This repository has been archived by the owner on Jan 7, 2022. It is now read-only.

Google: Unable to sign in Again #40

Closed
rubencarneiro opened this issue Apr 11, 2020 · 59 comments · Fixed by #45
Comments

@rubencarneiro

Guess this user agent string is also blocked.

@mardy (Member) commented Apr 12, 2020

Please provide some information. What account are you trying to create? Can you provide a screenshot for the error?

@rubencarneiro (Author)

> Please provide some information. What account are you trying to create? Can you provide a screenshot for the error?

Google account sign-in; the user agent string has been blocked.

@mardy (Member) commented Apr 14, 2020

I just tried, and indeed it doesn't work for me either. If Google doesn't want us to use their services, I think we should just remove the account, unless someone can come up with a user-agent string that works (or any other solution, for that matter).

I'll still spend some time to investigate the issue, to make sure that the problem is indeed with the user-agent and not with some other protocol changes. But if nothing works, we should just remove it.

@mardy (Member) commented Apr 14, 2020

OK, I did some investigation. First I tried removing most of the OAuth scopes from /usr/share/accounts/providers/google.provider, to see if the error could be due to some permission; it didn't help.

Then I ran

OAU_LOGGING_LEVEL=2 OAU_DAEMON_TIMEOUT=9999 online-accounts-service

to collect the logs while I was trying to create the account, and when the URL for the login page was printed, I tried to open it in the Morph browser instead. Surprise surprise, it worked.

It looks like Google is actively trying to prevent the user from authenticating within webviews:
https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html
https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html
https://support.google.com/accounts/answer/7675428?co=GENIE.Platform%3DAndroid&hl=en

All this suggests to me that there must be some code within the Chrome engine that is capable of detecting whether the webview is part of a browser or embedded in some application.

It would be nice if someone with more experience with Morph (@mariogrip?) could help me understand whether there's something I need to implement in the Online Accounts webview to make the chromium engine think that we are a full-fledged browser.

Maybe Google is trying to open some frame? I see this in the logs:

Invalid 'X-Frame-Options' header encountered when loading 'https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-913843931&timestamp=1586880261321': 'ALLOW-FROM https://accounts.google.com' is not a recognized directive. The header will be ignored.

The fact that the page is called CheckConnection makes me especially suspicious.

mardy changed the title from "Unable to sign in Again" to "Google: Unable to sign in Again" on Apr 14, 2020
@rubencarneiro (Author) commented Apr 14, 2020

Removing the account is not viable; people sync with Google contacts.
Can't we implement this instead of UA strings?
https://wicg.github.io/ua-client-hints/

@rubencarneiro (Author)

Fixed for now #43

@Flohack74 (Member)

> Removing the account is not viable; people sync with Google contacts.
> Can't we implement this instead of UA strings?
> https://wicg.github.io/ua-client-hints/

How should implementing this draft solve a problem where Google bans embedded browser frameworks? That's not causing any improvement.

@GI9VANNI

I updated my Nexus 5 to OTA-12 but unfortunately it's no longer possible to connect the Google account to synchronize the contacts. Morph Browser is not supported. How can I get around this?

@rubencarneiro (Author)

Try installing this, then reboot: https://github.com/rubencarneiro/account-plugins/releases

@GI9VANNI

@rubencarneiro Hi, thanks for the answer!
Unfortunately I can't install the .deb file. I tried with:
sudo dpkg -i account-plugin-google_0.15.0ubports1local.1586944513_all.deb
but this error was returned:
Read-only file system
Which command should I use to install your fix?

@rubencarneiro (Author)

> @GI9VANNI Hi, thanks for the answer!
> Unfortunately I can't install the .deb file. I tried with:
> sudo dpkg -i account-plugin-google_0.15.0ubports1local.1586944513_all.deb
> but this error was returned:
> Read-only file system
> Which command should I use to install your fix?

First do sudo -s
sudo mount -o remount,rw /
sudo dpkg -i "deb file"

@GI9VANNI

It worked!
Now Google thinks my Nexus 5 is a Nexus 4, but it did give me access.
Thanks @rubencarneiro 👍

@stanwood77

Thank you for this great workaround solution! Will this plugin be implemented by default in a future OTA?

@rubencarneiro (Author)

> Thank you for this great workaround solution! Will this plugin be implemented by default in a future OTA?

That's up to the UBports team.

@ScardracS-zz

I did some investigation too and found that the Chromium version of Morph is actually v65, which is too old for Google (in fact Google is actively blocking it for access to Google accounts and so on). A solution could be to try to update Chromium to the latest version (at least v80).

@Flohack74 (Member)

We already explained in detail why this is not a fix that will work for all users (Google seems to be pretty inconsistent about it, but I think they will close all remaining gaps soon): Morph browser uses QtWebEngine, which in turn uses a Chromium browser process. And that again is started by the accounts plugin to verify the details. Now see this snippet:
(screenshot of the Google support page)
Taken from https://support.google.com/accounts/answer/7675428?co=GENIE.Platform%3DDesktop&hl=en
What it basically says is: the browser cannot be secure if it's embedded into another process, since that process could be a man-in-the-middle and could steal identity data during the handshake.
So I expect this User Agent workaround to stop working sooner or later again. See that they wrote it "might stop login", so it sometimes works, sometimes does not. We do not want to a) make fixes that work only for a few users, b) fix this thing again and again. We need a permanent solution for this, and as long as nobody comes up with a real implementation that works for all users in all cases, it's not an accepted solution. Maybe @mardy can give some more insights about the problem here.

@Flohack74 (Member)

@scardracs we do not have control over the Chromium version, as we use the one that comes with the Qt version that is installed. We will upgrade soon to Qt 5.15, which will probably bump the version of Chromium, but the problem has nothing to do with the version. It's because Google can detect that the browser process is hosted by another app, and that's thought to have potential security risks. Read more here: https://9to5google.com/2019/04/18/google-block-man-in-the-middle/

@ScardracS-zz

Thanks @Flohack74 for the clarifications :)

mardy added a commit to mardy/account-plugins that referenced this issue Sep 3, 2020
These keys have been generated in the Google API Console for a "desktop
application". This also means that we cannot use an external OAuth
callback, but we need to use a loopback URL. Luckily, Google does not
really check whether there's actually a server responding on this
address, so we can get away without implementing one.

This seems to remove the warning on the insecure browser.

Fixes: ubports#40
@mardy (Member) commented Sep 3, 2020

Hi everybody,
I would like to ask people who are affected by this bug to try out the following steps:

  1. From a terminal on the device (or in an SSH session), run the following commands (just copy/paste them):
# Remount the filesystem to read-write mode:
sudo mount -o remount,rw /

# Update the Google account configuration
sudo sh -c "cat > /usr/share/accounts/providers/google.provider" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<provider id="google">
  <name>Google</name>
  <description>Includes Gmail, Google Docs, Google+, YouTube and Picasa</description>
  <icon>google</icon>
  <translations>account-plugins</translations>
  <domains>.*google\.com</domains>

  <template>
    <group name="auth">
      <setting name="method">oauth2</setting>
      <setting name="mechanism">web_server</setting>
      <group name="oauth2">
        <group name="web_server">
          <setting name="Host">accounts.google.com</setting>
          
          <setting name="AuthPath">o/oauth2/auth?access_type=offline</setting>
          <setting name="TokenPath">o/oauth2/token</setting>
          <setting name="RedirectUri">http://localhost:6392/oauth_callback</setting>
          <setting name="ResponseType">code</setting>
          <setting type="as" name="Scope">['email','profile','https://www.google.com/m8/feeds/','https://www.googleapis.com/auth/calendar','https://www.googleapis.com/auth/carddav']</setting>
          <setting name="ClientId">1032863574955-44edra7uap3789kuc3cmplofd620ombh.apps.googleusercontent.com</setting>
          <setting name="ClientSecret">QvEYYpxvrn6Oo-mOWZ_obhre</setting>
          <setting type="as" name="AllowedSchemes">['https','http']</setting>
          <setting type="b" name="ForceClientAuthViaRequestBody">true</setting>
        </group>
      </group>
    </group>
  </template>
</provider>
EOF
  2. Try creating a Google account again.

If it works, please add a thumbs up :-) If it doesn't, please describe the error you encounter in as much detail as possible.

@Flohack74 (Member)

@mardy did we forget this for the release notes of OTA-113? It's also not marked to be on the OTA-13 board.

@Flohack74 (Member)

Because somebody told me it works in OTA-13, but that was probably the fix with the user-agent which only works sometimes. Should we target it for OTA-14 then?

mardy added a commit to mardy/ubuntu-system-settings-online-accounts that referenced this issue Apr 22, 2021
This will automatically be used when the final URL is on the localhost.
Plugins should use the LoopbackServer class to listen for accesses and
forward them to this class.

Contributes to: ubports/account-plugins#40
mardy added a commit to mardy/account-plugins that referenced this issue Apr 22, 2021
@mardy (Member) commented Apr 22, 2021

I have a couple of merge requests implementing a different solution, which is the one recommended by Google. This does not rely on any specific user-agent string, but has the cost of worsening the user experience: the user will have to log in in the Morph browser, then manually switch back to the application (or System Settings, if the account creation started from there). But this is what Google mandates. :-(

Testers are welcome: please install the ubuntu-system-settings-online-accounts deb package from here and the account-plugin-google from here. Please let me know how it works.
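As an added example (not the project's LoopbackServer class, nor any code from this thread), here is what a listener on the loopback RedirectUri from the google.provider file above has to check when the external browser redirects back with the authorization code: the path, an unguessable per-request `state`, and Google's `error` parameter. The client id, state and code values used in it are constructed placeholders.

```python
# Added example: loopback-redirect handling for the 'web_server' (authorization
# code) mechanism configured in google.provider. Not the project's own code.
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"  # Host + AuthPath
REDIRECT_URI = "http://localhost:6392/oauth_callback"         # RedirectUri
CALLBACK_PATH = "/oauth_callback"


def new_state():
    """Unguessable per-request value; the callback must echo it back."""
    return secrets.token_urlsafe(24)


def build_auth_url(client_id, scopes, state):
    """Authorization URL handed to the external browser."""
    params = {
        "response_type": "code",        # ResponseType in the provider file
        "client_id": client_id,         # constructed placeholder in the test
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "access_type": "offline",       # from AuthPath in the provider file
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(request_line, expected_state):
    """Validate the HTTP request line the browser sends to the loopback port
    and return the authorization code. Raises ValueError on anything else, so
    a stray or forged request on the port never yields a code."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        raise ValueError("not a GET request line")
    target = urlsplit(parts[1])
    if target.path != CALLBACK_PATH:
        raise ValueError("unexpected path: " + target.path)
    query = parse_qs(target.query)
    if "error" in query:                # Google reports a denied login here
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time compare: the callback must belong to the request we sent.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```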

@Fuseteam

@mardy Could Morph be opened via url-dispatcher, maybe? Though I guess the way back would be an open question.

@mardy (Member) commented Apr 22, 2021

> @mardy Could Morph be opened via url-dispatcher, maybe? Though I guess the way back would be an open question.

Morph opens fine already via url-dispatcher, the problem is on the way back.

@Fuseteam

> > @mardy Could Morph be opened via url-dispatcher, maybe? Though I guess the way back would be an open question.
>
> Morph opens fine already via url-dispatcher, the problem is on the way back.

Ah, sorry, misread.

@lduboeuf

Tested on my side on N5, so the sync is fine; the only thing is that we don't know in the app (e.g. contacts) if it's ok. I don't remember if we should see something under "Add google account".

@mardy (Member) commented Apr 22, 2021

> Tested on my side on N5, so the sync is fine; the only thing is that we don't know in the app (e.g. contacts) if it's ok. I don't remember if we should see something under "Add google account".

That has not been changed; unfortunately clear feedback has always been missing :-)

@nanu-c commented Apr 22, 2021

I have the same on Axolotl; I need to solve a reCAPTCHA on a specific page. Why not load a WebEngineView and catch the result?

@mardy (Member) commented Apr 23, 2021

> I have the same on Axolotl; I need to solve a reCAPTCHA on a specific page. Why not load a WebEngineView and catch the result?

Can you please explain better what is happening? Are you able to solve the captcha and continue, or what exactly is the problem?

@ShadowEO commented May 6, 2021

So changing the user-agent to Microsoft Edge's agent and restarting Unity 8, then attempting to add the Google account succeeds. It seems Google is blocking the Morph user-agent completely and some older Chromium user-agents as I had to find a recent one.

@Fuseteam commented Jul 7, 2021

I took a look at how Google redirects back to a site from another window on desktop. I noticed it makes use of a redirect_uri to bring the user back to the original site; could we use that to send the user back to the settings?
Here are a few (URL-decoded) examples I tested:

https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=72103009834-ccrvro0kt03tpd7vrsi0c7e3gqjmsl4a.apps.googleusercontent.com&redirect_uri=https://create.kahoot.it/auth/google/popup&response_type=id_token&scope=openid email profile&state=c28dc12d332349a09728765daa63d46e&nonce=b454624daa874277a665b9a504ad4482&prompt=select_account&display=popup&flowName=GeneralOAuthFlow
https://accounts.google.com/o/oauth2/auth/oauthchooseaccount?response_type=permission id_token code&scope=profile email&openid.realm&include_granted_scopes=true&redirect_uri=storagerelay://https/www.udemy.com?id=auth186180&client_id=700206021005-as1l679sch207mp70msgjhma1krf3k9q.apps.googleusercontent.com&ss_domain=https://www.udemy.com&gsiwebsdk=shim&access_type=offline&flowName=GeneralOAuthFlow

In all the cases I tested, redirect_uri and ss_domain seem to be the parts that truly differ.

@zubozrout

> Testers are welcome: please install the ubuntu-system-settings-online-accounts deb package ... and the account-plugin-google.

I finally gave it a try since missing calendar/contacts sync is quite painful and this is awesome, it works very well on MX4, thank you :). Hopefully this gets merged soon-ish to make the process easier. And since signing in a web browser has to be done separately this is especially convenient that I didn't actually have to enter my credentials all over again if already filled in a web browser.

mardy added a commit to mardy/account-plugins that referenced this issue Jul 16, 2021
Flohack74 pushed a commit to ubports/ubuntu-system-settings-online-accounts that referenced this issue Nov 21, 2021
* plugins: Add ErrorItem element to qmldir

This reverts commit a3df645 and
implements a proper solution.

* plugins: add LoopbackServer class

Taken from libauthentication to provide an easy way to account plugins
to install a loopback server.

* plugins: allow overriding the requestHandler in OAuth element

* plugins: don't start authentication with overridden request handler

If the requestHandler property has been overridden, do not start the
authentication. This is likely the desired behaviour.

* online-accounts-ui: add ExternalBrowserRequest for native browser

This will automatically be used when the final URL is on the localhost.
Plugins should use the LoopbackServer class to listen for accesses and
forward them to this class.

Contributes to: ubports/account-plugins#40
Flohack74 pushed a commit that referenced this issue Nov 22, 2021
* debian: use compat version 10

This allows running crossbuilder multiple times without having
dh-autoreconf complain about being run twice.

* google: Use a loopback URL, authenticate on the external browser

Contributes to: #40
@ivoxavier

It's working now.

Tested on FP2: devel channel image (2021-11-23/2)

@ivoxavier

Hi, it's been working correctly since 17 days ago for me.

Tested scenarios:
. Phone reflashed, setting up the Google account.
. Removed the Google account, then re-added it again; everything synced.
. Adding the Google account via the icon in the contacts app worked.
. Added the Google account via the System Settings app.

Since ubports/ubuntu-system-settings-online-accounts#18 is related to this issue: both are done.

Test info:
device: FP2
channel: devel (2021-12-06)

@Fuseteam

I can confirm I can log into Google via System Settings now.
