Public bug reported:

Current handling of OAuth tokens in the system is quite poor, especially
in failure cases.

The way webapp authentication works via online-accounts is a complete
facade. The OAuth tokens are not even used; instead the cookies are
copied from the account plug-in's web view and stored under ~/.config/
for the app. This means that when the cookies expire, and you still have
an account configured, you end up being presented with a logged-out
experience on the web site, depending on what URL is being used and
what site it is. For example, on Untappd it has happened several times
that, despite my account existing and enabled in system settings, upon
opening Untappd I have been presented with the page requiring me to log
in. In Twitter, one is simply redirected to a fairly simplistic page
requesting entry of username and password, with no explanation at all.

Conversely, if for these services, one does go to the site's settings
page, and revokes access for the OAuth token, absolutely nothing
changes. The online accounts UI does not pop up requiring one to log in
again. The app will continue working just fine, until the cookies in
question expire, the webapp's configuration is deleted, or the account
is removed.

Furthermore, in scopes which do use the account, behavior is very
unacceptable when a token is revoked/expired on the server side. For
example, if one opens the YouTube scope, and logs in, everything seems
to be fine. But if one goes to
https://security.google.com/settings/security/permissions for the
account in question, and revokes the token access for Ubuntu to use
YouTube, the result upon refresh of the scope is a blank view. There is
no way to log in again. There are no videos to watch. All that appears
in the scope-registry.log for this situation is the following:

YouTube scope is authenticated
Something weird happened
ERROR: HTTP request timeout
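Added example, not code from the bug report or from the Ubuntu online-accounts or scope projects: the token-handling logic the report finds missing, written as a small Python client. A resource-server reply is classified per RFC 6750 (a 401 carrying `error="invalid_token"` means the token is expired or revoked), a refresh attempt is classified per RFC 6749 section 5.2 (`invalid_grant` means the refresh token itself is dead), and only a genuine network failure is reported as transient. The `Account` store and `FakeProvider` transport are constructed assumptions standing in for the real account service and the real API; none of the names are from the page.

```python
# Added example: react to a revoked OAuth token by flagging the account for
# re-login instead of rendering a blank view and logging a generic timeout.
# Account, FakeProvider and the token strings are constructed assumptions.
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    OK = "ok"                 # response usable, token still valid
    NEEDS_REAUTH = "reauth"   # token revoked or expired: prompt the user to log in again
    TRANSIENT = "transient"   # network or server problem: retry later, keep the token


@dataclass
class Account:
    provider: str
    access_token: Optional[str]
    refresh_token: Optional[str]
    needs_reauth: bool = False


_BEARER_ERROR = re.compile(r'error="([a-z_]+)"')


def classify_resource_response(status: int, headers: dict) -> Outcome:
    """Classify a resource-server reply made with a Bearer token (RFC 6750 3.1)."""
    if status == 0:               # no response at all (timeout / connection failure)
        return Outcome.TRANSIENT
    if 200 <= status < 300:
        return Outcome.OK
    if status == 401:
        # RFC 6750: error="invalid_token" signals an expired or revoked token.
        # A 401 without a parseable error is still a credential failure.
        m = _BEARER_ERROR.search(headers.get("WWW-Authenticate", ""))
        if m is None or m.group(1) == "invalid_token":
            return Outcome.NEEDS_REAUTH
        return Outcome.NEEDS_REAUTH
    if status >= 500:
        return Outcome.TRANSIENT
    return Outcome.OK             # other 4xx codes are application errors, not credential errors


def classify_token_response(status: int, body: dict) -> Outcome:
    """Classify a token-endpoint (refresh) reply (RFC 6749 section 5.2)."""
    if status == 200 and "access_token" in body:
        return Outcome.OK
    if status == 400 and body.get("error") == "invalid_grant":
        # The refresh token was revoked or expired: refreshing will never succeed again.
        return Outcome.NEEDS_REAUTH
    return Outcome.TRANSIENT


class FakeProvider:
    """Constructed stand-in for a provider's API and token endpoint (not a real service)."""

    def __init__(self) -> None:
        self.revoked = False      # flip to simulate the user revoking access server-side

    def get_resource(self, token: Optional[str]):
        if self.revoked or token != "at-valid":
            return 401, {"WWW-Authenticate": 'Bearer realm="example", error="invalid_token"'}, None
        return 200, {}, {"videos": ["v1"]}

    def refresh(self, refresh_token: Optional[str]):
        if self.revoked or refresh_token is None:
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": "at-valid"}


def fetch_with_account(account: Account, provider: FakeProvider):
    """Fetch a resource; refresh once on a bad token; flag the account if refresh is dead."""
    status, headers, body = provider.get_resource(account.access_token)
    outcome = classify_resource_response(status, headers)
    if outcome is not Outcome.NEEDS_REAUTH:
        return outcome, body

    # Try a silent refresh before bothering the user.
    status, tbody = provider.refresh(account.refresh_token)
    tok_outcome = classify_token_response(status, tbody)
    if tok_outcome is Outcome.TRANSIENT:
        return Outcome.TRANSIENT, None
    if tok_outcome is Outcome.OK:
        account.access_token = tbody["access_token"]
        status, headers, body = provider.get_resource(account.access_token)
        if classify_resource_response(status, headers) is Outcome.OK:
            return Outcome.OK, body

    # Refresh is permanently dead: drop the stale credentials and ask for a new login.
    account.access_token = None
    account.refresh_token = None
    account.needs_reauth = True
    return Outcome.NEEDS_REAUTH, None
```

The important design point is the split between `NEEDS_REAUTH` and `TRANSIENT`: the UI can only show a "log in again" prompt if the client distinguishes a revoked token from a dropped connection, which is exactly what the generic "HTTP request timeout" line in the log fails to do.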

** Affects: canonical-devices-system-image
     Importance: Undecided
         Status: New

** Affects: unity-scope-youtube
     Importance: Undecided
         Status: New

** Affects: ubuntu-system-settings-online-accounts (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: unity-scope-youtube
   Importance: Undecided
       Status: New

** Also affects: canonical-devices-system-image
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-system-settings-
online-accounts in Ubuntu.
https://bugs.launchpad.net/bugs/1594841

Title:
  Systemic failure in handling of OAuth revocations

Status in Canonical System Image:
  New
Status in YouTube Scope:
  New
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1594841/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp