ubports / account-plugins

Moved to https://gitlab.com/ubports/core/indicator-transfer
GNU General Public License v2.0

Google: Unable to sign in Again #40

Closed rubencarneiro closed 2 years ago

rubencarneiro commented 4 years ago

Guess this user agent string is also blocked.

mardy commented 4 years ago

Please provide some information. What account are you trying to create? Can you provide a screenshot for the error?

rubencarneiro commented 4 years ago

> Please provide some information. What account are you trying to create? Can you provide a screenshot for the error?

Google account sign in, user agent string has been blocked.

mardy commented 4 years ago

I just tried, and indeed it doesn't work for me either. If Google doesn't want us to use their services, I think we should just remove the account, unless someone can come up with a user-agent string that works (or any other solution, for that matter).

I'll still spend some time to investigate the issue, to make sure that the problem is indeed with the user-agent and not with some other protocol changes. But if nothing works, we should just remove it.

mardy commented 4 years ago

OK, I did some investigation. First I tried removing most of the OAuth scopes from /usr/share/accounts/providers/google.provider, to see if the error could be due to some permission; it didn't help.

Then I ran

OAU_LOGGING_LEVEL=2 OAU_DAEMON_TIMEOUT=9999 online-accounts-service

to collect the logs while I was trying to create the account, and when the URL for the login page was printed, I tried to open it in the Morph browser instead. Surprise surprise, it worked.

It looks like Google is actively trying to prevent the user from authenticating within webviews:

https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html
https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html
https://support.google.com/accounts/answer/7675428?co=GENIE.Platform%3DAndroid&hl=en

All this suggests to me that there must be some code within the chrome engine that is capable of detecting whether the webview is part of a browser or embedded in some application.

It would be nice if someone with more experience with Morph (@mariogrip?) could help me understand whether there's something I need to implement in the Online Accounts webview to make the chromium engine think that we are a full-fledged browser.

Maybe Google is trying to open some frame? I see this in the logs:

Invalid 'X-Frame-Options' header encountered when loading 'https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-913843931&timestamp=1586880261321': 'ALLOW-FROM https://accounts.google.com' is not a recognized directive. The header will be ignored.

The fact that the page is called CheckConnection makes me especially suspicious.

rubencarneiro commented 4 years ago

Removing the account is not viable, people sync with Google contacts. Can't we implement this instead of UA strings? https://wicg.github.io/ua-client-hints/

rubencarneiro commented 4 years ago

Fixed for now https://github.com/ubports/account-plugins/pull/43

Flohack74 commented 4 years ago

> Removing the account is not viable, people sync with Google contacts. Can't we implement this instead of UA strings? https://wicg.github.io/ua-client-hints/

How should implementing this draft solve a problem where Google bans embedded browser frameworks? That's not causing any improvement.

GI9VANNI commented 4 years ago

I updated my Nexus 5 to OTA-12 but unfortunately it's no longer possible to connect the Google account to synchronize the contacts. Morph Browser is not supported. How can I get around this?

rubencarneiro commented 4 years ago

try to install this then reboot https://github.com/rubencarneiro/account-plugins/releases

GI9VANNI commented 4 years ago

@rubencarneiro Hi, thanks for the answer! Unfortunately I can't install the .deb file. I tried with:

    sudo dpkg -i account-plugin-google_0.15.0ubports1local.1586944513_all.deb

but this error has returned: Read-only file system

Which command should I use to install your fix?

rubencarneiro commented 4 years ago

> @rubencarneiro Hi, thanks for the answer! Unfortunately I can't install the .deb file. I tried with: sudo dpkg -i account-plugin-google_0.15.0ubports1local.1586944513_all.deb but this error has returned: Read-only file system Which command should I use to install your fix?

First do

    sudo -s
    sudo mount -o remount,rw /
    sudo dpkg -i "deb file"

GI9VANNI commented 4 years ago

It worked! Now Google thinks my Nexus 5 is a Nexus 4, but it did give me access. Thanks @rubencarneiro 👍

stanwood77 commented 4 years ago

Thank you for this great workaround solution! Will this plugin be implemented by default in a future OTA?

rubencarneiro commented 4 years ago

> Thank you for this great workaround solution! Will this plugin be implemented by default in a future OTA?

