Login issues for academic sites using figshare
Categories
(Web Compatibility :: Knowledge Base, defect, P1)
Tracking
(firefox133 fixed)
| Tracking | Status | |
|---|---|---|
| firefox133 | --- | fixed |
People
(Reporter: jgraham, Assigned: timhuang)
References
(Depends on 1 open bug, Blocks 5 open bugs, )
Details
(Keywords: webcompat:contact-complete, webcompat:site-report)
User Story
outreach-assignee:mbalfanz outreach-contact-date:2024-09-30 outreach-response-date:2024-09-30
Attachments
(1 file)
Academic library sites based on figshare have an unsupported warning for Firefox, relating to problems with SSO redirect loops when logging in. This can make the site unusable.
The banner has the text:
We are currently experiencing issues with logging in using the Firefox browser. Firefox has updated the way they handle single sign-ons. To avoid any issues, please use an alternative browser such as Google Chrome.
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 1•1 year ago
|
||
Support sent me this link for more information: https://help.figshare.com/article/issues-with-sso-and-firefox
|
|
||
Updated•1 year ago
|
|
Assignee | |
Comment 2•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Comment 4•1 year ago
|
||
| bugherder | ||
|
Reporter | |
Comment 5•1 year ago
|
||
Reopening because we don't have a fix in the upstream version of figshare yet.
|
|
Assignee | |
Comment 6•1 year ago
|
||
Could we close this bug after Bug 1923288 landed?
|
|
Reporter | |
Comment 7•1 year ago
|
||
Has it shipped to release, and are we confident that it's a long term fix (i.e. even if the site is updated in a way that makes the intervention to hide the warning break, will logins continue to work)?
In general for interventions we just mark the site report as webcompat:sitepatch-applied while we wait for a core fix. But maybe the shim is the long-term fix in this case.
|
|
Assignee | |
Comment 8•1 year ago
|
||
Yes, the shim has been shipped to the release because of the out-of-train release of the webcompat extension. Per my test, the login will continue with shim enabled.
I think the shim is the long-term from from our side. Figshare has to update their implementation using StorageAccess API to properly fix this problem. We have proposed this idea to them, and they are considering it. But we haven't heard of any concrete timeline for when they will do this.
|
||
Comment 9•1 year ago
|
||
Hi Tim & James,
My name is Eduard Gabor and I work as an Implementation Engineer at Figshare. Please note that we've deployed today (27th of November) a fix for the figshare platform that includes the usage of StorageAccess API.
@james, can you please test the log in and let us know the outcome of this? Before starting, we kindly ask you to undo any updates done from https://help.figshare.com/article/issues-with-sso-and-firefox (if applies to your case).
As a separate note, we'll start some threads with other clients that complained about this matter and, once confirmed, we'll proceed on taking down the Firefox Banner warning.
Looking forward to hearing from you.
Best,
Eduard
|
|
Reporter | |
Comment 10•1 year ago
|
||
We've deployed today (27th of November) a fix for the figshare platform that includes the usage of StorageAccess API.
That's really great to hear, thanks!
@james, can you please test the log in and let us know the outcome of this?
I don't think I have any access credentials to figshare-based sites, so I can't test. I've spoken to our QA team and they also don't seem to have any valid credentials. So unless there's some way to get credentials, I unfortunately don't think I can help with testing.
I don't know if Tim was able to access any sites when developing the intervention?
|
|
Assignee | |
Comment 11•1 year ago
|
||
I've tested it using a credential that Figshare provided to us on https://lilliput.figsharelabs.io/. I still see the same issue on this site if I disable the Figshare shim.
Eduard, Has your fix been deployed to this site?
|
|
||
Comment 12•1 year ago
|
||
Hi Tim,
A fix was deployed on our side, but, unfortunately, it seems that the issue persists. I've passed this to our QA team; I'll come back to you once I have an input from their side.
Best,
Eduard
|
|
||
Comment 13•1 year ago
|
||
Hi Tim,
Please note that we've indeed found some issues in terms of the log in process. One of our Developments might take this matter and join this thread ASAP.
|
||
Comment 14•1 year ago
|
||
Hi Tim,
Based on the docs, and your shim, we've added this code to request storage access before a login on our side, during a user interaction:
try {
await document.requestStorageAccess({ cookies: true, localStorage: true });
// proceed with login
} catch () { //prevent
I'll recheck the conditions we have for this call to be made (is firefox browser and sso login), but is this call enough on our side ? Or do we need to do something else ?
|
|
Assignee | |
Comment 15•1 year ago
|
||
The document.requestStorageAccess() function has to be called inside the embedded iframe to get storage access. So, you need to call document.requestStorageAccess() when a user interacts with a figshare.com embedded iframe(It might be clicking the login button).
Once the storage access has been acquired, it doesn't need to be behind a user interaction in the following loads. You can just rely on an embedded iframe and call document.requestStorageAccess() in a figshare.com embedded iframe to access unpartitioned cookies.
|
||
Comment 16•1 year ago
|
||
Hello Tim, we tried calling the API inside an embedded iframe with the target origin as you specified, but unfortunately we had to reverse the solution you gave us, as we would receive the following error
Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://figshare.com') does not match the recipient window's origin ('https://figshare.swinburne.edu.au'). Could you provide us with further assistance, or a different way to tackle this issue? Thank you!
|
|
||
Updated•11 months ago
|
|
|
Assignee | |
Comment 17•11 months ago
|
||
From the error message, it doesn't seem to be related to the document.requestStorageAccess(). But it's an error caused by providing a mismatched target origin when calling postMessage(). See the postMessage() MDN article, the targetOrigin has to be either '*' or the origin of the window where the postMessage targets. So, I think you need to update the code that calls postMessage() with the appropriate targetOrigin. Per the error message, it has to be https://figshare.swinburne.edu.au.
Description
•