So I had a little time to further inspect this issue.
I was able to reproduce this every time in the following setup: Firefox 70.0.1 (64-Bit), Privacy setting "strict"
Typing in the address bar: my.xxx.tld forwards me to https://my.xxx.tld/api/v1/session/login?returnTo=https://my.xxx.tld/login_callback.html
Normal login screen appears, I fill in my credentials and get forwarded to https://my.xxx.tld/login_callback.html?token=[STRING]&state=[STRING]
This site then does nothing.
This is the source code:
<html>
<head>
<title> Cloudron OAuth Callback </title>
<script>
'use strict';
var search = decodeURIComponent(window.location.search).slice(1).split('&').map(function (item) { return item.split('='); }).reduce(function (o, k) { o[k[0]] = k[1]; return o; }, {});
if (!search.token) {
console.error('No token found');
} else if (!search.state || !window.localStorage.oauth2State || search.state !== window.localStorage.oauth2State ) {
console.error('OAuth2 state error');
} else {
// the actual app picks up the access token from localStorage
localStorage.token = search.token;
// clear oauth2 state
delete window.localStorage.oauth2State;
var returnTo = window.localStorage.returnTo;
delete window.localStorage.returnTo;
if (returnTo) window.location.href = returnTo;
else window.location.href = '/';
}
</script>
</head>
<body>
</body>
</html>
As @murgero said, yes; when I then just remove the "/login_callback.html?token=[STRING]&state=[STRING]" in the address bar everything works fine.
This is the browser log, if it helps:
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.removeSheetUsingURIString]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/ExtensionCommon.jsm :: runSafeSyncWithoutClone :: line 75" data: no] 2 ExtensionCommon.jsm:75:12
runSafeSyncWithoutClone resource://gre/modules/ExtensionCommon.jsm:75
cleanup resource://gre/modules/ExtensionContent.jsm:402
close resource://gre/modules/ExtensionContent.jsm:925
destroyed resource://gre/modules/ExtensionContent.jsm:1010
observe resource://gre/modules/ExtensionContent.jsm:1028
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
[Exception... "Favicon at "https://my.xxx.tld/favicon.ico" failed to load: Not Found." nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource:///modules/FaviconLoader.jsm :: onStopRequest :: line 236" data: no]
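The callback logic from login_callback.html above, rewritten as an added example (not the post's code and not Cloudron's own) so that each outcome is returned instead of only logged to the console; handleOAuthCallback, makeStorage and safeReturnTo are assumed names, and the Map-backed storage stands in for window.localStorage.

```javascript
// Added example, not Cloudron's login_callback.html: the same token/state
// check as a pure function. `storage` is any object with get/set/remove
// (a constructed Map-backed fake below; in the browser, window.localStorage).

// Assumed helper: only accept a same-origin path as redirect target.
// The original page redirects to whatever returnTo holds; this check is an
// addition beyond the original behaviour.
function safeReturnTo(value) {
  if (typeof value === 'string' && value.startsWith('/') && !value.startsWith('//')) {
    return value;
  }
  return '/';
}

function handleOAuthCallback(search, storage) {
  // URLSearchParams splits on '&' first and decodes each value once, so a
  // token containing an encoded '&' or '=' survives intact.
  const params = new URLSearchParams(search);
  const token = params.get('token');
  const state = params.get('state');
  const expected = storage.get('oauth2State');

  if (!token) {
    return { status: 'no_token' };
  }
  // Missing stored state is the situation the post describes: the page sits
  // blank because the only sign of trouble is a console.error.
  if (!expected) {
    return { status: 'no_stored_state' };
  }
  if (!state || state !== expected) {
    return { status: 'state_mismatch' };
  }
  // State verified: hand the token to the app and consume the one-time state.
  storage.set('token', token);
  storage.remove('oauth2State');
  const redirect = safeReturnTo(storage.get('returnTo'));
  storage.remove('returnTo');
  return { status: 'ok', token: token, redirect: redirect };
}

// Constructed in-memory stand-in for window.localStorage.
function makeStorage(initial) {
  const m = new Map(Object.entries(initial || {}));
  return {
    get: function (k) { return m.has(k) ? m.get(k) : undefined; },
    set: function (k, v) { m.set(k, v); },
    remove: function (k) { m.delete(k); },
  };
}
```

Running it with an empty storage reproduces the blank-page case as a 'no_stored_state' result, which is what the app would need to surface to the user instead of a silent console message.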