
Authentication flow doesn't work with Safari #2498

Open
shsteimer opened this issue Feb 28, 2025 · 1 comment
Labels
bug Something isn't working


shsteimer commented Feb 28, 2025

Description
When running aem up with an authenticated site, the auth flow never successfully completes if your default browser is Safari. When clicking send on the prompt page, an error occurs which is only surfaced via the dev console.

To Reproduce
Steps to reproduce the behavior:

  1. make Safari your default browser (my setup: Safari 18.3 on macOS 15.3.1)
  2. run aem up for an authenticated site with no stored site token
  3. log in with the IdP
  4. when you arrive at https://admin.hlx.page/auth/adobe/ack?code=... click send
  5. note that nothing happens
  6. open the dev tools console and note the error

Expected behavior
The auth flow should complete successfully. If that isn't possible due to some Safari-specific restriction, the user should see a message with some info on what they can do to work around it.

Screenshots

errors from console:

[Warning] [blocked] The page at https://admin.hlx.page/auth/adobe/ack?code=.... requested insecure content from http://localhost:3000/.aem/cli/login/ack. This content was blocked and must (ack, line 7)

[Error] Not allowed to request resource
	(anonymous function) (ack:7)
	sendPost (ack:6)
	(anonymous function) (ack:23)
[Error] Fetch API cannot load http://localhost:3000/.aem/cli/login/ack due to access control checks.
	(anonymous function) (ack:7)
	sendPost (ack:6)
	(anonymous function) (ack:23)
[Error] Unhandled Promise Rejection: TypeError: Load failed
	(anonymous function) (ack:7)

Version:

ssteimer@Seans-M3-Macbook-Pro ups % aem --version
16.10.1
@shsteimer shsteimer added the bug Something isn't working label Feb 28, 2025
andreituicu (Collaborator) commented

It looks like Safari is the only browser that very strictly enforces not making http calls from a secure https connection, even on localhost.
The other browsers treat localhost like a secure https connection.

https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content#loading_locally_delivered_mixed-resources
https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content#browser_compatibility

Will probably need to switch the response from Helix Admin to transfer information via a redirect to localhost (assuming that's supported by Safari, will need to check).
But that has different security disadvantages, unless we use something like PKCE, which requires more effort to implement.
Will need to check what we can do...
