Why oauth sign-in page's Google sign-in button has to open on a new page?

coffeeocean · ‎Mar 27, 2018

This has blocked an important user scenario we are trying to support. The user can't sign-in as a result.

I'm embedding the oauth sign-in page below in an iframe in my integration. When the user clicks on "Sign in with Google" it opens the google sign-in in a new page instead of navigating to google sign-in. This is problematic because Mac OS Excel opens the new page on a totally new browser process that doesn't share cookie with the embedded browser inside Excel, so after google sign-in there is no way the embedded browser inside Excel to get the cookie token. As a result, it is impossible to sign-in via Google. I looked at the code of hubspot sign-in page and found that opening google sign-in in a new page is on purpose when it is in an iframe. When using the sign-in page directly in the browser without iframe, it navigates to Google sign-in instead of opening in a new page. Why is that? Is there a way to make hubspot sign-in page loaded inside an iframe to also navigate to Google sign-in? Thanks!

Derek_Gervais · ‎May 29, 2018

Hi @coffeeocean,

This isn't something that we support directly; if a user traditionally signs in using Google, allowing integrators to hide the Google sign in button would force these users into an incorrect username/password situation. The only resolution would be for them to complete the forgotten password flow to create a 'regular' HubSpot login, and then sign into HubSpot from your iframe that way. Is there a way way for your integration to push users to complete the OAuth flow in a browser instead of within Mac OS Excel?

coffeeocean · ‎May 22, 2018

Any comments about the ask? Thanks!

coffeeocean · ‎Apr 11, 2018

I understand that Google sign-in page has "X-Frame-Options: sameorigin" HTTP header, so when hubspot sign-in page detects itself is loaded inside an iframe instead of the parent browser window, it will launch Google Sign-in on a new page/window instead of navigating to it in order to avoid a dead-end for users. However, our integration will only run inside an iframe that is locked down and can't share cookies with browser window it launches. So technically we can't get Google Sign-in to work for our scenario.

The ASK: could you please provide a URL parameter for the Hubspot Sign-in page for hiding the Google Sign-in button? This will help us a lot so our users won't end up in a dead-end when they clicks on the Google Sign-in button. Thank you!

APIs & Integrations