GrapheneOS I'm a developer myself, so I completely agree with you on technical matters. That said, let me clarify.
What I wrote before:
> I'm inclined to say that either way, this is a Vanadium bug.

Mea culpa. Re-reading this now, what I should have written to express what I had in mind was "either way, this is a regression likely triggered by a Vanadium change". I did not really mean to lay the blame on Vanadium, I just wanted to express that:
- I'm completely sure that Vanadium used to work
- Then at some point it stopped working (not sure when, I re-tested when I saw the reports here)
- Other Chromium-based browsers still work
- I checked the commit log in Vanadium and it seemed possible that some of the changes from when it used to work may have upset MitID
I'm happy that you finally clarified that additional hardening in Vanadium regarding the headers is what triggered the change in behaviour from the MitID side. This proves that my hunch was right.
> It's incredibly strange to start blaming something you say happened in Firefox with it before on Vanadium now.
No, it's not "incredibly strange". It's exactly what was happening:
- In the past, it was not possible to log in with MitID inside any app if Firefox was the default browser in the phone (as it becomes the default in-app browser as well). After authentication, when the control was sent back to the app, the app couldn't detect that the log-in succeeded. Note that this was only for apps; authentication in Firefox itself (for websites) was working.
- Changing the default browser to Vanadium (which became also the default in-app browser) fixed the authentication issue for apps. Authentication for websites also worked.
- At some point, Firefox started working, both in websites and as the in-app browser inside other apps.
- Now Vanadium no longer works, neither in websites, nor inside other apps.
This is not laying blame. I was just stating the facts: for authenticating with MitID, Firefox used to be broken and Vanadium used to work, and now the situation has reversed and Firefox works but Vanadium doesn't.
I have enough experience with MitID that 99% of the time the problem is with MitID. But more often than not, it's also true that changes elsewhere trigger some overzealous security theater MitID checks. When that's the case, even though the blame almost always lies with MitID, it's often important to understand what changed and how it upset MitID (to report it to them and to see what's the best workaround).
> Ask them to fix their buggy software again. They seem to be willing to do that since they fixed all the other issues in the past eventually.

> Report the problem to them and emphasize that supporting only specific browsers is anti-competitive.
I have done this multiple times and I am still doing it. But to get the message across, each time MitID stops working we need to understand (1) what broke this time and (2) why it broke now so we can formulate it in some way that hopefully they can understand. Hence the discussions here.
To conclude, @GrapheneOS, I would like to express a few extra points:
- We all love GrapheneOS, that's why we use it and that's why we're here.
- This thread is for the community to find solutions, not a support request towards GOS developers, so please assume good intentions by default. Nobody is trying to blame GOS (even if poorly worded, see above) — and we do understand that almost every change made to GOS is to improve privacy for users — but at the same time I am trying to understand any GOS changes that may start tripping MitID: (1) because I'm a curious technical person and (2) to document this for other users.
- No matter how brain-dead MitID is (and I do completely agree with you regarding all technical points), it's very difficult for someone not living in Denmark to grasp how essential MitID is to daily life. It's not an app that you use simply for convenience. This is basically a digital version of your ID and you need it to authenticate with virtually every important local service, even offline ones (for example, if you try to call your bank they will not do anything before they validate your identity with MitID). The Nordic countries have almost completely moved towards a society that is cashless and almost every service is digital only, and you must be authenticated via a government-mandated authentication solution that is tied to your real identity (MitID in the case of Denmark).
So it's not a question of stopping the use of apps, or changing banks, or changing services, because all of them use MitID. That is why we're so eager to discuss any breakages here, because it impacts us strongly and at the same time we love GOS and want to keep using it if we can without having to carry an alternative device for the sake of MitID only.
P.S.: Don't shoot the messenger, I'm just stating how things are, not that they should be this way. Unfortunately, I'm powerless to change this status quo and I have to live within these parameters.