After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize

sswami

I was waiting for this moment, thank you for your quick reply.

1. We are using FusionAuth version 1.17.0.
2. To replicate the steps:
   We are developing a Native Android & iOS App which will use FusionAuth as OIDC Idp.
   I have implemented https://github.com/openid/AppAuth-Android and shall implement the iOS project from the same author.

Everything is working fine... Username/Email + Password login is working perfectly fine...However, when we use Google Sign-in (which is working perfectly on Desktop Chrome), but in Android when the app goes to fusionauth login screen.

1. It gives option for Google Signin
2. When clicked, It opens Google Signin Page
3. It perhaps, even signin to the google ( how i know, next time it doesn't asked me for password)
4. it closes the google signin window
5. I see the FusionAuth login form, it doesn't process anything and doesn't therefore return to the App.

PS: i tired lot for 2-3 days now to figure out, inspected the android chrome on desktop dev tools, it gave me this cookie warning, ( which i also get for desktop chrome but in desktop fusionauth processes, in android it doesn't). So i felt may be this is the issue.

Kindly let me know what can be done.

dan

Hiya,

It looks like this is being tracked in a github issue as well: https://github.com/FusionAuth/fusionauth-issues/issues/813

Thanks for providing more details.

Have you tried modifying the fusionauth-app.cookie-same-site-policy to None? It defaults to Lax. The cookie should be set to Secure as long as you are serving it from an https URL. That has some security ramifications you should be aware of:

None used to be the default value, but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

But may be worth exploring to see if it solves your issue right now. If you pursue that in production, make sure you research the security consequences.

I looked in the github issues for https://github.com/openid/AppAuth-Android/ but didn't see anything mentioned. You might want to see if you can narrow it down and file an issue there, since it appears to be an android chrome issue.

I'd also try to see if google sign in works fine from android chrome directly (not using your application, just the native browser) as that might help focus on whether the issue is in the AppAuth-Android code, your app implementation, Android Chrome or elsewhere.

You could also see if any error messages are shown in the fusionauth logs; if so please share them.

Also, if quick turnaround times for support are crucial to you, I'd suggest one of our paid plans with support: https://fusionauth.io/pricing Doing so guarantees turnaround time and engineering team access, as opposed to best effort community support. We understand that won't work for everyone (one of the reasons the community edition is forever free) but I wanted to mention that as an option.

sswami

Hello @dan ,

Actually I did multiple things and tried debug the app on the device and found that, things are working but the flow cancels at the callback. I don't know whats the issue.

I m attaching screenshots!

dan

Hmmm. The fact the callback is what is failing is very interesting to me. Isn't that in the AppAuth-Android code (catching the redirect from FusionAuth to save off the access token? Are there any logs on the device that might be helpful?

sswami

@dan
Thanx again,

The callback fails only when the user first login with google, later it works. Like my app therefore is receiving the redirect

Edit:
Also, the regular Username/Password login is working fine, so the AppAuth-Android catching redirect seems not to be the issue, i guess.

dan

The callback fails only when the user first login with google, later it works. Like my app therefore is receiving the redirect

Can you get any logging from the app on why the callback fails? Or do you have that in the screenshots and I just missed it (there's a lot going on, so maybe I did).

sswami

Jay Swaminarayan! @dan

The only thing I could find was this

Navigation is blocked: org.gurukul.edu:/oauth2redirect?code=Bw0GtMPtlLE2C28raehtI32J8D88u_qJXr8Rk_u8QB0&locale=en_US&state=iGZVrj-TWZ2ImOgNm5Vp6w&userState=Authenticated

While I saw the logs, but doesn't seem to describe anything regarding this.

