After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize



  • I was waiting for this moment, thank you for your quick reply.

    1. We are using FusionAuth™ version 1.17.0.
    2. To replicate the steps:
      We are developing a Native Android & iOS App which will use FusionAuth as OIDC Idp.
      I have implemented https://github.com/openid/AppAuth-Android and shall implement the iOS project from the same author.

    Everything is working fine... Username/Email + Password login is working perfectly fine...However, when we use Google Sign-in (which is working perfectly on Desktop Chrome), but in Android when the app goes to fusionauth login screen.

    1. It gives option for Google Signin
    2. When clicked, It opens Google Signin Page
    3. It perhaps, even signin to the google ( how i know, next time it doesn't asked me for password)
    4. it closes the google signin window
    5. I see the FusionAuth login form, it doesn't process anything and doesn't therefore return to the App.

    PS: i tired lot for 2-3 days now to figure out, inspected the android chrome on desktop dev tools, it gave me this cookie warning, ( which i also get for desktop chrome but in desktop fusionauth processes, in android it doesn't). So i felt may be this is the issue.

    Kindly let me know what can be done.



  • Hiya,

    It looks like this is being tracked in a github issue as well: https://github.com/FusionAuth/fusionauth-issues/issues/813

    Thanks for providing more details.

    Have you tried modifying the fusionauth-app.cookie-same-site-policy to None? It defaults to Lax. The cookie should be set to Secure as long as you are serving it from an https URL. That has some security ramifications you should be aware of:

    None used to be the default value, but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

    But may be worth exploring to see if it solves your issue right now. If you pursue that in production, make sure you research the security consequences.

    I looked in the github issues for https://github.com/openid/AppAuth-Android/ but didn't see anything mentioned. You might want to see if you can narrow it down and file an issue there, since it appears to be an android chrome issue.

    I'd also try to see if google sign in works fine from android chrome directly (not using your application, just the native browser) as that might help focus on whether the issue is in the AppAuth-Android code, your app implementation, Android Chrome or elsewhere.

    You could also see if any error messages are shown in the fusionauth logs; if so please share them.

    Also, if quick turnaround times for support are crucial to you, I'd suggest one of our paid plans with support: https://fusionauth.io/pricing Doing so guarantees turnaround time and engineering team access, as opposed to best effort community support. We understand that won't work for everyone (one of the reasons the community edition is forever free) but I wanted to mention that as an option.



  • Hello @dan ,

    Actually I did multiple things and tried debug the app on the device and found that, things are working but the flow cancels at the callback. I don't know whats the issue.

    I m attaching screenshots!

    Login after Code.png

    Cancelled Request - 1.png

    Cancelled Request - 2.png



  • Hmmm. The fact the callback is what is failing is very interesting to me. Isn't that in the AppAuth-Android code (catching the redirect from FusionAuth to save off the access token? Are there any logs on the device that might be helpful?



  • @dan
    Thanx again,

    The callback fails only when the user first login with google, later it works. Like my app therefore is receiving the redirect

    Edit:
    Also, the regular Username/Password login is working fine, so the AppAuth-Android catching redirect seems not to be the issue, i guess.



  • The callback fails only when the user first login with google, later it works. Like my app therefore is receiving the redirect

    Can you get any logging from the app on why the callback fails? Or do you have that in the screenshots and I just missed it (there's a lot going on, so maybe I did).



  • Jay Swaminarayan! @dan

    The only thing I could find was this

    Navigation is blocked: org.gurukul.edu:/oauth2redirect?code=Bw0GtMPtlLE2C28raehtI32J8D88u_qJXr8Rk_u8QB0&locale=en_US&state=iGZVrj-TWZ2ImOgNm5Vp6w&userState=Authenticated
    

    Navigation is Blocked.png

    While I saw the logs, but doesn't seem to describe anything regarding this.

