Setting "Allow Google login for extensions" does not work

[mariospr]

Test plan

See brave/brave-core#14069

Description

Today, @AlexeyBarabash and me have found what seems to be a bug in the "Allow Google logins for extensions" feature, or at least in how it should work according to the information published in the wiki: "When this option is enabled: It enables chrome.identity for extensions so extensions like Google Keep and Google Calendar can retrieve an OAuth token from google to authenticate users."

We know that this worked in Brave 1.14 (~9 months ago) because @jumde landed PR #5616 precisely to enable extensions to use Google's login... and even on Brave 1.20 (~5 months ago) because @AlexeyBarabash landed PR #7346 at that time and keeping extensions logging in with Google auth was one of the things he kept in mind while doing that.

Just to make sure there was not a problem with the extensions themselves we tried this with Google Chrome 90.0.4430.72 and it worked perfectly:

1. Install Google Keep extension
2. Enable "Allow Google Login for extensions" and relaunch
3. Navigate to a random page: I loaded https://arstechnica.com/
4. Log to your Google account (either from a google.com site of clicking on the extension and then clicking on "Sign in" in the popup")
5. Go back to the random page loaded in (3) and click on the extension's icon
6. After the previous step, it is possible enter a note in Google Keep right from the extension's popup

Steps to Reproduce

1. Install Google Keep extension
2. Enable "Allow Google Login for extensions" and relaunch
3. Navigate to a random page: I loaded https://arstechnica.com/
4. Log to your Google account (either from a google.com site of clicking on the extension and then clicking on "Sign in" in the popup")
5. Go back to the random page loaded in (3) and click on the extension's icon

OTHER INFO:

• Steps 1-5 fail on Brave regardless of whether you have Brave Sync enabled or not
• Steps 1-5 from Google Chrome works as expected, even if you don't turn Google Sync on

Actual result:

The extension's popup keeps asking you to "Sign in", this is how it looks on Brave 1.23.71:

Expected result:

You should be able enter a note in Google Keep right from the extension's popup, as it happens on Chrome 90.0.4430.72:

Reproduces how often:

Always

Desktop Brave version:

Brave 1.23.71

Version/Channel Information:

• Can you reproduce this issue with the current release? Yes
• Can you reproduce this issue with the beta channel? Yes
• Can you reproduce this issue with the nightly channel? Yes

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields? No
• Does the issue resolve itself when disabling Brave Rewards? No
• Is the issue reproducible on the latest version of Chrome? No

Miscellaneous Information:

Related past issues:

• Unable to authenticate or use Google Keep extension in Brave #3650
• Google Calendar Extension won't authenticate #4672

[mariospr]

Tagging @AlexeyBarabash and @jumde as people potentially interested on this issue

[mariospr]

Some extra info after debugging with @AlexeyBarabash for a bit:

It looks like this could be caused because of profile->GetPrefs()->GetBoolean(prefs::kSigninAllowed) always returning false at src/chrome/browser/extensions/api/identity/identity_get_auth_token_function.cc:

bool IsBrowserSigninAllowed(Profile* profile) {
  return profile->GetPrefs()->GetBoolean(prefs::kSigninAllowed);
}

Another interesting data point is that 7 months ago the following landed in ToT:
https://chromium-review.googlesource.com/c/chromium/src/+/2429063

...which could have an impact since now "is signing allowed" depends on the value of google_apis::HasOAuthClientConfigured(), which will return true or false depending on the API keys. Still not 100% sure whether that's the reason of this, though, but the timeline kind of makes sense as being landed 7 months ago could explain why we didn't detect it when @AlexeyBarabash landed PR #7346 back in December 2020.

[mariospr]

@jumde shared why this is happening now, and the plan in place to get it fixed:

The problem was caused by recent changes to the policy for usage of OAuth credentials: currently, Google sign in for extensions is capped to a few thousand users for Chromium derivatives, which is why we're getting the error even if we have valid OAuth credentials.