That's up to the UBports team.

ScardracS-zz commented 4 years ago

I did some investigations too and found actually the chromium version of morph is v65, which is too old for Google (in fact Google is actively blocking it for access to Google accounts and so on). A solution could be to try to update chromium to latest version (at least v80)

Flohack74 commented 4 years ago

We explained already in detail why this is no fix that will work for all users (Google seems to be pretty inconsistent about it, but I think they will close all remaining gaps soon): Morph browser uses QtWebEngine, which in turn uses a Chromium browser process. And that again is started by the accounts plugin to verify the details. Now see this snippet:

(image)

Taken from https://support.google.com/accounts/answer/7675428?co=GENIE.Platform%3DDesktop&hl=en

What it basically says is: the browser cannot be secure if it's embedded into another process, since that process could be a man-in-the-middle and could steal identity data during the handshake. So I expect this User Agent workaround to stop sooner or later again. See that they wrote it "might stop login", so it sometimes works, sometimes does not.

We do not want to a) make fixes that work only for a few users b) fix this thing again and again. We need a permanent solution for this, and as long as nobody comes up with a real implementation that works for all users in all cases, it's not an accepted solution. Maybe @mardy can give some more insights about the problem here.

Flohack74 commented 4 years ago

@ScardracS we do not have control over the Chromium version, as we use the one that comes with the Qt version that is installed. We will upgrade soon to Qt 5.15, which will probably bump the version of Chromium, but the problem has nothing to do with the version. It's because Google can detect that the browser process is hosted by another app, and that's thought to have potential security risks. Read more here: https://9to5google.com/2019/04/18/google-block-man-in-the-middle/

ScardracS-zz commented 4 years ago

Thanks @Flohack74 for the clarifications :)

mardy commented 4 years ago

Hi everybody, I would like to ask people who are affected by this bug to try out the following steps:

  1. From a terminal in the device (or in an SSH session), run the following commands (just copy/paste them):

    # Remount the filesystem to read-write mode:
    sudo mount -o remount,rw /

    # Update the Google account configuration
    sudo sh -c "cat > /usr/share/accounts/providers/google.provider" <<EOF
    <?xml version="1.0" encoding="UTF-8"?>
    Google Includes Gmail, Google Docs, Google+, YouTube and Picasa google account-plugins .*google\.com
    EOF

  2. Try creating a Google account again.

If it works, please add a thumbs up :-) If it doesn't, please describe the error you encounter in as much detail as possible.

Flohack74 commented 3 years ago

@mardy did we forget this for the release notes of OTA-113? It's also not marked to be on the OTA-13 board.

Flohack74 commented 3 years ago

Because somebody told me it works in OTA-13, but was that the fix with the user-agent which works sometimes probably. Should we target it for OTA-14 then ?

mardy commented 3 years ago

The MR #44, which contains the fix suggested here, was merged only after OTA-13 was released. So the fix will be only in OTA-14.

Flohack74 commented 3 years ago

That's strange. But OK ;) thx

zubozrout commented 3 years ago

Hi, I've relatively recently reinstalled my MX4 and was unable to log in to Google to sync contacts and calendars ever since. I've even tried this a while ago https://github.com/ubports/account-plugins/issues/40#issuecomment-686608782 but with no luck at that time. Since then I've also reinstalled my phone completely through ubuntu-device-flash (without clearing the userspace, but trying to get rid of my manual modifications to the rootfs).

I guess this fix is already in devel but unfortunately it makes no difference for me.

Here is the message I was getting: (image) saying this in English: https://support.google.com/accounts/thread/22873505

However, when I installed this: https://github.com/ubports/account-plugins/issues/40#issuecomment-629549091 as recommended to me by @lduboeuf it started working.

