRUZ3RVl0VkFyakpzSE8teWcxY05JX1dONTdiZWsiLCJjcnYiOiJQLTI1NiIsIngiOiJZR0JvTEVMd2JKUmlJZnBmR0VaYUNEQlR5eU5iVDNYLWYybWlRTDMzQU9RIiwieSI6IkZTVkllZXhMVmFiWllBdGhZc05KcVJsUUNONkxpdXhtcDVockFyVllRVk0ifQ

linuxwolf commented 6 years ago

@rbillings when you copy and pasted that URL link, did you put it in a new tab, or in the same window as the "confirm email" page/window?

@rfk It looks more like a bug in FxA somewhere. Would you like us to file it under fxa-content-server or somewhere else?

rbillings commented 6 years ago

@linuxwolf I pasted it in the confirm email window. If you paste it in the window w/the lockbox extension it correctly verifies the account.

rfk commented 6 years ago

> @rfk It looks more like a bug in FxA somewhere. Would you like us to file it under fxa-content-server or somewhere else?

Agreed; I've gone ahead and copied the details across to a new bug here:

https://github.com/mozilla/fxa-content-server/issues/5891

rfk commented 6 years ago

@linuxwolf pinging you here in case you don't get the notification from the other issue; I'd be interested in your thoughts on the latest explorations in https://github.com/mozilla/fxa-content-server/issues/5891#issuecomment-365406566