Open skuzzle opened 4 years ago
That's likely caused by the fact that we are navigating outside the scope entry of the site.manifest. Setting start_url explicitly seems to have fixed the issue o_O
Behavior also happens during a fresh google login on all devices. A fresh login happens if no google cookies have been stored on the requesting device. Not reproducible on local instance.

In production, the following happens during OAuth login: the callback https://countmy.pizza/login/oauth2/code/google?state... arrives with a Referer header containing https://accounts.google.de/accounts/SetSID. SimpleUrlAuthenticationSuccessHandler, which is responsible for redirecting the user to the CMP page he came from, picks up the Referer header and redirects the user there.

On local deployment, the authorization response doesn't contain the misleading Referer even though all configuration values are identical to the production setup.
Comparing authorization requests:

localhost

Request:
https://accounts.google.com/signin/oauth/consent?authuser=0&part=<part>&as=<as>&rapt=<rapt>
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://accounts.google.de/accounts/SetSID
Connection: keep-alive
Cookie: OCAK=...; GAPS=...; NID=...; SMSV=...; SID=...; __Secure-3PSID=...; LSID=...; __Host-3PLSID=...; HSID=...; SSID=...; APISID=...; SAPISID=...; __Secure-HSID=...; __Secure-SSID=; __Secure-APISID=...; __Secure-3PAPISID=...; ACCOUNT_CHOOSER=...; CONSENT=YES+DE.de+20150628-20-0; user_id=...; SIDCC=...
Upgrade-Insecure-Requests: 1
TE: Trailers
Response:
HTTP/2 302 Found
content-type: text/html; charset=UTF-8
x-frame-options: DENY
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Thu, 02 Apr 2020 09:34:11 GMT
location: http://localhost:8081/login/oauth2/code/google?state=<state>&code=<code>&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=consent
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: script-src 'nonce-V/QlkmJdNe6+GoJvFlArqg' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
content-encoding: gzip
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-length: 403
server: GSE
set-cookie: GAPS=...;Path=/;Expires=Sat, 02-Apr-2022 09:34:11 GMT;Secure;HttpOnly;Priority=HIGH
set-cookie: LSOLH=...; Expires=Fri, 02-Apr-2021 09:34:11 GMT; Path=/; Secure; SameSite=none
set-cookie: SIDCC=...; expires=Fri, 02-Apr-2021 09:34:11 GMT; path=/; domain=.google.com; priority=high
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
X-Firefox-Spdy: h2
production
Request:
https://accounts.google.com/signin/oauth/consent?authuser=0&part=<part>&as=<as>&rapt=<rapt>
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://accounts.google.de/accounts/SetSID
Connection: keep-alive
Cookie: NID=...; OCAK=...; GAPS=...; SMSV=...; SID=...; __Secure-3PSID=...; LSID=...; __Host-3PLSID=...; HSID=...; SSID=...; APISID=...; SAPISID=...; __Secure-HSID=...; __Secure-SSID=...; __Secure-APISID=...; __Secure-3PAPISID=...; ACCOUNT_CHOOSER=...; CONSENT=YES+DE.de+20150628-20-0; user_id=...; SIDCC=...
Upgrade-Insecure-Requests: 1
TE: Trailers
Response:
HTTP/2 302 Found
content-type: text/html; charset=UTF-8
x-frame-options: DENY
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Thu, 02 Apr 2020 09:29:34 GMT
location: https://countmy.pizza/login/oauth2/code/google?state=<state>&code=<code>&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=none
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: script-src 'nonce-iv3SSI4ZpV3az2oYhMDrcQ' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
content-encoding: gzip
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-length: 401
server: GSE
set-cookie: SIDCC=...; expires=Fri, 02-Apr-2021 09:29:34 GMT; path=/; domain=.google.com; priority=high
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
X-Firefox-Spdy: h2
Comparing authorization redirect requests:

localhost

Request:

http://localhost:8081/login/oauth2/code/google?state=<state-token>&code=<code-token>&scope=email+profile+openid+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&authuser=0&prompt=consent
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: JSESSIONID=C8935F27F770975E6EBF818147757174
Upgrade-Insecure-Requests: 1
production

Request:

https://countmy.pizza/login/oauth2/code/google?state=<state-token>&code=<code-token>&scope=email+profile+openid+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&authuser=0&prompt=none
Host: countmy.pizza
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://accounts.google.de/accounts/SetSID
Connection: keep-alive
Cookie: SESSION=ZjY0MzJmOWMtMjM3MC00MTZkLTlkNTItYzhjODQ1YzViNTc5
Upgrade-Insecure-Requests: 1
TE: Trailers
Google login redirect doesn't behave as expected as it is seemingly opened in a new tab and then the return to the callback URL gets confused
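The Referer-driven redirect described in this issue, modelled as an added example (not code from the countmy.pizza project or from Spring Security): the lenient resolver follows the same order as Spring Security's AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl, which SimpleUrlAuthenticationSuccessHandler inherits (explicit target parameter, then the Referer when the use_referer switch modelled on setUseReferer is on, then the default target URL), while the strict variant only honours a candidate that is same-origin with the callback request. The request dicts are constructed from the two captured callback requests above with the state/code tokens elided; the function and parameter names are this example's own assumptions.

```python
"""Model of a Referer-driven post-login redirect and a same-origin check.

Added example, not code from the countmy.pizza project.  The decision order
(target parameter, then Referer when enabled, then the default URL) follows
Spring Security's AbstractAuthenticationTargetUrlRequestHandler; the function
names, parameter names and request dicts are assumptions made for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed from the two callback requests captured in the issue; the
# state/code values are elided and only the headers that matter are kept.
LOCALHOST_CALLBACK = {
    "url": "http://localhost:8081/login/oauth2/code/google?state=...&code=...",
    "headers": {"Host": "localhost:8081"},
}
PRODUCTION_CALLBACK = {
    "url": "https://countmy.pizza/login/oauth2/code/google?state=...&code=...",
    "headers": {
        "Host": "countmy.pizza",
        "Referer": "https://accounts.google.de/accounts/SetSID",
    },
}


def header(request, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in request["headers"].items():
        if key.lower() == wanted:
            return value
    return None


def query_param(request, name):
    """First value of a query parameter on the request URL, or None."""
    values = parse_qs(urlsplit(request["url"]).query).get(name)
    return values[0] if values else None


def determine_target_url(request, *, default_target="/", use_referer=False,
                         target_param=None):
    """Lenient resolution: an explicit parameter wins, then the Referer if that
    option is on, then the default.  Nothing checks where the Referer points,
    so a Referer set on the identity provider's domain is followed verbatim."""
    if target_param:
        explicit = query_param(request, target_param)
        if explicit:
            return explicit
    if use_referer:
        referer = header(request, "Referer")
        if referer:
            return referer
    return default_target


def origin_of(url):
    """(scheme, host, port) triple, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, (parts.hostname or "").lower(), port)


def is_same_origin(candidate, request_url):
    """Absolute URLs must share scheme, host and port with the request; a
    path-only candidate is on our own origin, but '//host/...' is not."""
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        return candidate.startswith("/") and not candidate.startswith("//")
    return origin_of(candidate) == origin_of(request_url)


def determine_target_url_strict(request, *, default_target="/", use_referer=False,
                                target_param=None):
    """Same order as above, but any candidate that is not same-origin with
    the callback request is discarded and the default target is used."""
    candidates = []
    if target_param:
        candidates.append(query_param(request, target_param))
    if use_referer:
        candidates.append(header(request, "Referer"))
    for candidate in candidates:
        if candidate and is_same_origin(candidate, request["url"]):
            return candidate
    return default_target


if __name__ == "__main__":
    for name, req in (("localhost", LOCALHOST_CALLBACK),
                      ("production", PRODUCTION_CALLBACK)):
        print(name, "lenient ->", determine_target_url(req, use_referer=True))
        print(name, "strict  ->", determine_target_url_strict(req, use_referer=True))
```

With use_referer on, the production callback resolves to https://accounts.google.de/accounts/SetSID under the lenient resolver and to / under the strict one; the localhost callback carries no Referer and resolves to / in both cases, which matches the two captures above. In Spring Security terms the equivalent hardening is to leave setUseReferer off (its default) and rely on the saved request or a default target URL, or to override determineTargetUrl with an origin check of this kind.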