So I guess maybe this fix is not sufficient and user agent string also needs to change(?)

rubencarneiro commented 3 years ago

> Hi, I've relatively recently reinstalled my MX4 and was unable to log in to Google to sync contacts and calendars ever since. I've even tried this a while ago #40 (comment) but with no luck at that time. Since then I've also reinstalled my phone completely through ubuntu-device-flash (without clearing the userspace, but trying to get rid of my manual modifications to the rootfs).
>
> I guess this fix is already in devel but unfortunately it makes no difference for me.
>
> Here is the message I was getting: (image) saying this in English: https://support.google.com/accounts/thread/22873505
>
> However, when I installed this: #40 (comment) as recommended to me by @lduboeuf it started working.
>
> So I guess maybe this fix is not sufficient and user agent string also needs to change(?)

reinstall and reboot the device or wait for Alfred fix.

zubozrout commented 3 years ago

Hi @rubencarneiro, I did that using your accounts-plugin package and it worked as noted. What I was more concerned about with my post here is that the sole fix from @mardy was not enough for me and perhaps a combination of both should be merged?

UniversalSuperBox commented 3 years ago

Unfortunately, it appears that the fix did not actually solve the problem for many users, myself included.

screenshot20201023_095023070

This screenshot was taken on the devel image for 2020-10-23. This is shown immediately after entering your email address.

UniversalSuperBox commented 3 years ago

Oh, the account-plugins build failed. That's why. Unfortunately this won't be part of this release thanks to freeze, but I'll kick the build after OTA-14 is released.

rubencarneiro commented 3 years ago

> Oh, the account-plugins build failed. That's why. Unfortunately this won't be part of this release thanks to freeze, but I'll kick the build after OTA-14 is released.

And if you install the deb, does it work?

stanwood77 commented 3 years ago

I confirm, deb plugin works (tested on N5, OTA 13 stable). I did reinstall UT on my N5 using UBports installer and tried to login to Google: Authentication denied. Then I reinstalled the deb file and logged successfully into my Google account. Calendar and contacts are well synchronized.

ghost commented 3 years ago

Hi Everyone,

I am very, very new to Ubuntu Touch. So, I am sorry for the silly question. However, how do I install a deb file on this machine?

rubencarneiro commented 3 years ago

> Hi Everyone,
>
> I am very, very new to Ubuntu Touch. So, I am sorry for the silly question. However, how do I install a deb file on this machine?

Download, copy to your device Downloads folder then open a terminal on the device and do the following commands:

    sudo mount -o remount,rw /
    cd Downloads
    sudo dpkg -i *.deb

after that reboot

ghost commented 3 years ago

It looked like a permission issue. Thanks!

peat-psuwit commented 3 years ago

I triggered the rebuild and it seems to build now. Please wait until the next devel image update and then please see if the issue is solved.

UniversalSuperBox commented 3 years ago

It is not fixed, I still receive "Couldn't sign you in: This browser or app may not be secure..."

stanwood77 commented 3 years ago

Did you allow the access to "less secured applications" in your Google account?

UniversalSuperBox commented 3 years ago

Toggling this feature does not seem to change anything for OAUTH access. Indeed, Google states that it is meant for "Apple's Mail app, Mozilla Thunderbird, or Microsoft Outlook" on this page: https://support.google.com/accounts/answer/6009563

stanwood77 commented 3 years ago

Regarding the .deb plugin: I regret to inform you that the Google Calendar synchronization works only when you first activate your Google Account in the settings; but does not synchronize anymore afterwards. No error message, just nothing happens when I add a new event in Google or in UT calendar. I tried to manually refresh the data in calendar, deactivate/reactivate the calendar sync in settings, uncheck / check my google calendar account in the calendar settings... Unsuccessfully. No problem with Google contacts. I have each time to delete the Google account and then recreate it to synchronize the calendar data again.

