HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Aalk4308

no profile record

Submissions

Tell HN: Google OAuth consent screen issue could be costing you signups

179 points·by Aalk4308·2 anni fa·68 comments

Show HN: Flat – a minimalist teamwork app that protects focus (live demo)

6 points·by Aalk4308·2 anni fa·2 comments

comments

Aalk4308
·2 anni fa·discuss
They redesigned the sign in / account selection page earlier this year, but I haven't been able to find any material indicating they changed the OAuth consent screen as part of it (such as before/after screenshots), though it's certainly possible.
Aalk4308
·2 anni fa·discuss
Agreed that there's definitely something different in the behavior.

I looked through the HAR files I've captured comparing my company's app to Termly. After clicking "Continue", in both cases there's a redirect to a URL of the form https://accounts.google.com/signin/oauth/consent?as=redacted.... For my company's app, hitting that URL results in another redirect to my Auth0 tenant, whereas for Termly, hitting that URL results in HTML showing the loading indicator (no immediate redirect).

Why the difference? As you said, maybe it's something in the OAuth consent screen configuration (though there are no options I see that could explain it). Maybe it has to do with the age of the account.
Aalk4308
·2 anni fa·discuss
Very interesting. I just tried in Termly.io as well, and I do see the loading indicator you mentioned, albeit not _immediately_ (if I throttle the network speed, there is a delay before it appears). I captured a HAR file and am inspecting it to see if it has anything revealing about why the loading screen appears in some cases but not others.
Aalk4308
·2 anni fa·discuss
Both interesting ideas! I'll pass along in my ongoing chat with Auth0. At first thought, the security implications don't seem problematic.
Aalk4308
·2 anni fa·discuss
That's an interesting possible solution if you're in control of the server. If you're using a third-party vendor like Auth0 to handle the redirect callback, then of course you're beholden to their implementation.

In Auth0's case, it appears the nonce is consumed early in the handling of the callback. In my correspondence with them, I confirmed that they do see that the first request is aborted (in the form of a log), but they take no action as a consequence.
Aalk4308
·2 anni fa·discuss
Interesting! It's certainly possible there are additional factors at play beyond what I've found to this point.

Curiously, in all other apps I tested and mentioned, I don't see the screen changing to "loading" on them. Do you?

Meantime, I'm checking the OAuth consent screen settings to see if there's anything relevant.
Aalk4308
·2 anni fa·discuss
Thanks! We've worked hard to keep it simple rather dumping in lots of extra features.