SameSite=Strict cookies break the oauth flow (Grant: missing session or misconfigured provider) #199
Comments
A few things I have tried: use the same express settings as in the example; try to get debug traces by running. There are absolutely no traces on the first attempt. The second attempt looks good:
No traces on the first attempt looks weird. It means that grant did not even try to get the token.
The playground seems to work ok. It could be either a different config or a different framework... or more likely some error on my side!
A few things to note here:
My only assumption right now is that for some reason the session is not being loaded when you get back to the redirect URL.
Could you please point me to where in the code I should check that?
You can put a simple handler before grant:

```js
// app: your express application (the handler goes before the Grant middleware)
app.use('/oauth/:provider/:callback?', (req, res, next) => {
  console.log(req.session.grant)
  next()
})
```

This will tell you what's loaded inside the session before entering the Grant handler. If that key is missing or empty, or otherwise the data inside it does not match the
Yep there is definitely something fishy with the session:
Before connection:
On trying to login
When back to google/callback:
For some reason the session is retrieved (
You can try setting up
I think I found the culprit:
It looks like I did a quick test and it seems to be the root cause. I'll confirm later today when I have time to test extensively. Thanks for your help!
I confirm that this solves the problem. Would you like me to send a PR to add a warning in the examples and the doc?
'strict' breaks the oauth flow. See simov/grant#199
Thanks for the feedback @vicb, that was really helpful. I don't think we need to update the examples, as they strive to be short and simple, not necessarily with the best setup for production. As for the docs, probably an additional Cookies section under Misc? We definitely need some info about this somewhere, I'm just not sure yet where. Otherwise we can keep this issue open for now as a reference too, probably with an updated title?
I have updated the title and description of the issue. I think a "FAQ" or "Troubleshooting" section in the docs might be helpful to explain the most common errors people encounter. Explaining why/when the "Grant: missing session or misconfigured provider" error is generated would be great. One of the things this entry should tell people to check is the SameSite setting.
Same thing happens with
TL;DR: do not use strict SameSite cookies.

From MDN:

This means that the session cookie will not be sent when the oauth provider redirects to your oauth callback (`.../connect/<provider>/callback`) at the end of the Authorization Request. It means that at that point grant will not be able to get the configuration information, as those are stored in the session. As a result grant will redirect you to the root of your site with a `Grant: missing session or misconfigured provider` error, i.e. `https://example.com/?error=Grant%3A%20missing%20session%20or%20misconfigured%20provider`.

Using `SameSite=Lax`, which is the default value in modern browsers, solves this issue.

I thought everything was finally working until I tried to login from an incognito window.
My app is at flyxc.app
Grant is mounted on oauth
You can see my config and the express server on github.
So the first time I tried to authenticate, I have:
Request URL:
[10ms] https://flyxc.app/oauth/google?x=85&y=24
Request URL:
[215ms] https://accounts.google.com/o/oauth2/auth?client_id=754556983658-qscerk4tpsu8mgb1kfcq5gvf8hmqsamn.apps.googleusercontent.com&response_type=code&redirect_uri=https%3A%2F%2Fflyxc.app%2Foauth%2Fgoogle%2Fcallback&scope=openid%20email%20profile&state=72773a896d3aa87c33fe82ba58f25b5988b92966&nonce=247053f8ca6cd2fe238cb64e1de0ff3340395cea&code_challenge_method=S256&code_challenge=blH_5sDhwsE9-ZRoGA2fD12HT1MY-WeNr4GnoP0DiZc
Then it takes some time to enter the email and do the 2-step verification.
There are a few more requests during this time:
Request URL:
[28.56s] https://accounts.google.com/CheckCookie?hl=en&checkedDomains=youtube&[...]
Request URL:
[28.66s] https://accounts.youtube.com/accounts/SetSID?ssdc=1&[...]
Request URL:
[28.85s] https://accounts.google.com/signin/oauth/consent?authuser=0&[...]
Request URL:
[29.22s] https://flyxc.app/oauth/google/callback?state=72773a896d3aa87c33fe82ba58f25b5988b92966&code=[...]&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none
At this point grant redirects to "/":
[29.41s] https://flyxc.app/?error=Grant%3A%20missing%20session%20or%20misconfigured%20provider
Question: Why would grant ever want to redirect me to `/` instead of my callback (`/device.html`)?

If I initiate the login again:
Request URL:
[5.2m] https://accounts.google.com/o/oauth2/auth?client_id=754556983658-qscerk4tpsu8mgb1kfcq5gvf8hmqsamn.apps.googleusercontent.com&response_type=code&redirect_uri=https%3A%2F%2Fflyxc.app%2Foauth%2Fgoogle%2Fcallback&scope=openid%20email%20profile&state=31c00ed60daa1488cc348763a895c285a0692ed1&nonce=0556040886b7f73a8a16546d83795deeacee1375&code_challenge_method=S256&code_challenge=V3xFedAexGB30MY3ZUFbjdS23ghNds9lXv9h_Rf8ooI
Request URL:
[5.2m] https://flyxc.app/oauth/google/callback?state=31c00ed60daa1488cc348763a895c285a0692ed1&code=[...]&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none
And grant finally logged me in without any error:
Request URL:
[5.2m] https://flyxc.app/devices.html, auth ok.

I do see the session cookie created the first time I navigate to the `/oauth/google`
Do you have any idea of what could go wrong when grant receives the code?
Is there a timeout that could cause the issue?
Otherwise any idea on how I can debug this? What should I log?
Thanks!
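The failure described in this issue (and the debugging handler suggested in the comment above, which prints `req.session.grant` before Grant runs) comes down to one browser rule: a `SameSite=Strict` cookie is never attached to a request whose initiator is another site, and the provider's redirect back to the callback is exactly such a request. The following is an added example, not code from the Grant project or from the reporter: a small JavaScript model of the SameSite decision, replayed over the redirect chain from the report (host names taken from the issue; the helper names, the hop list and the `express-session` cookie objects are assumptions made here). The site computation is simplified to scheme plus the last two host labels instead of the Public Suffix List.

```javascript
// Added example, not code from the Grant project: a small model of the
// browser's SameSite cookie rules, used to replay the redirect chain from this
// issue and show why a SameSite=Strict session cookie never reaches
// /oauth/google/callback while SameSite=Lax does. Host names are taken from
// the report; everything else (helper names, the hop list) is constructed here.

// Simplification: a "site" is scheme plus the last two host labels. Browsers
// use the Public Suffix List for this; two labels are enough for these hosts.
function siteOf(urlString) {
  const u = new URL(urlString);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

// Decide whether a cookie with the given SameSite attribute is attached to a
// request. `initiator` is the URL of the page or redirecting response that
// caused the request, `target` is the request URL.
function cookieIsSent(cookie, { initiator, target, method = 'GET', topLevel = true }) {
  const sameSiteRequest = siteOf(initiator) === siteOf(target);
  switch (String(cookie.sameSite).toLowerCase()) {
    case 'strict':
      // Strict: same-site requests only. A redirect arriving from the
      // provider's site is cross-site, so the cookie stays home.
      return sameSiteRequest;
    case 'lax':
      // Lax additionally allows cross-site top-level navigations that use a
      // safe method, which is exactly the provider -> callback GET redirect.
      return sameSiteRequest || (topLevel && (method === 'GET' || method === 'HEAD'));
    case 'none':
      // None is only honoured when the cookie is also marked Secure.
      return cookie.secure === true;
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// The redirect chain from the report as constructed sample data (query strings
// omitted). The session cookie is set by the response to hop 1.
const APP = 'https://flyxc.app';
const REDIRECT_CHAIN = [
  { step: 'user opens /oauth/google',       initiator: `${APP}/`,                                   target: `${APP}/oauth/google` },
  { step: 'grant redirects to provider',    initiator: `${APP}/oauth/google`,                       target: 'https://accounts.google.com/o/oauth2/auth' },
  { step: 'provider redirects to callback', initiator: 'https://accounts.google.com/o/oauth2/auth', target: `${APP}/oauth/google/callback` },
];

// For every hop after the cookie was set that goes back to our own site,
// report whether the session cookie would accompany the request.
function replay(cookie) {
  return REDIRECT_CHAIN.slice(1)
    .filter(hop => siteOf(hop.target) === siteOf(APP))
    .map(hop => ({ step: hop.step, sessionCookieSent: cookieIsSent(cookie, hop) }));
}

// What Grant sees at the callback: with no session it cannot load the
// provider data it stored during hop 1, and redirects to "/" with this error.
function grantCallbackOutcome(cookie) {
  const callback = replay(cookie).find(r => r.step === 'provider redirects to callback');
  return callback.sessionCookieSent ? 'ok' : 'Grant: missing session or misconfigured provider';
}

// express-session `cookie` options: the setting that caused the report beside
// the working one (assumed names, not from the reporter's config).
const STRICT_SESSION_COOKIE = { httpOnly: true, secure: true, sameSite: 'strict' };
const LAX_SESSION_COOKIE = { httpOnly: true, secure: true, sameSite: 'lax' };

for (const cookie of [STRICT_SESSION_COOKIE, LAX_SESSION_COOKIE]) {
  console.log(`sameSite=${cookie.sameSite}:`, replay(cookie), '->', grantCallbackOutcome(cookie));
}
```

Run with `node`, the Strict configuration reports `sessionCookieSent: false` for the callback hop and the Grant error string, while Lax reports `true` and `ok`; this is also why the `console.log(req.session.grant)` handler from the comment above prints `undefined` at the callback under Strict. Two caveats worth keeping in mind: Lax only helps because the provider returns the authorization code with a GET redirect, so a provider that POSTs the response (for example OpenID Connect `response_mode=form_post`) would withhold even a Lax cookie and would need `SameSite=None; Secure`; and the model above treats the provider as the initiator of the callback request, which is what matters for the cookie, independent of how many intermediate hops the provider's own sign-in flow adds.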