"Login CISO" challenge fails when using Google login button [🐛]

[teodor440]

🐛 Bug report

Description

Logging in as CISO bypassing oauth user doesn't seem to work anymore. There is a short succesful notice when attempting to login, but afterwards I get redirected to login page and no token is issued.

🔬 Minimal Reproduction

As in the solution: make a failed login attempt as ciso@juice-sh.op with remember me box checked, refresh and login with oauth

🌳 Your Environment

Locally and heroku

Additional Information

[github-actions]

Thanks a lot for opening your first issue with us! 🧡 We'll get back to you shortly! ⏳ If it was a Support Request, please consider asking on the community chat next time! 💬

[bkimminich]

The workaround that was in place originally for domains not recognized by the Google App also works here, so the challenge is still solvable. Just not in the way it was originally intended to be solved with.

A more detailed analysis needs to be done to verify if/where the necessary HTTP header with the old email got lost or broken or why Google rejects the login attempts.

[bkimminich]

• In a normal OAuth login w/o any X-User-Email header: ✔️ 200 from https://www.googleapis.com/oauth2/v1/userinfo
• With same email of Google account email in X-User-Email header: ❌ 403 from https://www.googleapis.com/oauth2/v1/userinfo
• With different email address than the one of Google account email in X-User-Email header: ❌ 403 from https://www.googleapis.com/oauth2/v1/userinfo

[Rishabh-Kumar-07]

Hi! I would like to work on this. Will follow up soon with PR.

[bkimminich]

Hi @Rishabh-Kumar-07, did you make any progress on this or should we consider it "up for grabs" again?

[Rishabh-Kumar-07]

Hey. I am engaged otherwise. You can mark it "up for grabs". Apology for the trouble.

[prince-7]

I would like to work on this. Please Assign.

[prince-7]

I have found some instances where x-user-email is used instead of X-User-Email, Is that on purpose?

[bkimminich]

I don't know, but does it even make a difference for the Browser?

[prince-7]

Maybe. Because as I looked into the issue I found that on clicking OAuth button the success message comes up shortly before redirecting back to the login page, and the request which causes this problem seems to be this one.

[adityaofficial10]

Hey @prince-7 @bkimminich !
If this has stalled, can i work on this?

[bkimminich]

Totally, yes! 👍

[bkimminich]

After almost 1 month of inactivity, this issue is now back in "who want's to give it a shot?" status! 😁

[Krshivam25]

Hi @bkimminich this issue is related to Account linking with OAuth. Which supports two industry-standard implicit and authorization code flows.

[vibhuti019]

Hi @bkimminich, I would love to give this a shot.

[mihai02t]

Hi @bkimminich. If this is stalled and nobody picked it up yet, can I work on it?

[bkimminich]

I think I might have to add a new label for this issue... 😬

[bkimminich]

"Fixed".

[github-actions]

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.