Symptom
In our regular regression testing, we have uncovered a change in policy with Google Authentication.
Google have revoked SSO support for applications built on the open source Chromium Embedded Framework (CEF), stating that this embedded framework carries a potential security risk (MITM).
Therefore, it is no longer advisable to recommend using Google for SSO when using the Curator Connect or Curator for Adobe panel.
Google state:
"One form of phishing, known as “man-in-the-middle”, is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework - CEF) or another automation platform is being used for authentication. MITM presents an authentication flow on these platforms and intercepts the communications between a user and Google to gather the user’s credentials (including the second factor in some cases) and sign in. To protect our users from these types of attacks Google Account sign-ins from all embedded frameworks will be blocked starting on January 4, 2021. This block affects CEF-based apps and other non-supported browsers."
The full article is available here.
Resolution
IPV have embraced OAuth 2.0, which by definition gives us many advantages in a world of increasing security arrangements.
From Curator Arrival 3.0, a user can choose to sign in with providers of this standard, so using Google as a provider was an option.
Google have decided that the Chromium framework, used in our Curator Connect and by Adobe, carries the MITM threat risk and have now introduced a block for any application using this framework. So IPV has no option to use Google as an authentication authority.
All other providers, to our knowledge, continue to work, such as Okta, for example.
Users can continue to log in using their Curator login, or with other authentication providers. We believe the annoyance will be with SSO, whereby a user may have chosen to use their Google account for single sign-on to all their desktop applications, and this will no longer work for Curator Connect or any Adobe extension panel, including IPV’s Curator for Adobe.
IPV support has not changed. Google has decided to block the CEF frameworks, and one might hope that, in time, they (Google) might offer some resolution for these widely used frameworks.