Sharing > Tumblr > Connect > Continue w/ Google returning an auth error
Expected behavior
User should be able to connect Tumblr account using Google auth
Actual behavior

Steps to reproduce the behavior
- Go to My Site > Sharing
- Tap on Tumblr
- Tap on Connect
- Tap Continue with Google
Moto G6, Android 10, WP 18.0-rc-2, also repro'd on a Pixel 3 using 17.9 Play Store version
The detailed error message from Google. Source: https://www.googleapis.com/auth/userinfo.emailopenid
You are receiving this error either because your input OAuth2 scope name is invalid or it refers to a newer scope that is outside the domain of this legacy API.
This API was built at a time when the scope name format was not yet standardized. This is no longer the case and all valid scope names (both old and new) are catalogued at https://developers.google.com/identity/protocols/oauth2/scopes. Use that webpage to lookup (manually) the scope name associated with the API you are trying to call and use it to craft your OAuth2 request.
I'll be starting my research using the developer link and I'll post details as I uncover them.
This appears to be an issue with Google no longer allowing login via embedded webviews (this article has more information - dated June 29, 2021). This is an issue for both Android and iOS. Both apps show the same error for Sharing -> Tumblr -> Connect -> Google Login (I tested the latest app versions PLUS went back to an APK from 2019).
Recapping my research:
- This issue is happening across app versions and affects both platforms (Android & iOS)
- It is probably safe to say that the feature (Sharing → Tumblr → Connect → Google Login) stopped working when Google made a change to their policy. We are just not sure when exactly that happened.
- The issue affects a subset of users (on Tumblr only). This was verified by checking out the trends for the wpios_publicize_service and wpandroid_publicize_service events over the last 90 days.
Below is a brief summary of the CONNECT flow (triggered by tapping Connect):
Launch a webview with a POST request to https://wordpress.com/wp-login.php with a post data packet as follows:
log={username}&pwd=&redirect_to=https://public-api.wordpress.com/connect/?action=request&kr_nonce={value}&nonce={value}&for=connect&service=tumblr&kr_blog_nonce={value}&magic=keyring&blog={blogId}&authorization={Bearer token}
This call redirects the webview to:
https://www.tumblr.com/login?redirect_to=/oauth/authorize?oauth_token={token}&oauth_callback=https://public-api.wordpress.com/connect/?magic=keyring&action=verify&kr_nonce={value}&nonce={value}&service=tumblr&state=58321497
The gist of the problem is that having an app (WPAndroid) use a webview to render a website that has a Google log-in is rubbing up against the Google OAuth security policy.
There are quite a few Stack Overflow articles about changing the user-agent to get around that issue, but I confirmed that this hack is no longer a viable solution.
The most helpful article I found was the Google developer blog post about Upcoming security changes to Google’s OAuth 2.0 authorization endpoint in embedded webviews.
Embedded webviews implementing or extending Android WebView do not comply with Google's secure browser policy for its OAuth 2.0 Authorization Endpoint.
Recommended Next Steps for research:
- Use Android Custom Tabs (may not be supported on all Android devices)
- AppAuth for Android (external library)
FYI: @startuptester
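To illustrate the first recommended next step (Custom Tabs, with the caveat that some devices lack a provider), here is an added Kotlin helper that is not part of the WPAndroid code base: it opens the authorization URL in a Chrome Custom Tab, which runs in a real browser and therefore is not an embedded WebView, and falls back to the system browser when no Custom Tabs provider is installed. The object name `OAuthLauncher` and the function names are hypothetical; the androidx.browser dependency is assumed to be present.

```kotlin
import android.content.ActivityNotFoundException
import android.content.Context
import android.content.Intent
import android.net.Uri
import androidx.browser.customtabs.CustomTabsClient
import androidx.browser.customtabs.CustomTabsIntent

// Hypothetical helper (not WPAndroid code): launches the Keyring/Tumblr authorization
// URL in a Custom Tab instead of a WebView, so the Google sign-in page sees a real
// browser. Assumes androidx.browser is on the classpath.
object OAuthLauncher {

    // Package name of a browser that exposes the Custom Tabs service, or null if none.
    fun customTabsProvider(context: Context): String? =
        CustomTabsClient.getPackageName(context, null)

    // Returns true when the authorization page was handed to a Custom Tab, false when
    // it had to fall back to a plain ACTION_VIEW intent (the "not supported on all
    // devices" caveat from the recap above).
    fun launchAuthorization(context: Context, authorizeUrl: String): Boolean {
        val uri = Uri.parse(authorizeUrl)
        // Never send credentials-bearing flows over plain http.
        require(uri.scheme == "https") { "Authorization URL must use https" }

        val provider = customTabsProvider(context)
        if (provider != null) {
            val tab = CustomTabsIntent.Builder()
                .setShowTitle(true)
                .build()
            // Pin the intent to the detected provider so another app that merely
            // claims the URL cannot intercept the authorization page.
            tab.intent.setPackage(provider)
            tab.launchUrl(context, uri)
            return true
        }

        // No Custom Tabs provider: hand off to the default browser. Deliberately no
        // WebView fallback, since that is exactly what Google's policy now rejects.
        try {
            context.startActivity(Intent(Intent.ACTION_VIEW, uri))
        } catch (e: ActivityNotFoundException) {
            throw IllegalStateException("No browser available for OAuth sign-in", e)
        }
        return false
    }
}
```

Completing the flow still requires a way for the app to learn that the callback to public-api.wordpress.com finished (for example an App Link back into the app), which this snippet does not cover.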
Hey @zwarm @startuptester 👋
Given I'm submitting 18.0 to Google today as scheduled, I'm tempted to move the issue milestone to 18.2 (since 18.1 will be frozen on Monday already).
But given the amount of work that seems to be required vs the number of affected users and impact/priority (from what I understand from the great reports and recaps above at least), I'm thinking maybe now that we have more information this issue needs to be re-triaged (i.e. set it to a low priority? And maybe move the milestone not to 18.1 nor 18.2, but an even later version? or groundskeeping?)
I'll put 18.2 for now so that the issue doesn't get lost when the 18.0 milestone is closed after today's submission and 18.1 gets frozen on Monday, but I'll let you update and adjust the labels and proper milestones appropriately considering ☝️ . Thanks!
Moved the milestone to "Future" as this needs to be re-prioritized given the recap and next steps from @zwarm above. @startuptester Feel free to adjust the labels, project and milestone of that issue to match if needed.