IAR Frontend - Can't login in Safari

Attempting to sign in in Safari takes you back to the sign in screen

changed milestone to %DevOps Sprint 105

added 1 deleted label

changed time estimate to 1d

changed milestone to %DevOps Sprint 106

added spike workflowSprint Ready labels and removed 1 deleted label

added priority3 Low label

mentioned in issue #33 (closed)

assigned to @rp431

added workflowIn Progress label and removed workflowSprint Ready label

mentioned in commit 48adab18

mentioned in merge request !27 (merged)

added workflowReview Required label and removed workflowIn Progress label

Turns out Safari's new Intelligent Tracking Protection breaks redirect based authentication because it won't allow the cookie to be set. Instead we use popup based authentication, this doesn't seem to be blocked in Chrome, Firefox, or Safari

For reference this is the description of the problem: https://github.com/google/google-api-javascript-client/issues/342

added 2h of time spent at 2020-10-06

added workflowRework label and removed workflowReview Required label

Can't merge this until https://gitlab.developers.cam.ac.uk/uis/devops/iar/webapp/-/merge_requests/26 is merged (There's a build failure that is unrelated to my changes)

Rebased and build is now successful, ready for review again

added workflowBlocked label and removed workflowRework label

mentioned in commit afb2befb

added workflowReview Required label and removed workflowBlocked label

It might actually be possible to continue to use redirects... but the redirects need to pass auth tokens back via a url fragment, not via a cookie. Need to check the gapi client library to see if that is something we can do.

This website had some interesting thoughts on redirect vs popup: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas

In particular "Browsers are decreasing support for popups, so they may not be the most reliable option."

Only an id_token is passed back by google in the url. We could pass this to our server to exchange with google for an access_token but this would require server changes.

added workflowSprint Ready label and removed workflowReview Required label

unassigned @rp431

changed milestone to %DevOps Sprint 107

assigned to @rp431

added workflowIn Progress label and removed workflowSprint Ready label

mentioned in commit cddeaae1

added workflowReview Required label and removed workflowIn Progress label

mentioned in commit 03737a43

closed with merge request !27 (merged)

mentioned in commit be56149d

Tested in browserstack and smoke-tested in staging with real Safari in private browsing mode. Deploying to prod.

added 1h 30m of time spent at 2020-10-27