OAuth redirect URL fails in Developer Edition but works in normal FF

I have a signed and self-distributed extension (web extension format) which uses launchWebAuthFlow to grab an OAuth token. When the OAuth provider redirects back to the redirect URL (https://<id>.extensions.allizom.org as returned by getRedirectURL()) in DE 58.0b4, I receive a 403 Forbidden error. However in normal FF Quantum 57.0 the request completes successfully.

Any idea why the extensions.allizom.org request is failing in DE?

Edit to add: the SSL cert check for the allizom.org redirect URL fails as well in DE:

e8dd248662ffce379a122e1416e16a0266347994.extensions.allizom.org uses an invalid security certificate.

The certificate is only valid for the following names:
  *.allizom.org, allizom.org

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Again, in normal FF there are no SSL errors on the redirect URL.
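The certificate error quoted above, worked through as an added example that is not part of the original post: under the RFC 6125 matching rule a `*` in a certificate name stands for exactly one left-most label, so `*.allizom.org` does not cover a host two labels below `allizom.org`. The function names are illustrative assumptions; the host and certificate names are the ones from the error message.

```javascript
// Added example (not from the thread): certificate name matching with the
// single-label wildcard rule of RFC 6125. Function names are hypothetical.

// Split a DNS name into lowercase labels, ignoring one trailing dot.
function labels(name) {
  return name.toLowerCase().replace(/\.$/, "").split(".");
}

// True if `pattern` (a certificate name such as "*.allizom.org") covers `hostname`.
function matchesCertName(hostname, pattern) {
  const host = labels(hostname);
  const pat = labels(pattern);
  // "*" stands for exactly one label, so the label counts must be equal.
  if (host.length !== pat.length) return false;
  if (host.some((l) => l.length === 0)) return false;
  // A wildcard is honoured only as the whole left-most label.
  return pat.every((label, i) =>
    label === "*" ? i === 0 : label === host[i]
  );
}

// Return the first certificate name that covers the host, or null.
function coveringName(hostname, certNames) {
  return certNames.find((n) => matchesCertName(hostname, n)) ?? null;
}

// Wildcard name that would cover the host: "*" replaces the left-most label.
function wildcardFor(hostname) {
  const [, ...parent] = labels(hostname);
  return parent.length >= 2 ? "*." + parent.join(".") : null;
}

// Names and host copied from the error message in the post.
const CERT_NAMES = ["*.allizom.org", "allizom.org"];
const REDIRECT_HOST =
  "e8dd248662ffce379a122e1416e16a0266347994.extensions.allizom.org";

// One-line verdict for a host against a list of certificate names.
function report(hostname, certNames) {
  const hit = coveringName(hostname, certNames);
  return hit
    ? `${hostname}: covered by ${hit}`
    : `${hostname}: no match, would need ${wildcardFor(hostname)}`;
}

console.log(report(REDIRECT_HOST, CERT_NAMES));
console.log(report("extensions.allizom.org", CERT_NAMES));
```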

Does this only happen with the first try and the second try works in dev edition (in the same session)?

No, I’m seeing this issue for every attempt in every session, including multiple attempts in a single session.

Note also that I can’t even get to the 403 error until I add an exception for the SSL issue, which also doesn’t present in non-dev FF.

Some new info.

It turns out regular FF wasn’t succeeding, but it was silently failing. The webAuthFlow popup would close (as opposed to dev where it remained open but showed the error) but the OAuth flow didn’t actually succeed.

Looking in the extension debug console in non-dev FF, I see two errors: one is the same SSL cert error I posted above, and the second is: The resource at “https://www.reddit.com/api/v1/access_token” was blocked because tracking protection is enabled.

For some reason tracking protection blocks access to Reddit’s OAuth endpoint. After disabling tracking protection in non-dev, the OAuth flow completes successfully.

However in DE, even with tracking protection disabled, the OAuth flow does not succeed and I continue to get the 403 Forbidden error (after adding an exception for the SSL cert issue). There are no logs in the extension console regarding this failure - it doesn’t mention tracking protection as non-dev does.

I have run into the same issue.

Same here on FF 59

It is not allowing to authenticate :frowning: