
Issue 840645

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




chrome.identity.getAuthToken expires after 1 hour when chosen account doesn't match profile

Reported by nicho...@jitkoff.com, May 8 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce the problem:
1. Request a token using chrome.identity.getAuthToken
2. Sign in using an account that *doesn't match the chrome profile*
3. Wait 1 hour

This extension exhibits this problem: https://chrome.google.com/webstore/detail/hourglass-new-tab-page/elooagmcjnlehboajccbdpedpcnicjch

What is the expected behavior?
Requesting an updated token using chrome.identity.getAuthToken after 1 hour should succeed without interaction. 

What went wrong?
Fetching a new token requires sign-in again if the account doesn't match the profile.

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 66.0.3359.139  Channel: stable
OS Version: OS X 10.13.4
Flash Version: 

The behavior appears to be clearly repeatable: when the profile and the chosen login account match, the token refresh works well. When they don't match, interaction is required after 1hr. I can
 
Attachment: hourglass-test.zip (3.9 KB)
Labels: Needs-Triage-M66
Cc: rdevlin....@chromium.org
Components: Platform>Extensions>API
Status: Untriaged (was: Unconfirmed)
Mac triage: tagging for Extensions triage
Owner: msarda@chromium.org
Status: Assigned (was: Untriaged)
-> msarda@ for identity triage.

Comment 4 by msarda@chromium.org, May 23 2018

Status: WontFix (was: Assigned)
By design, the Google auth access token is short lived and its time to live is 1 hour. So you may use it for one hour.

Chrome does not have an OAuth refresh token for the secondary account, so the user will need to reauthenticate for the other account on each attempt to fetch a new access token.
If this is by design, then Chrome should not support the selection of a secondary account in chrome.identity.getAuthToken. (Or should warn users)

It is misleading and results in a poor user experience for anyone who has more than one account. As it is, it encourages use of either, without any clear messaging as to why the auth token expires in one case but not the other. Developers have no way of disabling alternate accounts, and it is not clear that the token returned is short-lived.

I recommend that the documentation at https://developer.chrome.com/identity be updated to indicate that this case exists, and that user interaction will be required every hour. (It took a lot of effort to understand why this was happening for a random set of users)

For the time being I'll revert to using chrome.identity.launchWebAuthFlow, which is not intended for Google sign-in, but appears to be the best way to accomplish this properly within an extension.

Thank you for your help!
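The following is an added example, not code from this issue or from the Hourglass extension, illustrating how an extension can cope with the behaviour the thread describes: a silent chrome.identity.getAuthToken call keeps working for the profile account, but for a secondary account the silent path fails once the one-hour access token has expired, and only an interactive prompt yields a new one. The `chrome` object is injected so the same helper runs in the browser and, here, against a constructed fake (`makeFakeChrome`, `simulateAfterOneHour`, the token strings and the error message are all constructed for the example); `HTTP_UNAUTHORIZED` stands in for the 401 a Google API returns for an expired token.

```javascript
const HTTP_UNAUTHORIZED = 401;

// Promise wrapper over the callback API. Extension APIs report failure through
// chrome.runtime.lastError rather than by throwing, so it is checked explicitly.
function getAuthTokenAsync(chrome, interactive) {
  return new Promise((resolve) => {
    chrome.identity.getAuthToken({ interactive }, (token) => {
      const err = chrome.runtime.lastError;
      if (err || !token) resolve({ token: null, error: err ? err.message : "no token returned" });
      else resolve({ token, error: null });
    });
  });
}

function removeCachedTokenAsync(chrome, token) {
  return new Promise((resolve) => chrome.identity.removeCachedAuthToken({ token }, () => resolve()));
}

// Runs `request(token)` (resolves to an HTTP status) with a silently obtained token. On 401 the
// cached token is evicted and one silent refresh is attempted; only when the silent path is
// exhausted does it fall back to an interactive prompt, and only if the caller allows that.
// `interactive` in the result tells the UI whether the user had to be prompted, which is the
// signal needed to explain the hourly re-authentication to users on a secondary account.
async function callWithToken(chrome, request, { allowInteractive = false } = {}) {
  let { token } = await getAuthTokenAsync(chrome, false);
  if (token) {
    let status = await request(token);
    if (status !== HTTP_UNAUTHORIZED) return { ok: true, status, interactive: false };
    await removeCachedTokenAsync(chrome, token);          // Chrome hands back the stale token until evicted
    ({ token } = await getAuthTokenAsync(chrome, false)); // profile account: refreshed; secondary: fails
    if (token) {
      status = await request(token);
      if (status !== HTTP_UNAUTHORIZED) return { ok: true, status, interactive: false };
      await removeCachedTokenAsync(chrome, token);
    }
  }
  if (!allowInteractive) return { ok: false, reason: "silent refresh unavailable", interactive: false };
  ({ token } = await getAuthTokenAsync(chrome, true));
  if (!token) return { ok: false, reason: "user declined sign-in", interactive: true };
  const status = await request(token);
  return { ok: status !== HTTP_UNAUTHORIZED, status, interactive: true };
}

// Constructed fake of the chrome.identity surface used above plus a stand-in API endpoint.
// profileAccount=true: a silent call after eviction mints a fresh token (Chrome holds a refresh
// token). profileAccount=false: the silent call fails; only an interactive call mints a token.
function makeFakeChrome({ profileAccount, tokenLifetimeMs = 3600 * 1000 }) {
  let now = 0, serial = 0, cached = null;
  const issued = new Map(); // token -> expiry, as the authorization server sees it
  const chrome = {
    runtime: { lastError: null },
    identity: {
      getAuthToken({ interactive }, cb) {
        chrome.runtime.lastError = null;
        if (cached) return cb(cached); // cached token is returned even after it has expired
        if (profileAccount || interactive) {
          cached = `constructed-token-${++serial}`;
          issued.set(cached, now + tokenLifetimeMs);
          return cb(cached);
        }
        chrome.runtime.lastError = { message: "constructed: no refresh token for secondary account" };
        cb(undefined);
      },
      removeCachedAuthToken({ token }, cb) { if (cached === token) cached = null; cb(); },
    },
    advanceClock(ms) { now += ms; },
    request(token) {
      const exp = issued.get(token);
      return Promise.resolve(exp !== undefined && now < exp ? 200 : HTTP_UNAUTHORIZED);
    },
  };
  return chrome;
}

// Reproduces the report's steps: sign in (interaction allowed), wait an hour, fetch a token again.
async function simulateAfterOneHour({ profileAccount, allowInteractive }) {
  const chrome = makeFakeChrome({ profileAccount });
  const first = await callWithToken(chrome, chrome.request, { allowInteractive: true });
  chrome.advanceClock(3600 * 1000 + 1);
  const second = await callWithToken(chrome, chrome.request, { allowInteractive });
  return { first, second };
}

if (typeof require !== "undefined" && require.main === module) {
  Promise.all([
    simulateAfterOneHour({ profileAccount: true, allowInteractive: false }),
    simulateAfterOneHour({ profileAccount: false, allowInteractive: false }),
    simulateAfterOneHour({ profileAccount: false, allowInteractive: true }),
  ]).then((results) => console.log(JSON.stringify(results, null, 2)));
}
```

With the fake, the profile-account run refreshes silently after the hour, while the secondary-account run fails silently unless `allowInteractive` is set, matching the two cases the reporter observed. In a real extension the `request` argument would be the `fetch` call against the Google API, and a background script would typically run the silent path on a timer and surface the `interactive: true` outcome as a user-visible prompt rather than prompting from the background.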

