OAuth2 login: strange redirect behavior after login

skuzzle commented 4 years ago

Google login redirect doesn't behave as expected as it is seemingly openend in a new tab and then the return to the callback url gets confused

skuzzle commented 4 years ago

That's likely caused by the fact that we are navigating outside the scope entry of the site.manifest.

skuzzle commented 4 years ago

Setting start_url explicitly seems to have fixed the issue o_O

skuzzle commented 4 years ago

Behavior also happens during a fresh google login on all devices. A fresh login happens if no google cookies have been stored on the requesting device. Not reproducible on local instance In production, the following happens during OAuth login:

After successful login, google correctly sends redirect to https://countmy.pizza/login/oauth2/code/google?state...
On production, the redirecting response also contains a Referer header containing https://accounts.google.de/accounts/SetSID
The SimpleUrlAuthenticationSuccessHandler which is responsible for redirecting the user to the CMP page he came from, picks up the Referer header and redirects the user there

On local deployment, the authorization response doesn't contain the misleading Referer despite all configuration values are identical to the production setup.

skuzzle commented 4 years ago

Comparing authorization requests: localhost

Request
https://accounts.google.com/signin/oauth/consent?authuser=0&part=<part>&as=<as>&rapt=<rapt>
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://accounts.google.de/accounts/SetSID
Connection: keep-alive
Cookie: OCAK=...; GAPS=...; NID=...; SMSV=...; SID=...; __Secure-3PSID=...; LSID=...; __Host-3PLSID=...; HSID=...; SSID=...; APISID=...; SAPISID=...; __Secure-HSID=...; __Secure-SSID=; __Secure-APISID=...; __Secure-3PAPISID=...; ACCOUNT_CHOOSER=...; CONSENT=YES+DE.de+20150628-20-0; user_id=...; SIDCC=...
Upgrade-Insecure-Requests: 1
TE: Trailers

Response
HTTP/2 302 Found
content-type: text/html; charset=UTF-8
x-frame-options: DENY
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Thu, 02 Apr 2020 09:34:11 GMT
location: http://localhost:8081/login/oauth2/code/google?state=<state>&code=<code>&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=consent
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: script-src 'nonce-V/QlkmJdNe6+GoJvFlArqg' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
content-encoding: gzip
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-length: 403
server: GSE
set-cookie: GAPS=...;Path=/;Expires=Sat, 02-Apr-2022 09:34:11 GMT;Secure;HttpOnly;Priority=HIGH
set-cookie: LSOLH=...; Expires=Fri, 02-Apr-2021 09:34:11 GMT; Path=/; Secure; SameSite=none
set-cookie: SIDCC=...; expires=Fri, 02-Apr-2021 09:34:11 GMT; path=/; domain=.google.com; priority=high
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
X-Firefox-Spdy: h2

production

Request:
https://accounts.google.com/signin/oauth/consent?authuser=0&part=<part>&as=<as>&rapt=<rapt>
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://accounts.google.de/accounts/SetSID
Connection: keep-alive
Cookie: NID=...; OCAK=...; GAPS=...; SMSV=...; SID=...; __Secure-3PSID=...; LSID=...; __Host-3PLSID=...; HSID=...; SSID=...; APISID=...; SAPISID=...; __Secure-HSID=...; __Secure-SSID=...; __Secure-APISID=...; __Secure-3PAPISID=...; ACCOUNT_CHOOSER=...; CONSENT=YES+DE.de+20150628-20-0; user_id=...; SIDCC=...
Upgrade-Insecure-Requests: 1
TE: Trailers

Response:
HTTP/2 302 Found
content-type: text/html; charset=UTF-8
x-frame-options: DENY
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Thu, 02 Apr 2020 09:29:34 GMT
location: https://countmy.pizza/login/oauth2/code/google?state=<state>&code=<code>&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=none
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: script-src 'nonce-iv3SSI4ZpV3az2oYhMDrcQ' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
content-encoding: gzip
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-length: 401
server: GSE
set-cookie: SIDCC=...; expires=Fri, 02-Apr-2021 09:29:34 GMT; path=/; domain=.google.com; priority=high
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
X-Firefox-Spdy: h2

Comparing authorization redirect requests:

http://localhost:8081/login/oauth2/code/google?state=<state-token>&code=<code-token>&scope=email+profile+openid+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&authuser=0&prompt=consent
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: JSESSIONID=C8935F27F770975E6EBF818147757174
Upgrade-Insecure-Requests: 1

https://countmy.pizza/login/oauth2/code/google?state=<state-token>&code=<code-token>&scope=email+profile+openid+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&authuser=0&prompt=none
Host: countmy.pizza
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://accounts.google.de/accounts/SetSID
Connection: keep-alive
Cookie: SESSION=ZjY0MzJmOWMtMjM3MC00MTZkLTlkNTItYzhjODQ1YzViNTc5
Upgrade-Insecure-Requests: 1
TE: Trailers

skuzzle / cmp

OAuth2 login: strange redirect behavior after login #40