Tested on 2 devices: Nexus 5 OTA-15 Stable + Vollaphone OTA-15 Stable

Hope this feedback will help. Regards, Steve

rubencarneiro commented 3 years ago

> Regarding the .deb plugin: I regret to inform you that the Google Calendar synchronization works only when you first activate your Google Account in the settings; but does not synchronize anymore afterwards. No error message, just nothing happens when I add a new event in Google or in UT calendar. I tried to manually refresh the data in calendar, deactivate/reactivate the calendar sync in settings, uncheck / check my google calendar account in the calendar settings... Unsuccessfully. No problem with Google contacts. I have each time to delete the Google account and then recreate it to synchronize the calendar data again. Tested on 2 devices: Nexus 5 OTA-15 Stable + Vollaphone OTA-15 Stable Hope this feedback will help. Regards, Steve

You need to authorize third party applications on your google account.

ginggs commented 3 years ago

@stanwood77 this issue is still marked Open, so surely not expected to be fixed in OTA-15.

UniversalSuperBox commented 3 years ago

It is interesting that the behavior has changed for the worse, though. Thank you for your report.

stanwood77 commented 3 years ago

> You need to authorize third party applications on your google account.

Third party access is well authorized in main Google account settings. Sync does indeed work immediately at the initial Google account set-up in Ubuntu Touch settings => Online accounts. Then, no more automatic sync between Google and UT calendar (but works 100% with Google Contacts).

rubencarneiro commented 3 years ago

> Regarding the .deb plugin: I regret to inform you that the Google Calendar synchronization works only when you first activate your Google Account in the settings; but does not synchronize anymore afterwards. No error message, just nothing happens when I add a new event in Google or in UT calendar. I tried to manually refresh the data in calendar, deactivate/reactivate the calendar sync in settings, uncheck / check my google calendar account in the calendar settings... Unsuccessfully. No problem with Google contacts. I have each time to delete the Google account and then recreate it to synchronize the calendar data again. Tested on 2 devices: Nexus 5 OTA-15 Stable + Vollaphone OTA-15 Stable Hope this feedback will help. Regards, Steve

OK, so I created a new event on Ubuntu desktop calendar and it was automatically synced on Ubuntu Touch calendar. The problem seems to be the inverse: if you create on Ubuntu Touch it will not push the event to Google account.

Fuseteam commented 3 years ago

It might be interesting that logging in still works in online accounts plugin from the Unity 7 desktop environment on Ubuntu 18.04. Maybe we could find a hint to fix this permanently.

Fuseteam commented 3 years ago

> Invalid 'X-Frame-Options' header encountered when loading 'https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-913843931&timestamp=1586880261321': 'ALLOW-FROM https://accounts.google.com' is not a recognized directive. The header will be ignored.
>
> The fact that the page is called CheckConnection makes me especially suspicious.

Apparently it's a web standard that differentiates between the two: https://support.mozilla.org/en-US/kb/xframe-neterror-page?as=u&utm_source=inproduct

mardy commented 3 years ago

I have a couple of merge requests implementing a different solution, which is the one recommended by Google. This does not rely on any specific user-agent string, but has the cost of worsening the user experience: the user will have to login in the Morph browser, then manually switch back to the application (or System Settings, if the account creation started from there). But this is what Google mandates. :-(

Testers are welcome: please install the ubuntu-system-settings-online-accounts deb package from here and the account-plugin-google from here. Please let me know how it works.

Fuseteam commented 3 years ago

@mardy could morph be opened via url dispatcher maybe? tho I guess the way back would be an open question

mardy commented 3 years ago

> @mardy could morph be opened via url dispatcher maybe? tho I guess the way back would be an open question

Morph opens fine already via url-dispatcher, the problem is on the way back.

Fuseteam commented 3 years ago

> > @mardy could morph be opened via url dispatcher maybe? tho I guess the way back would be an open question
>
> Morph opens fine already via url-dispatcher, the problem is on the way back.

ah sorry misread

lduboeuf commented 3 years ago

Tested on my side on N5, so the sync is fine, only thing is that we don't know in the app (e.g. contacts) if it's ok. I don't remember if we should see something under "Add google account".