Google IdP link fails on some Mac Safari and Windows Opera browsers #2019

robw-fusionauth opened this issue Dec 16, 2022 · 1 comment

robw-fusionauth commented Dec 16, 2022

Google IdP link fails on some Mac Safari and Windows Opera browsers

Description

With certain browsers (Safari and Opera) the login link with Google IdP hangs and does not return to the FusionAuth login page as expected.

Affects versions

This has been observed by a user and confirmed by FusionAuth Tech Support for FusionAuth v1.39. The issue has also been tested on later versions of FusionAuth (specifically v1.41 and v1.42) but does not occur. The assumption is therefore that it may only affect versions up to v1.39.

Steps to reproduce

  1. Configure Google as an upstream OIDC Identity Provider using Admin UI > Settings > Identity Provider > Google, following instructions here: (https://fusionauth.io/docs/v1/tech/apis/identity-providers/google), and enable a FusionAuth application or tenant to use this connector. The Google link should now appear on the application's login form.
  2. In the application's login page, select the Login with Google button to connect to the Google login form.
  3. If using either Mac Safari or Windows Opera, the Google login form doesn't appear, the process appears to hang, and the user is not redirected back to the FusionAuth login page.

Expected behavior

The expected behaviour is that selecting the Login with Google button should redirect to the Google login form for them to confirm their Google identity and then back to the FusionAuth login page. The Google login form should either prompt for a Google identity or skip straight to the redirection if the current browser session is already authenticated to Google. This process is mainly executed through JavaScript and should work for any (modern) browser with JS enabled.

Platform

FusionAuth v1.39 and before. Also tested on v1.41 where it works correctly.
The problem has been observed with Mac Safari, iPhone AOS Safari, Windows 10/11 Opera.
The problem has been looked for, but does not occur on Firefox, Chrome, Edge.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

Add any other context about the problem here.

@robw-fusionauth

Analysis of the Problem

FusionAuth Tech Support investigated this for v1.39 and confirmed that this occurs for the browsers noted. They also confirm that it doesn't appear to happen with later versions of FusionAuth, e.g.: the current version as of writing, v1.42.

They have not been able to identify why this has become an issue recently, but their research indicates that this issue is probably being caused by a race condition, namely that the supporting FusionAuth JavaScript Helper files that later Google JavaScript files depend on appear to be loading too late. Again, this appears to be only for some browsers.

Workaround

If you have experienced this issue and do not want to upgrade your version, they suggest the following workaround which they believe will resolve the issue for this version.

Assuming you are using a custom theme for FusionAuth, you would resolve this race condition by loading the JavaScript file containing the findIdentityProviderScriptByFileName function at the top of the template. To do this follow these steps:

  1. In the FusionAuth admin UI navigate to Customizations > Themes
  2. Find the custom theme you are using and click the Edit button
  3. Select the OAuth authorize template from the list on the left
  4. You should see a [@helpers.head] macro toward the top of the template, and inside that macro it is loading scripts for the page
  5. The Google.js script is loaded by the [@helpers.alternativeLoginsScript] macro
  6. Before the [@helpers.alternativeLoginsScript] macro you will need to add the following <script>... </script> code to load the Helper.js script before the Google script
    <script id="idp_helper" src="${request.contextPath}/js/identityProvider/Helper.js?version=${version}"></script>
  7. This will cause the Helper.js script containing the missing findIdentityProviderScriptByFileName function to load before the Google.js file, which will now be able to find the function.

If this fix above resolves the issue, they would recommend making the same change to the OAuth register template, i.e.: to add the <script> tag above before the [@helpers.alternativeLoginsScript] macro call.
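
A check for the workaround described in the comment above, as an added example that is not part of the original issue or FusionAuth's own code: it lints a theme template to confirm the Helper.js script tag sits inside the head macro and before the alternativeLoginsScript macro. The function name `checkHelperOrder`, the reason strings and the sample templates are assumptions constructed for illustration, and the `async`/`defer` check goes beyond what the comment states.

```javascript
// Added example: lint a FusionAuth theme template for the Helper.js ordering workaround.
const HEAD_OPEN = '[@helpers.head';
const HEAD_CLOSE = '[/@helpers.head]';
const ALT_LOGINS = '[@helpers.alternativeLoginsScript';
const HELPER_TAG = /<script\b[^>]*\bsrc="[^"]*\/js\/identityProvider\/Helper\.js[^"]*"[^>]*>/;

function checkHelperOrder(template) {
  // Commented-out markup never reaches the browser, so ignore it.
  const live = template
    .replace(/\[#--[\s\S]*?--\]/g, '')
    .replace(/<!--[\s\S]*?-->/g, '');
  const start = live.indexOf(HEAD_OPEN);
  const end = start === -1 ? -1 : live.indexOf(HEAD_CLOSE, start);
  if (end === -1) return { ok: false, reason: 'head-macro-not-found' };
  const head = live.slice(start, end);
  const macroAt = head.indexOf(ALT_LOGINS);
  // Without the macro this template does not load Google.js, so there is nothing to order.
  if (macroAt === -1) return { ok: true, reason: 'no-alternative-logins-macro' };
  const tag = HELPER_TAG.exec(head);
  if (!tag) return { ok: false, reason: 'helper-script-missing' };
  if (tag.index > macroAt) return { ok: false, reason: 'helper-after-macro' };
  // async/defer would let the browser run Helper.js later than the markup order suggests.
  if (/\s(async|defer)\b/i.test(tag[0])) return { ok: false, reason: 'helper-not-blocking' };
  return { ok: true, reason: 'helper-before-macro' };
}

// Constructed sample templates (not FusionAuth's shipped theme; macro arguments omitted).
const HELPER = '<script id="idp_helper" src="${request.contextPath}/js/identityProvider/Helper.js?version=${version}"></script>';
const wrap = (...lines) => ['[@helpers.head]', ...lines, '[/@helpers.head]'].join('\n');
const samples = {
  patched: wrap(HELPER, '[@helpers.alternativeLoginsScript/]'),
  unpatched: wrap('[@helpers.alternativeLoginsScript/]'),
  wrongOrder: wrap('[@helpers.alternativeLoginsScript/]', HELPER),
  commentedOut: wrap('[#-- ' + HELPER + ' --]', '[@helpers.alternativeLoginsScript/]'),
  deferred: wrap(HELPER.replace('<script ', '<script defer '), '[@helpers.alternativeLoginsScript/]'),
};

for (const [name, tpl] of Object.entries(samples)) {
  console.log(name, checkHelperOrder(tpl));
}
```

Run it against the exported source of both the OAuth authorize and OAuth register templates, since the comment recommends the same change in each.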
