Google Sign-in doesn't work anymore

RESOLVED FIXED

Status

Socorro
Webapp
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: kanru, Assigned: peterbe)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Starting from maybe two or a weeks ago, I can't login with google sign-in anymore. After I passed authentication the google sign-in window was closed but I was still not signed into socorro.

Persona still works.
(Reporter)

Comment 1

2 years ago
Created attachment 8790604 [details]
login-fail.mp4
(Assignee)

Comment 2

2 years ago
The mp4 file is corrupted and I can't open it. 

Also, can you check some of your other browsers, like Safari or Chome or IE?
Also, can you check in a Private Window session?
(Assignee)

Comment 3

2 years ago
In the past at least one other user had a similar problem. He managed to sign in once he used a different profile. That made me believe there might be a bug in either Firefox (or one of the addons) or in how Google has implemented it. 

I'm really interested in solving this. We'll keep the Persona button for a while longer.
Assignee: nobody → peterbe

Comment 4

2 years ago
Hi, :peterbe

You have to install an codecs for the h264 (Ubuntu detected the missing codecs for me) and this video will work.
As an alternative you could check out this link: https://www.youtube.com/watch?v=Y6ktDRYOQOI (It's a youtube version of this attachment).
(Assignee)

Comment 5

2 years ago
(In reply to Jarek from comment #4)
> Hi, :peterbe
> 
> You have to install an codecs for the h264 (Ubuntu detected the missing
> codecs for me) and this video will work.
> As an alternative you could check out this link:
> https://www.youtube.com/watch?v=Y6ktDRYOQOI (It's a youtube version of this
> attachment).

Thanks a bunch! That worked.
(Assignee)

Comment 6

2 years ago
Kan-Ru, would you mind trying again but with the Browser Console open. Perhaps there are some clues in there from Google's JS implementation.
Flags: needinfo?(kchen)

Comment 7

2 years ago
I've encountered two problems with Google sign in in the past:
* I had stale certificates/old version of ssl libraries installed in the system
* When my system for some reason didn't update time from ntp server.

However, I'm not sure if any of these is applicable in :kanru's case. Browser Console will tell more.
(In reply to Peter Bengtsson [:peterbe] from comment #3)
> In the past at least one other user had a similar problem. He managed to
> sign in once he used a different profile. That made me believe there might
> be a bug in either Firefox (or one of the addons) or in how Google has
> implemented it. 

That was me. I'm confident that it wasn't add-on related, because the problem remainined when I disabled all add-ons.

I fixed it on my Mac by doing "Refresh Firefox" (https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings) which creates a new profile and imports a bunch of stuff from the old one.

On my Linux box doing "Refresh Firefox" wasn't enough -- it was still broken in the new profile. (More evidence that add-ons aren't related, because "Refresh Firefox" removes all add-ons.) I ended up having to make a totally new profile to get it working there.
(Assignee)

Comment 9

2 years ago
about.me apparently uses Google Sign-In
https://about.me/
Can you use that Kan-Ru?
Also, maybe Stackoverflow.com uses it too.
(Reporter)

Comment 10

2 years ago
I tried Private browsing mode but that didn't work. I also tried the browser console but it shows nothing.

I can reproduce this on multiple computer, they are all firefox account synced. Two of them run Debian stable, one runs Debian unstable so both stable and up-to-date system libraries. The system time is very accurate. It doesn't help if I disable all add-ons.

The only clue is that it works if I use a completely new profile. So maybe some stale cookies?

I'm not sure if comparing with other website helps, since I haven't seen any other sites using google sign-in exhibit this issue.
Flags: needinfo?(kchen)
(Reporter)

Comment 11

2 years ago
The console shows two messages if I refresh the crash-stats page, not sure if it's related

SecurityError: The operation is insecure.  2748322407-idpiframe.js:6
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead.  crashstats-base.min.7e513954cbf1.js:2:12282
(Reporter)

Comment 12

2 years ago
(In reply to Kan-Ru Chen [:kanru] (UTC+8) from comment #10)
> The only clue is that it works if I use a completely new profile. So maybe
> some stale cookies?

If I remove the apis.google.com, mozilla.okta.com and google.com SNID and some other cookies then I can login again. I'm not sure if I can reduce this further. I'll save the original profile in case we want to investigate later.
> On my Linux box doing "Refresh Firefox" wasn't enough -- it was still broken
> in the new profile. (More evidence that add-ons aren't related, because
> "Refresh Firefox" removes all add-ons.) I ended up having to make a totally
> new profile to get it working there.

And now with that new profile, which is now slightly older, I can no longer sign in :(  This is no fun.
(Assignee)

Comment 14

2 years ago
Nicholas, 
Do you have the same problem with https://crash-stats.allizom.org

Also, are you using https://crash-stats.mozilla.com or https://crash-stats.mozilla.org?