Fortunately, there's already work happening upstream to allow derivatives to use the chrome.identity API for extensions which will allow to get this problem fixed in Brave once that change lands upstream.

Therefore, this issue is waiting for that change to land before it's possible to get it fixed.

Last, whenever this gets fixed please make sure it does not introduce a second instance of IdentityManagerFactory, which was causes issues from Cr92 forward, see issue #15659 (for which we've already got a PR that will be landing soon, hopefully today: brave/brave-core#8731)

[santiyounger]

Thanks for the info in here, good to know I'm not the only one with this issue. After already enabling Allow Google login for extensions and updating Brave, I keep getting this message

I click on the Sign in button. It takes me to a new Google login page. I'm able to sign in, but after refreshing the page I want to save (or opening the new one.

it shows the same message again

I'm on Garuda Linux (Arch Based)

Thanks

[qdgiang]

I'm also in the same spot as @santiyounger. I have already tried user-agent switch extension and enabled all the mentioned settings, and it keeps asking me to log in again.

I'm on Windows 10

[santiyounger]

I saw there are a lot of reported issues on this topic, not sure which one is the best to follow updates on.

If anyone has a link of the main issue where this is being tracked I'd love to know.

Sadly because I've started to make heavy use of Google Keep. I had to sell my soul and move to Google Chrome until this issue can be fully solved in Brave.

I'm sorry for being a traitor 🤣

[PolestarWx]

As a user I can say I have the problem too

[santiyounger]

As a user I can say I have the problem too

It's a shame a simple issue like this made Brave no longer an option for me. I'll keep an eye on this issue to see if I can return to Brave one day.

[mariospr]

@jumde @iefremov Pinging you on this issue to make sure you're aware of these latest reports.

[iefremov]

Thanks @mariospr , I wasn't aware of this. Probably we could bump the priority @rebron ?

[Michael-F-Ellis]

I have the problem, too.

• Google Keep extension version 4.21292.540.1
• Brave Version 1.27.108 Chromium: 92.0.4515.107 (Official Build) (x86_64).
• OS X 10.15.7

[Tonev]

Another user having the same issue as @mariospr (actual & expected result screenshots).

https://community.brave.com/t/cant-sign-in-to-google-keep-extension/271598/

[davenir]

I have this issue too:

Brave version : 1.27.111 Chromium: 92.0.4515.131 (Official Build) (64-bit)
Keep version: 4.21302.540.1
Windows 10

[fabricapo]

I have this issue too (hanging on to Brave hoping you'll fix this soon...)
Brave: V1.28.105 on Mac OS 11.2.3

[jumde]

No updates from our friends at chromium on this change - https://chromium-review.googlesource.com/c/chromium/src/+/2704571 - Requested an updated, will share details here when available. Apologies for the delay here.

[jwashburn]

Having the same issue. Spent the last couple hours reading up on it. Following this thread now. Thank you to everyone who's helping out on this!

[creep33]

Having the same issue. Spent the last couple hours reading up on it. Following this thread now. Thank you to everyone who's helping out on this!

Have you fixed it?

[jwashburn]

Having the same issue. Spent the last couple hours reading up on it. Following this thread now. Thank you to everyone who's helping out on this!

Have you fixed it?

No. Still not working for me. On the Google keep extension in Brave, it prompts me to sign in, but when I do, nothing happens.

[hiraksarkar]

Not working for me either.

[HouserR]

Same.
Brave V1.29.77
Linux Mint 20.2

[saadatfar]

Same.
Brave V1.29.80
Windows 10

[legolasdimir]

Google Keep (and some other extensions) use a 1st party Google API that will not be available to Chromium forks (Brave, Edge, Vivaldi, etc).

