HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Aalk4308

no profile record

Submissions

Tell HN: Google OAuth consent screen issue could be costing you signups

179 points·by Aalk4308·il y a 2 ans·68 comments

Show HN: Flat – a minimalist teamwork app that protects focus (live demo)

6 points·by Aalk4308·il y a 2 ans·2 comments

comments

Aalk4308
·il y a 2 ans·discuss
They redesigned the sign in / account selection page earlier this year, but I haven't been able to find any material indicating they changed the OAuth consent screen as part of it (such as before/after screenshots), though it's certainly possible.
Aalk4308
·il y a 2 ans·discuss
Agreed that there's definitely something different in the behavior.

I looked through the HAR files I've captured comparing my company's app to Termly. After clicking "Continue", in both cases there's a redirect to a URL of the form https://accounts.google.com/signin/oauth/consent?as=redacted.... For my company's app, hitting that URL results in another redirect to my Auth0 tenant, whereas for Termly, hitting that URL results in HTML showing the loading indicator (no immediate redirect).

Why the difference? As you said, maybe it's something in the OAuth consent screen configuration (though there are no options I see that could explain it). Maybe it has to do with the age of the account.
Aalk4308
·il y a 2 ans·discuss
Very interesting. I just tried in Termly.io as well, and I do see the loading indicator you mentioned, albeit not _immediately_ (if I throttle the network speed, there is a delay before it appears). I captured a HAR file and am inspecting it to see if it has anything revealing about why the loading screen appears in some cases but not others.
Aalk4308
·il y a 2 ans·discuss
Both interesting ideas! I'll pass along in my ongoing chat with Auth0. At first thought, the security implications don't seem problematic.
Aalk4308
·il y a 2 ans·discuss
That's an interesting possible solution if you're in control of the server. If you're using a third-party vendor like Auth0 to handle the redirect callback, then of course you're beholden to their implementation.

In Auth0's case, it appears the nonce is consumed early in the handling of the callback. In my correspondence with them, I confirmed that they do see that the first request is aborted (in the form of a log), but they take no action as a consequence.
Aalk4308
·il y a 2 ans·discuss
Interesting! It's certainly possible there are additional factors at play beyond what I've found to this point.

Curiously, in all other apps I tested and mentioned, I don't see the screen changing to "loading" on them. Do you?

Meantime, I'm checking the OAuth consent screen settings to see if there's anything relevant.
Aalk4308
·il y a 2 ans·discuss
Thanks! We've worked hard to keep it simple rather dumping in lots of extra features.