I can confirm that this fixed my issue with our Palo Alto Global Protect
VPN client, which requires the Android WebView.  I do not have a way to
test the Gmail app in my QA environment but I suspect it will be the same.

Thanks Misagh if you are reading this.  Hopefully this can be backported
into the 7.2 branch :-)

On Thu, Apr 10, 2025 at 4:24 PM Jonathon Taylor <jonath...@berkeley.edu>
wrote:

> Hi All,
>
> There appears to be a potential solution for this being worked on in the
> 7.3.0-SNAPSHOT version of CAS.  The commit is here:
>
>
> https://github.com/apereo/cas/commit/bf27b046e43029666dea64aba1a866bb67c010e9
>
> I just tested this by changing my 7.2.1-SNAPSHOT build to 7.3.0-SNAPSHOT.
> You can then use this property:
>
> # This defaults to BROWSER_STORAGE
> cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY
>
> This appears to work and skips the interstitial pages that read/write from
> localStorage in the browser.  I have not yet tested this for Android but
> will.
>
> On Thu, Apr 10, 2025 at 8:15 AM Jonathon Taylor <jonath...@berkeley.edu>
> wrote:
>
>> Agreed.  This does not just affect Gmail on Android, but also common
>> applications such as GlobalProtect VPN clients and I'm sure other commonly
>> used software.  I do appreciate the pull request and we will likely be
>> using the solution Mark posted.
>>
>> On Wed, Apr 2, 2025 at 4:50 AM David Gelhar <david.gel...@gmail.com>
>> wrote:
>>
>>> Hi Mark,
>>>
>>> Thank you for posting that pull request. We have encountered similar
>>> problems since upgrading to CAS7 so your analysis (and workaround) is going
>>> to prove very helpful.
>>>
>>> The attitude of the CAS project around this issue is frankly
>>> incomprehensible. They have introduced a change that completely breaks
>>> authentication for a very significant user population (Gmail on an Android
>>> device is not exactly an "edge case"), and then declined to accept a fix
>>> because it would be "not worth maintaining".
>>>
>>> Thanks,
>>>
>>> David
>>>
>>> On Wednesday, March 12, 2025 at 9:00:46 AM UTC-4 Mark Oliver wrote:
>>>
>>>> Hi Jonathan,
>>>>
>>>> Unfortunately, that was a mistake on my part—a fix isn’t in the
>>>> mentioned file.
>>>>
>>>> I did submit a pull request for a fix here, but it was rejected because
>>>> it changed the core functionality of CAS, and the project doesn’t want to
>>>> maintain that, which is fair enough:
>>>> https://github.com/apereo/cas/pull/6305
>>>>
>>>> Going forward, we’re managing our own version of the file. Given that,
>>>> I’ve simplified it by solely relying on sessionStorage.
>>>>
>>>> Cheers,
>>>> Mark
>>>> On Thursday, 6 March 2025 at 13:52:01 UTC Jonathon Taylor wrote:
>>>>
>>>>> Hi Mark,
>>>>>
>>>>> We are running into this same issue.  Would you mind pointing me to
>>>>> what in the master branch version resolved this issue for you?  We are
>>>>> seeing the issue with 7.1.4 currently.
>>>>>
>>>>> On Thu, Jan 9, 2025 at 9:12 AM 'Mark Oliver' via CAS Community <
>>>>> cas-...@apereo.org> wrote:
>>>>>
>>>>>> Thanks Ray,
>>>>>>
>>>>>> I was able to find the latest file on the master branch which looks
>>>>>> like it's been fixed:
>>>>>>
>>>>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-thymeleaf/src/main/resources/static/js/cas.js
>>>>>>
>>>>>> Cheers.
>>>>>> Mark
>>>>>
>>>>>
>>>>>>
>>>>>> On Tuesday, 7 January 2025 at 06:26:59 UTC Ray Bon wrote:
>>>>>>
>>>>>>> Mark,
>>>>>>>
>>>>>>> You can start with
>>>>>>> https://apereo.github.io/cas/developer/Contributor-Guidelines.html
>>>>>>> <https://apereo.github.io/cas/developer/Build-Process.html>
>>>>>>>
>>>>>>> Ray
>>>>>>>
>>>>>>> On Mon, 2025-01-06 at 06:30 -0800, 'Mark Oliver' via CAS Community
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> We recently attempted to upgrade our CAS installation from 6.6 to
>>>>>>> 7.x and encountered a blocking issue with Android’s embedded WebView
>>>>>>> (specifically in the Gmail app).
>>>>>>>
>>>>>>> In CAS 7.x, the default src/main/static/js/cas.js file appears to
>>>>>>> rely more heavily on localStorage. However, the Gmail app’s built-in
>>>>>>> WebView which is used for registering an account does not properly support
>>>>>>> localStorage. This leads to errors in the authentication flow, causing the
>>>>>>> WebView browser to hang after CAS credentials are submitted. In CAS 6.6,
>>>>>>> the code primarily used sessionStorage, and this issue never arose.
>>>>>>>
>>>>>>> To work around the problem, I’ve updated cas.js so that it first
>>>>>>> checks if localStorage is available, and if not, it falls back to an
>>>>>>> in-memory object or to sessionStorage. This resolves the problem for our
>>>>>>> users.
>>>>>>>
>>>>>>> - So firstly, is this a known issue? As of 7.1.3 the issue still
>>>>>>> remains.
>>>>>>> - If a fix is welcome, where should I submit a pull request for the
>>>>>>> src/main/static/js/cas.js file?
>>>>>>>
>>>>>>> Cheers.
>>>>>>> Mark
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>> - Website: https://apereo.github.io/cas
>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "CAS Community" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to cas-user+u...@apereo.org.
>>>>>> To view this discussion visit
>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0f4c6d2c-a7b3-461f-9dee-d448da800e8bn%40apereo.org
>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/0f4c6d2c-a7b3-461f-9dee-d448da800e8bn%40apereo.org?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Jonathon Taylor (he/him)
>>>>> Information Security Office
>>>>> jona...@berkeley.edu
>>>>>
>>>>
>>
>> --
>> Jonathon Taylor (he/him)
>> Information Security Office
>> jonath...@berkeley.edu
>>
>
>
> --
> Jonathon Taylor (he/him)
> Information Security Office
> jonath...@berkeley.edu
>


-- 
Jonathon Taylor (he/him)
Information Security Office
jonath...@berkeley.edu
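
The client-side fallback described earlier in the thread (check whether localStorage is usable, otherwise fall back), as an added example that is not part of the thread and is not the code from CAS's cas.js or from pull request 6305. The names `pickStorage`, `usable` and `memoryStorage` are hypothetical, the preference order is an assumption, and the sample environments are constructed stand-ins for `window`.

```javascript
// Added example: choose a storage backend by feature detection.
// `env` stands in for `window`; in a browser, call pickStorage(window).

function memoryStorage() {
  // Minimal Storage-like object; its contents are lost on any full page load.
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

function usable(env, name) {
  // Reading the property can throw or yield null, and setItem can throw
  // even when the object exists, so probe with a write/read/remove round trip.
  try {
    const store = env[name];
    if (!store) return false;
    const probe = "__storage_probe__";
    store.setItem(probe, "1");
    const ok = store.getItem(probe) === "1";
    store.removeItem(probe);
    return ok;
  } catch (e) {
    return false;
  }
}

function pickStorage(env) {
  // Assumed preference order: localStorage, sessionStorage, in-memory object.
  for (const name of ["localStorage", "sessionStorage"]) {
    if (usable(env, name)) return { kind: name, store: env[name] };
  }
  return { kind: "memory", store: memoryStorage() };
}

// Constructed environments (not real WebView objects).
const throwing = { setItem() { throw new Error("denied"); }, getItem: () => null, removeItem() {} };
const envNullLocal = { localStorage: null, sessionStorage: memoryStorage() };
const envThrowingLocal = { localStorage: throwing, sessionStorage: memoryStorage() };
const envGetterThrows = { get localStorage() { throw new Error("denied"); }, sessionStorage: memoryStorage() };
const envNoWebStorage = {};

console.log([envNullLocal, envThrowingLocal, envGetterThrows, envNoWebStorage]
  .map((e) => pickStorage(e).kind).join(", "));
```

An in-memory store does not survive a full page load, so state that has to cross a redirect needs sessionStorage or a server-side option such as the `session-storage-type=TICKET_REGISTRY` property quoted above.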
