When using Oauth with 2FA, the redirect_uri is not called

[sofianegargouri]

Brief description

When using Oauth with 2FA, the redirect_uri is not called

How to reproduce

• Open an app
• "Sign in with Twitch"
• Browser is opened on Twitch email / password signin
• I type username and password
• I get redirected to 2FA confirmation code
• I type the code
• The browser is redirected to Twitch homepage

Expected behavior

• The browser is redirected to Twitch homepage while it should be redirecting to my redirect_url

[Marenthyu]

Slight correction: It should redirect to the oauth confirmation page at that point - this works perfectly fine on PC, but it seems on mobile this is flawed.

Expected result: https://lowee.de/2020-05-09_00-20-53.mp4
Result on mobile: https://lowee.de/Screen_Recording_20200509-001454.mp4

[jbulava]

Ticketed internally on IDPLAT-3143.

[jbulava]

@sofianegargouri Is your app publicly available? Trying to reproduce the problem and want to see the different between having the app and not having the app downloaded.

[Marenthyu]

The issue pops up even without the app installed and a "normal" redirect uri.

This is with a fresh Client-ID and the redirect uri set to http://localhost or https://localhost https://lowee.de/Screen_Recording_20200519-195812.mp4

The only way i get it to work properly is by forcing chrome into the "show Desktop page" mode: https://lowee.de/Screen_Recording_20200519-201214.mp4

[jbulava]

Got it. I was already logged in when testing and I assume the team might have been doing the same.

[sofianegargouri]

@jbulava Sorry, the app is not public yet 😕

[rizwan95]

@jbulava Any update on this? It is a show stopper for so many apps out there. It would be great if this issue is fixed asap.

[dawilliams-gpsw]

+1 to @rizwan95
Users encounter this on first login with 2FA.

[snovell-gpsw]

Yes Please fix this, bad first time experience

[jbulava]

No update at the moment on timeline for resolution. I can say that this is consistently reproducible for the following conditions:

• User is not logged into Twitch on mobile to begin
• The OAuth URL is visited in the Chrome browser within iOS or Android (Safari is not affected)
• User is redirected to log into Twitch
• If they have 2FA enabled, they are redirected to the front page of Twitch after logging in

[rizwan95]

No update at the moment on timeline for resolution. I can say that this is consistently reproducible for the following conditions:

• User is not logged into Twitch on mobile to begin

• The OAuth URL is visited in the Chrome browser within iOS or Android (Safari is not affected)

• User is redirected to log into Twitch

• If they have 2FA enabled, they are redirected to the front page of Twitch after logging in

The points which you have mentioned are correct. I would like to add that the problem exists for Safari (SFSafariViewController) in iOS as well.

[dawilliams-gpsw]

It also affects the ASWebAuthenticationSession API used to facilitate an oauth flow within an iOS application, under the conditions listed by @jbulava (with the exception of the chrome comment).

[GoodnightPandas]

I have an Android app available in the Google Play store, Greasy Gamer that can replicate this issue. Basically, the user can click the chat box on the embedded twitch chat, sign in, and then it doesnt go to my app with the token. As of now, i am having to redirect to the web version of my app (it works on web browser, but this issue persists inside of a webview)

[jbulava]

A fix for this issue was added to production on June 4. Please do let us know however if you see any further redirect issues.

[rizwan95]

Yes, this fixes the problem :) Thanks a lot @jbulava