    Google IdP Response Debug Log
    
    8/19/2020 04:32:10 PM IST Call the [https://www.googleapis.com/oauth2/v3/tokeninfo] endpoint.
    8/19/2020 04:32:11 PM IST Endpoint returned status code [200]
    8/19/2020 04:32:11 PM IST Endpoint response:
    {
      "iss" : "accounts.google.com",
      "azp" : "711963816597-kkc0k63qtq8pbavj53no1sjccuj2k6nb.apps.googleusercontent.com",
      "aud" : "711963816597-kkc0k63qtq8pbavj53no1sjccuj2k6nb.apps.googleusercontent.com",
      "sub" : "108223291158399663939",
      "hd" : "gurukul.org",
      "email" : "9845195000@gurukul.org",
      "email_verified" : "true",
      "at_hash" : "DczmNxXerelpioPZYvGKUA",
      "name" : "PRO Bangalore",
      "picture" : "https://lh3.googleusercontent.com/-Laz1akUFXm4/AAAAAAAAAAI/AAAAAAAAAAA/AMZuuclWarqwOmyfvlH9Q63dejOSvCpDXw/s96-c/photo.jpg",
      "given_name" : "PRO",
      "family_name" : "Bangalore",
      "locale" : "en",
      "iat" : "1597834930",
      "exp" : "1597838530",
      "jti" : "da94e36cb732b3222dfca247b437a57cd4c6403b",
      "alg" : "RS256",
      "kid" : "6bc63e9f18d561b34f5668f88ae27d48876d8073",
      "typ" : "JWT"
    }
    8/19/2020 04:32:11 PM IST The user with the email address [9845195000@gurukul.org] already exists.
    8/19/2020 04:32:11 PM IST Invoke configured lambda with Id [66353336-3034-6465-3563-323730343666]
    8/19/2020 04:32:11 PM IST Updating user: 
    {
      "breachedPasswordLastCheckedInstant" : null,
      "breachedPasswordStatus" : null,
      "encryptionScheme" : null,
      "factor" : null,
      "id" : "383a31a6-104c-4ea3-ad08-6fd035e609fd",
      "password" : null,
      "passwordChangeReason" : null,
      "passwordChangeRequired" : false,
      "passwordLastUpdateInstant" : 1597669720748,
      "salt" : null,
      "verified" : true,
      "preferredLanguages" : [ ],
      "memberships" : [ ],
      "registrations" : [ ],
      "active" : true,
      "birthDate" : null,
      "cleanSpeakId" : null,
      "data" : { },
      "email" : "9845195000@gurukul.org",
      "expiry" : null,
      "firstName" : "PRO",
      "fullName" : "PRO Bangalore",
      "imageUrl" : "https://lh3.googleusercontent.com/-Laz1akUFXm4/AAAAAAAAAAI/AAAAAAAAAAA/AMZuuclWarqwOmyfvlH9Q63dejOSvCpDXw/s96-c/photo.jpg",
      "insertInstant" : 1597669720711,
      "lastLoginInstant" : 1597834822651,
      "lastName" : "Bangalore",
      "middleName" : null,
      "mobilePhone" : null,
      "parentEmail" : null,
      "tenantId" : "64326262-6536-3663-3737-373861366366",
      "timezone" : null,
      "twoFactorDelivery" : "None",
      "twoFactorEnabled" : false,
      "twoFactorSecret" : null,
      "username" : null,
      "usernameStatus" : "ACTIVE"
    }
    8/19/2020 04:32:11 PM IST User is already registered for application with Id [30d6e7be-407d-4b63-8b98-33a2ae8e2b56].
    8/19/2020 04:32:11 PM IST User has successfully been reconciled and logged into FusionAuth.
    8/19/2020 04:32:11 PM IST Authentication type: GOOGLE
    8/19/2020 04:32:11 PM IST Authentication state: Authenticated
    


  • Even this:

    Well, can you kindly tell me what should be a redirect_uri for android app and the respective intent-filter for AndroidManifest? I want to be sure, that is not causing all this.

    Currently, I am using

    AndroidManifest.xml

    <activity android:name="net.openid.appauth.RedirectUriReceiverActivity" tools:node="replace">
                <intent-filter>
                    <action android:name="android.intent.action.VIEW"/>
                    <category android:name="android.intent.category.DEFAULT"/>
                    <category android:name="android.intent.category.BROWSABLE"/>
                    <data android:scheme="org.gurukul.edu"/>
                </intent-filter>
    </activity>
    

    and redirect_uri = org.gurukul.edu:/oauth2redirect

    Please do help for this, I may seem silly here, but am into a hard troubleshooting all these days & nights.



  • @sswami said in After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize:

    Navigation is blocked:

    Hmmm. This isn't my area of expertise, but some googling turned up:

    https://github.com/openid/AppAuth-Android/issues/324 (2018)
    https://github.com/EddyVerbruggen/Custom-URL-scheme/issues/156

    It might make sense to post these details in the AppAuth-Android github issues and see if anyone there can help you.

    We just published a guest post about this: https://fusionauth.io/blog/2020/08/19/securing-react-native-with-oauth so you might want to see if that would be helpful.



  • Jay Swaminarayan! @dan

    Something that I have learnt a hard way, after a week long troubleshooting was surprising silly, at least for you or other experienced members of fusionauth community.

    However, little I knew the security concerns of the browser, It turns out that,

    • A javascript cannot directly redirect to any com.android.app:/redirect_uri.

    • There must be a User Manual Interactivity for the Redirect to complete, A Button Click or Ancher Link Click

    • That was the Reason Chrome Cancelled the redirect from FusionAuth Screen

    What I could find,

    One of the reasons, that there are consent screens,
    5a4e2399-7f24-4db6-a798-be02a6b7538f-image.png

    Basically Allow Button, redirect back to the app.

    My conclusion:

    • It would be Great if this Consent Screen Mechanism is available for Native Redirects after 1st Authorization within FusionAuth.
    • Time-being I have made a Consent Screen of my own, which is the redirect_uri and than in turn that redirects back to the APP.

    8f6acb59-c8c7-43bc-a720-ec2a813cfe5a-image.png

    I don't know, if what I am doing is best practice or was there something else I should have done, at least this is working for me as now.

    Thank you once again.

    PS: There is another issue, calling /api/logout?global=true&refreshToken={refresh_token} only signs out of the app, but doesn't signout from the FusionAuth completely, making it redirecting back to the App instead of the Login Screen?



  • I'm so glad you solved it!

    @sswami said in After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize:

    I don't know, if what I am doing is best practice or was there something else I should have done, at least this is working for me as now.

    In the blog post I mention, the app uses the react-native-app-auth library, that may be worth investigating as it provides the hooks into the native browser.

    This may be worth investigating so you don't have to support your own solution, though of course I'm glad you have it working.

    There is another issue, calling /api/logout?global=true&refreshToken={refresh_token} only signs out of the app, but doesn't signout from the FusionAuth completely, making it redirecting back to the App instead of the Login Screen?

    You should remove your access tokens in your client when the logout button is pressed. The FusionAuth logout API only removes cookies. This post may be helpful: https://fusionauth.io/community/forum/topic/270/logout-questions


Log in to reply
 

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.