I think I'm going to increase the console logging in our JS code to see if that leaves any clues. It might get chatty but it might be something we only enable on stage.
> Do you have the same problem with https://crash-stats.allizom.org

Yes :(  And my local instance.

> Also, are you using https://crash-stats.mozilla.com or
> https://crash-stats.mozilla.org?

.com
(Assignee)

Comment 16

2 years ago
(In reply to Nicholas Nethercote [:njn] from comment #15)
> > Do you have the same problem with https://crash-stats.allizom.org
> 
> Yes :(  And my local instance.
> 

So it's likely to be something very "poisonous" about your profile. 
Perhaps the next thing is to go after Google and have them look at it. Obviously, they're unlikely to be able reproduce it too but last time you mentioned it got resolved when you deleted certain cookies. Is that right? If so, it would be interesting if you could open you web console and delete one at a time...

HOLD ON! As I was writing this comment I went to crash-stats.mozilla.com to inspect what cookies *I* have with *.google.com and when I did that I an interesting error and now I can't sign in either. Screenshot to come. 

> > Also, are you using https://crash-stats.mozilla.com or
> > https://crash-stats.mozilla.org?
> 
> .com

Good.
(Assignee)

Comment 17

2 years ago
(In reply to Kan-Ru Chen [:kanru] (UTC+8) from comment #11)
> The console shows two messages if I refresh the crash-stats page, not sure
> if it's related
> 
> SecurityError: The operation is insecure.  2748322407-idpiframe.js:6

That's the error I get too now! Right now I can't log in either.
(Assignee)

Comment 18

2 years ago
Created attachment 8792983 [details]
Screen Shot 2016-09-20 at 1.56.52 PM.png
(Assignee)

Comment 19

2 years ago
Oh, so this is getting somewhat clearer. 
If you change to disallow all third-party cookies you get that SecurityError about idpiframe.js. If you allow third party cookies, the error goes away and you can sign in again. 

Now the question is, how do we guide users in some better way??
I can confirm that the "accept third-party cookies" setting is the issue! On both my Mac and my Linux box, if it's set to "From visited" then I can't login, but if it's set to "Always" then I can.

AFAICT once I've successfully logged in once with it set to "Always", then I can change it to "From visited" and subsequent logins will work. Presumably because the appropriate third-party cookie is present on my machine.
Here's a new annoyance:
- I have my personal gmail account open in a tab
- I do a Google sign-in to crash-stats
- I switch back to my gmail tab, and it boots me out of my personal gmail account and reloads to show my Mozilla gmail account instead

peterbe, any ideas about how to fix this one?
Flags: needinfo?(peterbe)
(Assignee)

Comment 22

2 years ago
(In reply to Nicholas Nethercote [:njn] from comment #21)
> Here's a new annoyance:
> - I have my personal gmail account open in a tab
> - I do a Google sign-in to crash-stats
> - I switch back to my gmail tab, and it boots me out of my personal gmail
> account and reloads to show my Mozilla gmail account instead
> 
> peterbe, any ideas about how to fix this one?

Oh sigh how I miss Persona already. 

This is a well known challenge for all sorts of Google apps. E.g. opening Gmail AND Google Calendar. 
It is also the motivation for why I always dedicate Chrome for all my personal stuff, like inbox.google.com and my G-Suite (formerly Google Apps) related to my person. 

By the way, Persona used to do this too in the early days. It caused so much confusion. If you signed in, loaded a report, and wanted to compare that with a report loaded when NOT signed in. You'd open a second tab, sign out and suddenly you got signed out in the original tab (that you didn't touch) too. 

Perhaps we can fix it. But it makes me nervous. Google APIs trigger my "onSignedIn" callback function and that's when I do a server-side AJAX verification and potentially refresh the page. I could maybe do a condition "Were you already happily signed in?" and if so, void the callback. 

I'll need to think about it and do some experimentation. For example, it needs to work if you genuinely do want to log in as someone else (e.g. you accidentally signed in with your personal Google account)
Flags: needinfo?(peterbe)
(Assignee)

Comment 23

2 years ago
Sorry everyone who's participated but this is getting out of hand.

1) The problem is with people blocking third-party cookies. Our implementation is as good as it can be. It would be lovely to have some additional hacks in place that can figure out if you have 3rd party cookies disabled and if so it could pop up a message hinting that "Logging might not work. Consider adding ... and ... to your whitelisted cookie domains"

2) The fact that you can't be sign in to different Google accounts in different tabs is tricky. Partly because if I try to prevent it, I might break other important functionality such as the account being shut down (e.g. Mozilla staff leaving) or if the user really does want to sign in with a different account. Also, this is how Google prefers things to work. I've had similar horribly confusing problems with being signed to my work Gmail in one tab and personal Google Calendar in another tab. I suggest we sit and brew on this and try to understand why Google has made it like this. 

Last but not least, I'm going to work on https://bugzilla.mozilla.org/show_bug.cgi?id=1283295 this week.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.