
<pwa-auth> – Sign in with Google fails when Block third-party cookies or InPrivate browsing is turned on #3286

Closed
CetinSert opened this issue Aug 13, 2022 · 11 comments

Comments

CetinSert commented Aug 13, 2022


👉🏻⏬ Skip straight down to the fix PoC ⏬👈🏻


What happened?

Sign in with Google fails when Block third-party cookies is turned on under edge:https://settings/content/cookies.

How do we reproduce the behavior?

  1. Go to edge:https://settings/content/cookies
  2. Turn on Block third-party cookies
  3. Try to Sign in with Google
    You can try it with us at https://rt.ht

What do you expect to happen?

Sign in with Google should succeed without failure.
Sign in with all 3 other identity providers still work when Block third-party cookies is turned on.

What environment were you using?

OS: Windows 11
Browser: Edge
Version: 104

Additional context

Sign in with Google fails when Block third-party cookies is turned on under edge:https://settings/content/cookies with the following signin-completed event.detail:

```json
{ "error": { "error": "popup_closed_by_user" }, "provider": "Google" }
```

This also happens with InPrivate browsing.

@maraah1 maraah1 self-assigned this Aug 16, 2022
maraah1 (Collaborator) commented Aug 18, 2022

Hello, unfortunately Google sign in will not work when third party cookies are disabled.

@maraah1 maraah1 closed this as completed Aug 18, 2022
CetinSert (Author) commented:

> Hello, unfortunately Google sign in will not work when third party cookies are disabled.

Wow ... really? Is this documented somewhere? Thank you for looking into it!

CetinSert (Author) commented Aug 18, 2022

@maraah1 – can we at least keep the issue open so that it gets attention in the future as Chrome-like browsers will disable third-party cookies by default in the coming months? Please note that there are other projects on GitHub that have similar issues left open because they could not actually fix it and are now waiting for either a breakthrough or a sign in flow change from Google itself.

@maraah1 maraah1 reopened this Aug 18, 2022
maraah1 (Collaborator) commented Aug 18, 2022

Hey, sure, we can keep this open until changes are implemented.

CetinSert (Author) commented Aug 18, 2022

@maraah1 – thank you for re-opening!


For anyone reading this, this seems to be the authoritative reference on it (specifically, the oauth-2.0 part):
https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#oauth-2.0-endpoints_1

CetinSert (Author) commented Aug 18, 2022

@maraah1
Dear Mara'ah,
I have made an interesting discovery!

Please follow these steps once:

  1. Go to https://pwa-auth-list.glitch.me/
    (Also works on our next-gen web playground at //rt.ht !!)
  2. Open developer tools console
  3. Execute: addEventListener('message', e => console.warn(e));
  4. Sign in with Google

We get 2 messages (also an error in between) AND the 2nd message has the complete JWT id_token with our login info!

1st Message

```json
{"method":"fireIdpEvent","params":{"type":"idpError","error":"Cookies are not enabled in current environment."},"rpcToken":"307848700.204509"}
```

Error

```text
Uncaught {error: 'idpiframe_initialization_failed', details: 'Cookies are not enabled in current environment.'}
(anonymous) @ cb=gapi.loaded_0?le=scs:3502
setTimeout (async)
_.ij @ cb=gapi.loaded_0?le=scs:3501
(anonymous) @ cb=gapi.loaded_0?le=scs:3947
zj @ cb=gapi.loaded_0?le=scs:3676
Promise.then (async)
uj @ cb=gapi.loaded_0?le=scs:3665
_.yj @ cb=gapi.loaded_0?le=scs:3656
Yj @ cb=gapi.loaded_0?le=scs:3910
Aj @ cb=gapi.loaded_0?le=scs:3870
(anonymous) @ cb=gapi.loaded_0?le=scs:3697
(anonymous) @ cb=gapi.loaded_0?le=scs:11548
qu.dispatchEvent @ cb=gapi.loaded_0?le=scs:9461
_.nv.ct @ cb=gapi.loaded_0?le=scs:10364
(anonymous) @ cb=gapi.loaded_0?le=scs:10169
Pu @ cb=gapi.loaded_0?le=scs:9868
_.g.P1 @ cb=gapi.loaded_0?le=scs:10090
_.g.K2 @ cb=gapi.loaded_0?le=scs:10055
(anonymous) @ cb=gapi.loaded_0?le=scs:10125
VM1749:1
```

2nd Message 👈 👇

Copy paste the id_token from the 2nd message (seen right below) at //jwt.io!

```json
{
  "method": "fireIdpEvent",
  "params": {
    "type": "authResult",
    "clientId": "535371030919-i0fns6kc49ovit7cob0k7cbpste49ksk.apps.googleusercontent.com",
    "id": "auth959432",
    "authResult": {
      "scope": "email profile https://www.googleapis.com/auth/userinfo.profile openid https://www.googleapis.com/auth/userinfo.email",
      "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3MjdiNmI0OTQwMmI5Y2Y5NWJlNGU4ZmQzOGFhN2U3YzExNjQ0YjEiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXpwIjoiNTM1MzcxMDMwOTE5LWkwZm5zNmtjNDlvdml0N2NvYjBrN2NicHN0ZTQ5a3NrLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiYXVkIjoiNTM1MzcxMDMwOTE5LWkwZm5zNmtjNDlvdml0N2NvYjBrN2NicHN0ZTQ5a3NrLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTAyNjI4NDU1NDkwOTAxOTQ1MjYyIiwiZW1haWwiOiJjZXRpbi5zZXJ0QGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJpYXQiOjE2NjA4NDY0MDgsImV4cCI6MTY2MDg1MDAwOCwianRpIjoiZTYwZWZkOGM3Yjk5YzFiMmE0ZWUyY2FkNjg5M2MyMzMwOTAzY2M5MyJ9.Z8qRdjuxVxNWwb1B6FgSq8S0VPbTQFoStrv50ShBEPk4xg94QfRL84ZR2HBS_94qyAjP1yc19OfjShQdj1pSus53ndH5CW3svRysCV34eaBJYj4IxPKJitl7sv1n8rZY1FlKRGpOSJnN2STpWDe3lPUwQaN5--I0S3ow0U_Jeysmm1oerFQyVyqje-cIzmOjo5TAYGdhj8Q_mkUQ2NhadUk1_qi9-zgEmiBoc3sd_mG5Q3TA-EX97P2qXxhFpYFpCtWAaCtshSESB1QbLainMQAbfVlxm3zP8jOYaWk59Of0MPeGyFAaoD7LUFnMF7xRq1u4D96t_i4iSdNPXtVLvQ",
      "login_hint": "AJDLj6L0FTeCIZ8mrYfJzErz5Pk7pYgIN71wgpUXbc3wPEnACUzY3WJ-Ye0YfHzefMUEA85Tlr0NsolXfnAdICMrFAbXsQHX6R6zhlErEm-cWTtrRY6wbbI",
      "client_id": "535371030919-i0fns6kc49ovit7cob0k7cbpste49ksk.apps.googleusercontent.com"
    }
  }
}
```

I think this concludes it! We do have a workaround.

How likely are we to have this in <pwa-auth> proper quickly?


Confirmed on these browsers: (can add more)

  • Edge
    • Block third-party cookies
    • InPrivate Browsing
  • Firefox
    • Private mode

CetinSert (Author) commented Aug 19, 2022

I have done a quick PoC!

  • create an intercept/proxy server
    • intercept /google-provider-e3c8088c.js to serve a modified version
      • handle user cancellations (say, by closing the oauth popup)
      • handle regular logins in the same way
      • handle strict privacy mode logins with a reduced response
        ➖ without name, imageUrl
        ✅ You already accept a reduced response for Apple logins
    • proxy other paths unmodified from https://cdn.jsdelivr.net/npm/@pwabuilder/pwaauth@latest/dist

The above is now live on our playground at https://rt.ht 👈🏻
It works for all cases! @maraah1 – please see for yourself!


How to test it on pwa-auth-list.glitch.me:
  1. Go to https://pwa-auth-list.glitch.me/
  2. Edit the HTML in DevTools > Sources to apply this single-line change:
```diff
- <script type="module" src="https://cdn.jsdelivr.net/npm/@pwabuilder/pwaauth@latest/dist/pwa-auth.min.js"></script>
+ <script type="module" src="https://ic.rt.ht/pwa-auth.min.js"></script>
```
  3. Use the edited HTML file with DevTools > Overrides

In simpler words, I have

  • modified 1 file: /google-provider-e3c8088c.js
    • handled existing (cancellation/login) cases exactly the same way
    • handled the new strict privacy mode case with a reduced response

and I will

  • send a pull request with the cleaned up PoC

soon™ 😎
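As an added example (my own code, not part of this thread or of pwa-auth), this is how the message-listener discovery above and the reduced-response PoC in this comment can be implemented defensively: the page accepts fireIdpEvent messages only from Google's auth frame (assumed here to be https://accounts.google.com), decodes the id_token payload and checks iss, aud and exp before building the reduced profile without name or imageUrl. SAMPLE_CLIENT_ID and the sample token are constructed placeholders.

```javascript
// Added example, not pwa-auth's own code: consume the gapi "fireIdpEvent" postMessage
// traffic seen in the thread and build the reduced response (no name/imageUrl).
// Assumption: the auth iframe posts from https://accounts.google.com.
const EXPECTED_ORIGINS = new Set(['https://accounts.google.com']);
const ISSUERS = new Set(['accounts.google.com', 'https://accounts.google.com']);

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return new TextDecoder().decode(Uint8Array.from(atob(b64), c => c.charCodeAt(0)));
}

// Decodes (does NOT verify) the JWT payload. The page cannot check the RS256 signature;
// claims are trusted only because the origin was checked, and the server must still
// verify the id_token before creating a session.
function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Returns null for unrelated messages, { error } for idpError or a failed check,
// and the reduced profile for a usable authResult.
function handleIdpMessage(event, expectedClientId, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!EXPECTED_ORIGINS.has(event.origin)) return null;            // ignore every other frame
  let msg = event.data;
  if (typeof msg === 'string') { try { msg = JSON.parse(msg); } catch { return null; } }
  if (!msg || msg.method !== 'fireIdpEvent' || !msg.params) return null;
  const p = msg.params;
  if (p.type === 'idpError') return { error: p.error };            // e.g. cookies disabled
  if (p.type !== 'authResult' || !p.authResult || !p.authResult.id_token) return null;
  const claims = decodeJwtPayload(p.authResult.id_token);
  if (!ISSUERS.has(claims.iss)) return { error: 'unexpected issuer' };
  if (claims.aud !== expectedClientId) return { error: 'id_token not issued for this client' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { error: 'id_token expired' };
  return { provider: 'Google', id: claims.sub, email: claims.email,
           emailVerified: claims.email_verified === true, idToken: p.authResult.id_token };
}

// Constructed sample id_token (fake signature, placeholder client id) so the block runs offline.
const SAMPLE_CLIENT_ID = 'CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com';
function b64urlEncode(str) {
  const b64 = typeof Buffer !== 'undefined' ? Buffer.from(str, 'utf8').toString('base64') : btoa(str);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function sampleIdToken(exp = 4102444800) {
  const payload = { iss: 'accounts.google.com', aud: SAMPLE_CLIENT_ID, sub: '1234567890',
                    email: 'user@example.com', email_verified: true, exp };
  return [b64urlEncode('{"alg":"RS256","typ":"JWT"}'), b64urlEncode(JSON.stringify(payload)), 'sig'].join('.');
}
```

In a page, register it with `addEventListener('message', e => handleIdpMessage(e, yourClientId))` and send the returned idToken to the server, which performs the full signature check.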

CetinSert (Author) commented:

@maraah1
Closing due to the replacement notice on top of this page: https://developers.google.com/identity/sign-in/web/reference
I will follow up with a separate issue requesting <pwa-auth> to start using the new Google API.


Our reduced response solution will stay in production on our next-gen web playground https://rt.ht in the meantime.

@CetinSert CetinSert reopened this Aug 22, 2022
maraah1 (Collaborator) commented Aug 31, 2022

Thanks for your work on investigating this issue. The team won't be able to get to this soon; would you be open to creating a PR with the changes, which we can review and merge?

@maraah1 maraah1 closed this as completed Aug 31, 2022
CetinSert added a commit to SyncHTML/PWABuilder that referenced this issue Sep 1, 2022
…th a reduced response when strict privacy mode (Block third-party cookies or InPrivate Browsing) is used (until we switch to Google Identity Services for Web as tracked in pwa-builder#3309).
@ghost ghost locked as resolved and limited conversation to collaborators Oct 2, 2022