Details were shared back in January 2021 via blog (https://blog.chromium.org/2021/01/limiting-private-api-availability-in.html). The embedder-dev mailing list had discussions too - and in February, Google shared a patch which allows chrome.identity api to be used for 3rd party APIs: https://chromium-review.googlesource.com/c/chromium/src/+/2704571

Developers at Google confirmed that non-Google access to 1st party APIs using chrome.identity (previously available until it was shut down March 21) is considered wontfix by Google ☹️

We are working on updating the the code to allow chrome.identity to work with Google APIs meant for 3rd party (see patch by @mariospr in brave/brave-core#10103). This will allow extensions which use Google Logins to work - but unfortunately won't solve cases where 1st party authentication is needed

If you look at the post I quoted above, I believe that sadly, Brave is hosed with Google keep. It's not working in ANY chromium browser except edge now because of changes Google made to their API.

I have been dealing with the same frustration. To the point where I barely use keep anymore because the extension stopped working and I don't want to use chrome because of how much it tracks you and does not even respect your own settings regarding things like DNS.

[stephendonner]

Verification PASSED using

Brave	1.43.56 Chromium: 104.0.5112.81 (Official Build) dev (x86_64)
Revision	5b7b76419d50f583022568b6764b630f6ddc9208-refs/branch-heads/5112@{#1309}
OS	macOS Version 11.6.8 (Build 20G730)

Steps:

1. installed 1.43.56
2. launched Brave
3. toggled Allow Google login for extensions to Enabled
4. loaded https://chrome.google.com/webstore/detail/drive-sample/jpabeekbjicamajjcfejnochhmlbpgjh/related?pli=1
5. clicked on Add to Brave
6. clicked on Add app
7. double-clicked on Drive Sample
8. clicked on Authorize
9. entered my Google credentials

Confirmed I was able to upload files to my Google Drive by dragging and dropping them on the Drive Sample app.

example	example	example	example	example	example	example	example

Also tested with Google Keep:

example	example	example	example

[legolasdimir]

I tried the google keep extension on the nightly version (1.44.37) on mac os Montery 12.5 and i get a pop up when i click sign in as well as when the extension loads that throws an error stating 'custom uri scheme not allowed'. If i click go to keep in the extension menu it asks you to sign in which i can do and it then takes me to keep but if i go back to a page and click the keep icon i still get the 'you must sign in message'

@stephendonner is this the expected behavior?

[TrySpace]

Confirmed on nightly 1.44.40 on Windows 10 (Version 10.0.18363 Build 18363) I can now login to a google account with extension.
Previously I did not get a google login popup, now I do (although the popup is as large as the browser window)

[spylogsster]

@legolasdimir yes, more info here #15754 (comment)

[legolasdimir]

so essentially what i feared. keep is broken on anything that's not chrome

[UjCbFwtBayFM]

Also tested with Google Keep:

example example example example

What did you test exactly there?

[spylogsster]

@UjCbFwtBayFM PTAL #15754 (comment)

[erick-jeronimo]

This issue was solved? I'm having the same problem

[legolasdimir]

@erick-jeronimo are you talking about keep not letting you save? The recently referenced comment basically says they can't fix it. Google changed their API so extensions that require a certain form of login won't work outside of chrome anymore. So we're just hosed.i went back to chrome because of this. And reliability issues with sending pages between devices

[erick-jeronimo]

yes @legolasdimir, thanks a lot for the clarification!

[TrySpace]

I have noticed an annoyance/deviation with this from google-chrome: I have to re-enter my google credentials, including the username, whereas normally (in chrome) I get the dialog to select the account, and don't have to enter my password.
It might be because of different security measures.
I've only had it when I switch the extension I'm developing between production and development, which have a different oauth2 client_id in the manifest.

[kdenhartog]

I have noticed an annoyance/deviation with this from google-chrome: I have to re-enter my google credentials, including the username, whereas normally (in chrome) I get the dialog to select the account, and don't have to enter my password.

This is to be expected from my understanding of how we decided to implement this versus Google. In Google's case they grant themselves an exception because Chrome is given access to restricted APIs which make it possible for their browser to effectively behave like the client in OAuth rather than treating each individual extension in that way.

You can read more into this from their blog post and the chromium docs.