Google IdP Response Debug Log

8/19/2020 04:32:10 PM IST Call the [https://www.googleapis.com/oauth2/v3/tokeninfo] endpoint.
8/19/2020 04:32:11 PM IST Endpoint returned status code [200]
8/19/2020 04:32:11 PM IST Endpoint response:
{
  "iss" : "accounts.google.com",
  "azp" : "711963816597-kkc0k63qtq8pbavj53no1sjccuj2k6nb.apps.googleusercontent.com",
  "aud" : "711963816597-kkc0k63qtq8pbavj53no1sjccuj2k6nb.apps.googleusercontent.com",
  "sub" : "108223291158399663939",
  "hd" : "gurukul.org",
  "email" : "9845195000@gurukul.org",
  "email_verified" : "true",
  "at_hash" : "DczmNxXerelpioPZYvGKUA",
  "name" : "PRO Bangalore",
  "picture" : "https://lh3.googleusercontent.com/-Laz1akUFXm4/AAAAAAAAAAI/AAAAAAAAAAA/AMZuuclWarqwOmyfvlH9Q63dejOSvCpDXw/s96-c/photo.jpg",
  "given_name" : "PRO",
  "family_name" : "Bangalore",
  "locale" : "en",
  "iat" : "1597834930",
  "exp" : "1597838530",
  "jti" : "da94e36cb732b3222dfca247b437a57cd4c6403b",
  "alg" : "RS256",
  "kid" : "6bc63e9f18d561b34f5668f88ae27d48876d8073",
  "typ" : "JWT"
}
8/19/2020 04:32:11 PM IST The user with the email address [9845195000@gurukul.org] already exists.
8/19/2020 04:32:11 PM IST Invoke configured lambda with Id [66353336-3034-6465-3563-323730343666]
8/19/2020 04:32:11 PM IST Updating user: 
{
  "breachedPasswordLastCheckedInstant" : null,
  "breachedPasswordStatus" : null,
  "encryptionScheme" : null,
  "factor" : null,
  "id" : "383a31a6-104c-4ea3-ad08-6fd035e609fd",
  "password" : null,
  "passwordChangeReason" : null,
  "passwordChangeRequired" : false,
  "passwordLastUpdateInstant" : 1597669720748,
  "salt" : null,
  "verified" : true,
  "preferredLanguages" : [ ],
  "memberships" : [ ],
  "registrations" : [ ],
  "active" : true,
  "birthDate" : null,
  "cleanSpeakId" : null,
  "data" : { },
  "email" : "9845195000@gurukul.org",
  "expiry" : null,
  "firstName" : "PRO",
  "fullName" : "PRO Bangalore",
  "imageUrl" : "https://lh3.googleusercontent.com/-Laz1akUFXm4/AAAAAAAAAAI/AAAAAAAAAAA/AMZuuclWarqwOmyfvlH9Q63dejOSvCpDXw/s96-c/photo.jpg",
  "insertInstant" : 1597669720711,
  "lastLoginInstant" : 1597834822651,
  "lastName" : "Bangalore",
  "middleName" : null,
  "mobilePhone" : null,
  "parentEmail" : null,
  "tenantId" : "64326262-6536-3663-3737-373861366366",
  "timezone" : null,
  "twoFactorDelivery" : "None",
  "twoFactorEnabled" : false,
  "twoFactorSecret" : null,
  "username" : null,
  "usernameStatus" : "ACTIVE"
}
8/19/2020 04:32:11 PM IST User is already registered for application with Id [30d6e7be-407d-4b63-8b98-33a2ae8e2b56].
8/19/2020 04:32:11 PM IST User has successfully been reconciled and logged into FusionAuth.
8/19/2020 04:32:11 PM IST Authentication type: GOOGLE
8/19/2020 04:32:11 PM IST Authentication state: Authenticated

sswami

Even this:

Well, can you kindly tell me what should be a redirect_uri for android app and the respective intent-filter for AndroidManifest? I want to be sure, that is not causing all this.

Currently, I am using

AndroidManifest.xml

<activity android:name="net.openid.appauth.RedirectUriReceiverActivity" tools:node="replace">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="org.gurukul.edu"/>
            </intent-filter>
</activity>

and redirect_uri = org.gurukul.edu:/oauth2redirect

Please do help for this, I may seem silly here, but am into a hard troubleshooting all these days & nights.

dan

@sswami said in After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize:

Navigation is blocked:

Hmmm. This isn't my area of expertise, but some googling turned up:

https://github.com/openid/AppAuth-Android/issues/324 (2018)
https://github.com/EddyVerbruggen/Custom-URL-scheme/issues/156

It might make sense to post these details in the AppAuth-Android github issues and see if anyone there can help you.

We just published a guest post about this: https://fusionauth.io/blog/2020/08/19/securing-react-native-with-oauth so you might want to see if that would be helpful.

sswami

Jay Swaminarayan! @dan

Something that I have learnt a hard way, after a week long troubleshooting was surprising silly, at least for you or other experienced members of fusionauth community.

However, little I knew the security concerns of the browser, It turns out that,

• A javascript cannot directly redirect to any com.android.app:/redirect_uri.

• There must be a User Manual Interactivity for the Redirect to complete, A Button Click or Ancher Link Click

• That was the Reason Chrome Cancelled the redirect from FusionAuth Screen

What I could find,

One of the reasons, that there are consent screens,

Basically Allow Button, redirect back to the app.

My conclusion:

• It would be Great if this Consent Screen Mechanism is available for Native Redirects after 1st Authorization within FusionAuth.
• Time-being I have made a Consent Screen of my own, which is the redirect_uri and than in turn that redirects back to the APP.

I don't know, if what I am doing is best practice or was there something else I should have done, at least this is working for me as now.

Thank you once again.

PS: There is another issue, calling /api/logout?global=true&refreshToken={refresh_token} only signs out of the app, but doesn't signout from the FusionAuth completely, making it redirecting back to the App instead of the Login Screen?

dan

I'm so glad you solved it!

@sswami said in After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize:

I don't know, if what I am doing is best practice or was there something else I should have done, at least this is working for me as now.

In the blog post I mention, the app uses the react-native-app-auth library, that may be worth investigating as it provides the hooks into the native browser.

This may be worth investigating so you don't have to support your own solution, though of course I'm glad you have it working.

There is another issue, calling /api/logout?global=true&refreshToken={refresh_token} only signs out of the app, but doesn't signout from the FusionAuth completely, making it redirecting back to the App instead of the Login Screen?

You should remove your access tokens in your client when the logout button is pressed. The FusionAuth logout API only removes cookies. This post may be helpful: https://fusionauth.io/community/forum/topic/270/logout-questions