New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 677887 link

Starred by 41 users

Issue metadata

Status: WontFix
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Chromium Anrdoid - Sign-in / sync not working

Reported by devinlam...@gmail.com, Jan 3 2017

Issue description

Steps to reproduce the problem:
1. Build Chromium for Android from source with API keys (either current stable or canary/master)
2. Attempt to sign into your Google account

What is the expected behavior?
You should be signed into your Google account and data should sync to browser

What went wrong?
Sign in will appear to work however it will eventually give you an error asking you to "update your sign-in details" even though they are correct.

Checking logs on Android, you will see:

cr_sync_Signin Failed to perform auth task
cr_sync_Signin org.chromium.components.signin.AuthException: com.google.android.gms.auth.a: INVALID_SCOPE

Also, checking signin-internals, under "sync" you will see the following error: "Failure: invalid credentials"

Under sync-internals you will see: SYNC_AUTH_ERROR

Did this work before? Yes 

Chrome version: 55.0.2883.91  Channel: stable
OS Version: 7.1
Flash Version: N/A

Note: the credentials are correct in all situations. I have tested the same API keys building the desktop version of Chromium with success (signin works as intended).
 
signin-internals.png
241 KB View Download
sync-internals.png
213 KB View Download
Signin-Credentials.png
152 KB View Download

Comment 1 Deleted

Can confirm the same issue on my builds. Hope Google it's not blocking the sync api...
Same on my builds

Comment 4 by bpnoo...@gmail.com, Jan 3 2017

Can confirm the same issue on every chromium based build i have tried so far.

Comment 5 by s...@chromium.org, Jan 3 2017

Components: Services>SignIn

Comment 6 by moham...@sarraf.ca, Jan 4 2017

I have the same problem since the past 2 weeks
Cc: maxbogue@chromium.org ew...@chromium.org
Cc: anthonyvd@chromium.org

Comment 9 by ew...@chromium.org, Jan 5 2017

Cc: bzanotti@chromium.org zea@chromium.org msarda@chromium.org
+on-call sign-in triager

zea@ - could this have anything to do with the changes we made to the sync scoped refresh tokens?
Same on my builds
same here, can't sync contacts
Owner: zea@chromium.org
Zea,

Ping for comment #9.

Thanks,
Labels: Restrict-View-Google
I think this is a result of the recent change to sync scoped refresh tokens as Eli suggests. The change, which set a flag named disallowed_on_consent_page to true, made it so that only first party apps can request the chromesync scope. This works fine for official builds, but dev builds won't be recognized as first party unless they're whitelisted. Following the example of the zine team, I think our next step is to create a whitelist group and configure it to ignore the problematic flag. Then anyone needing to use the chromesync API from a dev build can be added to the group.
Status: Untriaged (was: Unconfirmed)

Comment 15 by ew...@chromium.org, Jan 11 2017

Owner: ew...@chromium.org
Status: Assigned (was: Untriaged)
Re-assigning to myself for now
This didn't repro for my local build of android, although I'm not sure why. I don't  fully understand the logic that distinguishes between 1P and 3P apps. I will ask the FI team. 
@pnoland - that was my result as well, however, I determined that if your builds were working *before* this change, they will continue to work unless you wipe your phone or change the apk package name.

Comment 18 by zea@chromium.org, Jan 12 2017

Owner: pnoland@chromium.org
Reassigning to Patrick to investigate how reliable this repros, and difference between Android and Desktop behavior.
After more investigation and a repro, the scope of this more or less as devinlamothe@gmail.com describes; Android-specific, and only if you haven't granted the chromesync scope to the app. 

Desktop and Android differ in how they are granted access to various oauth scopes. Android uses GMSCore, which for non-first party builds pops a consent dialog when signing into chromium. It first checks that the requested scopes are valid, which fails now that chromesync isn't allowed on the consent dialog. Official builds don't pop the dialog, so they bypass the issue. 

Practically speaking, anyone who wants to use sync with their android dev builds will either need to use only accounts with the scope already granted or be added to a whitelist. 
Thanks pnoland@chromium.org, that is what I figured. Any idea how the white-list is going to work? There are numerous third party Chromium browsers on the Play Store that include sync. Will end users who want to use chrome sync need to register for the list, or will the dev just need to register? Thanks again for looking into this.
The unfortunate thing about the (current) whitelist approach is that it works only for manually configured groups of users. Third party apps wouldn't be able to automatically add their users, nor would we be able to add them all manually.  I'm going to investigate alternatives to this approach.

Comment 22 by ew...@chromium.org, Jan 23 2017

Status: WontFix (was: Assigned)
An update for everyone:

We locked down access to chromesync scoped refresh tokens to address a security vulnerability. When we did so, we knew that this may break some 3P browsers which made use of chromesync scoped refresh tokens to leverage Chrome Sync for their users.

Chrome Sync has never officially been supported for 3P browsers. We do not intend to create a solution by which 3P browsers can whitelist themselves or their users so that they can get chromesync scoped refresh tokens. Note that Chromium for Android is technically considered a 3P browser.

Marking as WontFix, accordingly.
 Issue 688028  has been merged into this issue.
Labels: -Restrict-View-Google

Comment 25 Deleted

Comment 26 Deleted

Is there a way to manually add Chromium for Android to the whitelist if I have root access on my device? 
No, the whitelist is server-based.
Sync isn't working
Screenshot_20180412-174956.png
143 KB View Download
If that is from a third party Chromium browser, sync will not work.

Comment 31 Deleted

Sign in to add a comment