This repository has been archived by the owner on Nov 21, 2017. It is now read-only.

Error with Forgotten Callback URI #732

Open
harrisj opened this issue Jul 28, 2015 · 0 comments
harrisj commented Jul 28, 2015

@leahbannon has identified an issue with MyUSA and Google OAuth when attempting to log in to Tock. Basically, if you are logged into Google with an account that is not accepted as a valid user by the remote app (in this case, it's her personal Gmail account, but Tock only accepts specific GSA accounts), the user gets stuck in an annoying feedback cycle where Google automatically logs in the user on that one email account and passes the authorization to MyUSA, which then authorizes for that account, but the authorization is then rejected with a 403 by the remote application. This seems like it would lead to an unbreakable cycle until the user explicitly logs out of Gmail in a separate tab, but after a few minutes, MyUSA somehow loses the thread and just logs the user into MyUSA for that personal Gmail (as opposed to trying to authorize a third-party application). This is not what we want and is really confusing. Why does it forget? It's possible there is some timeout on the authentication process.

To reproduce, try the following (for 18F employees only):

  1. Open the browser in incognito mode. This should start you on a blank slate with Tock, MyUSA and Google.
  2. Go to Tock. It will prompt you to log in with MyUSA. Select the option to log in with Google.
  3. In Google, log in with your personal Gmail account.
  4. This should then redirect back to a callback in MyUSA, which will then go to a callback in Tock, which will then give you a big blue HTTP 403 error screen. Do not click the "log back in using the correct account" link, but use your browser's back button to return to the MyUSA Google login button. Press it again. If you do this a few times, it will eventually
  5. just log you into MyUSA and put you on the main page for editing your profile.

In essence, it loses the callback it is supposed to hit after authenticating into MyUSA, which is why it becomes a login instead. This is confusing, but it is only an issue because of the combination of Google sign-in and post-login requirements against the email address. We could, however, imagine similar scenarios if an integrator threw 500 errors on repeated login attempts.
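As an added illustration (not code from the MyUSA or Tock projects), the following Python model replays the reproduction steps above against a stand-in broker. Everything in it is assumed rather than taken from the issue: a per-session pending authorization request with a 5-minute TTL, a constructed allow-list of email domains standing in for "specific GSA accounts", a placeholder callback URI, and a sample personal address. With `strict=False` it reproduces the reported outcome (once the pending request has expired, the Google callback turns into a plain login to the broker); with `strict=True` the broker fails closed and returns an explicit error instead of silently changing what the user was doing.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed values (not from the issue): the issue only suspects "some timeout" and says
# Tock accepts "specific GSA accounts"; these are constructed stand-ins for a demo.
PENDING_TTL_SECONDS = 300
ALLOWED_DOMAINS = {"gsa.gov"}
TOCK_REDIRECT_URI = "https://tock.example/auth/callback"   # placeholder, not the real URI


@dataclass
class PendingAuthz:
    """The third-party authorization the broker must resume after the Google login."""
    client_id: str
    redirect_uri: str
    state: str
    created_at: float


class Broker:
    """Hypothetical MyUSA-like broker. strict=False mimics the reported behaviour
    (a forgotten callback becomes a plain login); strict=True fails closed instead."""

    def __init__(self, clock=time.time, strict=True):
        self.clock = clock
        self.strict = strict
        self.sessions = {}   # browser session id -> {"pending": PendingAuthz, "email": str}
        self.codes = {}      # one-time authorization code -> email it was issued for

    def authorize(self, session_id, client_id, redirect_uri, state):
        # Step 2 of the report: the client sends the user here; remember where to return.
        sess = self.sessions.setdefault(session_id, {})
        sess["pending"] = PendingAuthz(client_id, redirect_uri, state, self.clock())
        return {"action": "redirect", "to": "google-login"}

    def google_callback(self, session_id, email):
        # Steps 3-4: Google hands back the signed-in account; resume the pending request.
        sess = self.sessions.setdefault(session_id, {})
        sess["email"] = email
        pending = sess.get("pending")
        if pending is None or self.clock() - pending.created_at > PENDING_TTL_SECONDS:
            sess.pop("pending", None)
            if not self.strict:
                # Reported behaviour: the callback is lost, so the user lands on their profile.
                return {"action": "logged_in", "page": "profile"}
            # Hardened behaviour: an expired authorization is an error, never a silent login.
            return {"action": "error", "reason": "authorization_request_expired"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = email
        return {"action": "redirect", "to": pending.redirect_uri,
                "params": {"code": code, "state": pending.state}}

    def exchange_code(self, code):
        # Token-endpoint stand-in: a code is single-use and yields the account's email.
        return self.codes.pop(code, None)


def tock_callback(broker, params, expected_state):
    """Client callback stand-in: bind state, redeem the code, enforce the domain policy."""
    if params.get("state") != expected_state:
        return 400
    email = broker.exchange_code(params.get("code"))
    if email is None:
        return 400
    if email.rsplit("@", 1)[-1] not in ALLOWED_DOMAINS:
        return 403      # the "big blue HTTP 403" from the report
    return 200


def replay_report(strict, attempts=4, seconds_between=120):
    """Replay the reproduction steps and return the outcome of each press of the Google button.

    The user enters once via the client, gets a 403, then uses the back button and presses
    the broker's Google button again, so authorize() is only ever called once.
    """
    now = [1_000_000.0]                        # fake clock so the TTL is deterministic
    broker = Broker(clock=lambda: now[0], strict=strict)
    state = secrets.token_urlsafe(8)
    broker.authorize("sess1", "tock", TOCK_REDIRECT_URI, state)
    outcomes = []
    for _ in range(attempts):
        result = broker.google_callback("sess1", "person@gmail.com")   # constructed account
        if result["action"] == "redirect":
            outcomes.append(("tock", tock_callback(broker, result["params"], state)))
        else:
            outcomes.append((result["action"], result.get("page") or result.get("reason")))
        now[0] += seconds_between              # time passes before the next press
    return outcomes
```

With the default parameters the first three presses reach Tock and get a 403 each time; the fourth press comes after the pending request has aged past the TTL. The non-strict broker then reports `("logged_in", "profile")`, which is the behaviour described in the issue, while the strict broker reports `("error", "authorization_request_expired")`, so the user sees that the application's authorization must be restarted rather than finding themselves on a profile page.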

@harrisj harrisj self-assigned this Jul 28, 2015
@harrisj harrisj changed the title Error with Forgotten Redirection Error with Forgotten Callback URI Jul 28, 2015