Closed Bug 1505585 Opened 6 years ago Closed 6 years ago

Tracking cookie blocking + Strict list breaks the Google Plus sign-in flow

Categories

(Firefox :: Protections UI, defect, P2)

RESOLVED DUPLICATE of bug 1505212

People

(Reporter: englehardt, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [privacy65])

Tracking cookie blocking + the strict list breaks Google Plus' sign-in flow for sites that use a custom button. This sign-in flow is documented as deprecated in favor of their new flow (also broken, Bug 1505571). Documentation for the old sign-in flow can be found here: https://web.archive.org/web/20150317143723/https://developers.google.com/+/web/signin/customize and https://developers.google.com/+/web/signin/

I added the demo code from the archived documentation here: https://senglehardt.com/test/identity_providers/google_plus.html

STR:
1. Click the Google button
2. Nothing happens

Expected result:
A pop-up should be shown. Note that I haven't properly integrated Google Plus with my domain, so the pop-up will show an error message.

This appears to be the root cause of the breakage observed in Bug 1502316 as well as on https://9gag.com/login. In all three cases, we see a click handler on the login button with the following code:

function() {
  _.Ix(f, g)
}

This handler will fail as described in Bug 1502316 Comment 12.
Depends on: 1502316
See Also: → 1505571
See Also: → 1504690
Priority: -- → P2
Whiteboard: [privacy65]
With bug 1505212 fixed, the google_plus.html test page opens a popup pointing to <https://accounts.google.com/o/oauth2/auth?response_type=permission%20id_token%20code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.login%20profile%20email&openid.realm=&include_granted_scopes=true&redirect_uri=storagerelay%3A%2F%2Fhttps%2Fsenglehardt.com%3Fid%3Dauth787097&client_id=841077041629.apps.googleusercontent.com&ss_domain=https%3A%2F%2Fsenglehardt.com&gsiwebsdk=shim&access_type=offline> with the following text:

400. That’s an error.

Error: redirect_uri_mismatch

The JavaScript origin in the request, https://senglehardt.com, does not match the ones authorized for the OAuth client. Visit https://console.developers.google.com/apis/credentials/oauthclient/841077041629.apps.googleusercontent.com?project=841077041629 to update the authorized JavaScript origins.

Learn more
Request Details

That’s all we know.

Does this mean the bug is fixed?
Flags: needinfo?(senglehardt)
Yes, that error is expected since I didn't fully configure the Google Plus integration. The important part is that we're now able to trigger a pop-up. If Bug 1502316 and 9gag's logins are fixed, I think it's safe to close this. If we see more breakage we can file a new bug to investigate.
Flags: needinfo?(senglehardt)
Thanks!
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE