Unable to reselect Google account

[altano]

If a user picks the wrong Google account or just doesn't have access, they'll get a "Not Authorized" 401. How do they reattempt authorization at that point?
I tried manually deleting the _forward_auth cookie both from example.com and oauth.example.com (I am using an AUTH_HOST as I have lots of subdomains) and that didn't work. Where else does this cookie persist? Can I somehow provide a "try again" button?

[thomseddon]

Deleting the CSRF cookie should be enough - I have noticed that this is a bit of a bug though (the cookie should deleted if the flow fails).

At the moment, if I do this I just type my original request in again to start the flow again I think if we complete the new redirect validation in #77 (I have picked this up this week) then this should be a safe and expected behaviour?

[altano]

Can you repro that deleting the cookie does NOT do anything and the cookie just gets set again on the next load of the Not Authorized page? I can repro in both Firefox and Chrome.

[altano]

I was curious what was going on under the covers so I snooped on the traffic with Fiddler. Here's what I'm seeing:

1. Delete _forard_auth cookie
2. Navigate to mydomain.com
3. traefik-forward-auth 307s me to https://accounts.google.com/o/oauth2/auth?client_id=.... UPDATE: this 307 includes a Set-Cookie header for _forward_auth_csrf=... and the redirect URL includes the following fields:
   1. client_id
   2. redirect_uri
   3. response_type
   4. scope
   5. state
4. That URL gives me a 302 Found which sends me to https://accounts.google.com/signin/oauth?client_id=...
5. That URL gives me a 302 Moved Temporarily to https://oauth.mydomain.com/_oauth?state=.... This 302 includes a Set-Cookie for both _forward_auth and _forward_auth_csrf
6. By here I'm back on my page, I have the 401 Unauthorized, and the _forward_auth cookie is set again.

At no point was I given the Google login prompt, I progressed through all the steps above automatically.

[altano]

Okay so one more tidbit: I don't understand what is maintaining my being logged in here, and I can't find any affordance in the OAuth spec for the requesting server (as opposed to the authorizing server) to reject the token based on the credentials, so I don't know how this is supposed to work.

I'm sure you know how the flow progresses and what is going wrong here, but I'll add one more tidbit I'm seeing: Google's API has an affordance for the requester to specify that they'd like to retrigger the account select. By specifying prompt: select_account along with the other params in the 307, instead of just blindly redirecting Google will instead present the account selection prompt. I was able to test this by tampering with the /o/oauth2/auth and injecting this param and it totally works.

[thomseddon]

Yep, the default behaviour by Google is to automatically select the last selected auth if the session is still active.

There's an argument that prompt: select_account should be the default behaviour. Although it means that your login isn't cached - you only need to login when your traefik-forward-auth cookie has expired or been removed. In the first case (cookie expired) unless you have modified your tfa cookie expiration, your google session will have expired so you will need to select the account anyway (this is the behaviour I see anyway). In the second care (cookie removed) - your probably doing this as something has gone wrong and you either want to select your login again, or it's certainly not an inconvenience if you do have too.

So, I think this prompt should be added by default - happy for any other feedback!

[altano]

I was actually thinking it would happen whether the cookie was removed or not as long as the user wasn’t authorized despite receiving a token successfully from google. You’d have to prevent a redirect loop because on the initial failure you’d want to show Not Authorized but on subsequent navigations you’d want to provide the account selector. I think.

Right now the behavior for my users is “get stuck on 403 page and have no recourse” so anything would be better than that.

[thomseddon]

Yep, my first comment regarding deleting the CSRF cookie was wrong - google will maintain the account previously selected until the session expires (so you just have to wait).

I would like to make prompt: select_account the default behaviour based on the justification here: #103 (comment)

This is a change in behaviour, but I don't believe it's "backwards incompatible" as I view the current situation as a bug, so I will aim to land this soon.

[altano]

That roughly sounds good but there's one piece I'm missing: when will you trigger the redirect to Google's auth server and when will you let them through to the Not Authorized page?

Will you ALWAYS send unauthorized users back to the Google auth server with prompt: select_account, even on the first login attempt that fails? I think that sounds fine to me.

Thanks again btw for both this package and investigating this issue with me. It is extremely appreciated.