When using Oauth with 2FA, the redirect_uri is not called #106

Closed
sofianegargouri opened this issue May 8, 2020 · 15 comments
Labels
product: authentication ticketed Has been given an internal tracking ticket

Comments

@sofianegargouri

Brief description

When using Oauth with 2FA, the redirect_uri is not called

How to reproduce

  • Open an app
  • "Sign in with Twitch"
  • Browser is opened on Twitch email / password signin
  • I type username and password
  • I get redirected to 2FA confirmation code
  • I type the code
  • The browser is redirected to Twitch homepage

Expected behavior

  • The browser is redirected to Twitch homepage while it should be redirecting to my redirect_url
@Marenthyu

Slight correction: It should redirect to the oauth confirmation page at that point - this works perfectly fine on PC, but it seems on mobile this is flawed.

Expected result: https://lowee.de/2020-05-09_00-20-53.mp4
Result on mobile: https://lowee.de/Screen_Recording_20200509-001454.mp4

@jbulava
Member

jbulava commented May 8, 2020

Ticketed internally on IDPLAT-3143.

@jbulava jbulava added the ticketed Has been given an internal tracking ticket label May 8, 2020
@jbulava
Member

jbulava commented May 19, 2020

@sofianegargouri Is your app publicly available? Trying to reproduce the problem and want to see the difference between having the app and not having the app downloaded.

@Marenthyu

The issue pops up even without the app installed and a "normal" redirect uri.

This is with a fresh Client-ID and the redirect uri set to http://localhost or https://localhost: https://lowee.de/Screen_Recording_20200519-195812.mp4

The only way I get it to work properly is by forcing Chrome into the "show Desktop page" mode: https://lowee.de/Screen_Recording_20200519-201214.mp4

@jbulava
Member

jbulava commented May 20, 2020

Got it. I was already logged in when testing and I assume the team might have been doing the same.

@sofianegargouri
Author

@jbulava Sorry, the app is not public yet 😕

@rizwan95

@jbulava Any update on this? It is a show stopper for so many apps out there. It would be great if this issue is fixed asap.

@dawilliams-gpsw

+1 to @rizwan95
Users encounter this on first login with 2FA.

@snovell-gpsw

Yes, please fix this, bad first-time experience.

@jbulava
Member

jbulava commented May 28, 2020

No update at the moment on timeline for resolution. I can say that this is consistently reproducible for the following conditions:

  • User is not logged into Twitch on mobile to begin
  • The OAuth URL is visited in the Chrome browser within iOS or Android (Safari is not affected)
  • User is redirected to log into Twitch
  • If they have 2FA enabled, they are redirected to the front page of Twitch after logging in

@rizwan95

> No update at the moment on timeline for resolution. I can say that this is consistently reproducible for the following conditions:
>
>   • User is not logged into Twitch on mobile to begin
>   • The OAuth URL is visited in the Chrome browser within iOS or Android (Safari is not affected)
>   • User is redirected to log into Twitch
>   • If they have 2FA enabled, they are redirected to the front page of Twitch after logging in

The points which you have mentioned are correct. I would like to add that the problem exists for Safari (SFSafariViewController) in iOS as well.

@dawilliams-gpsw

It also affects the ASWebAuthenticationSession API used to facilitate an oauth flow within an iOS application, under the conditions listed by @jbulava (with the exception of the chrome comment).

@GoodnightPandas

I have an Android app available in the Google Play store, Greasy Gamer, that can replicate this issue. Basically, the user can click the chat box on the embedded Twitch chat, sign in, and then it doesn't go to my app with the token. As of now, I am having to redirect to the web version of my app (it works on web browser, but this issue persists inside of a webview).

@jbulava
Member

jbulava commented Jun 9, 2020

A fix for this issue was added to production on June 4. Please do let us know however if you see any further redirect issues.

@jbulava jbulava closed this as completed Jun 9, 2020
@rizwan95

Yes, this fixes the problem :) Thanks a lot @jbulava

7 participants