ID modules initialized before requestBidsHook do not receive consentData

[smenzer]

Type of issue

Bug

Description

There are a few ways that ID submodules are initialized - via the requestBidsHook and in the getUserIds(), getUserIdsAsEids(), and refreshUserIds() functions. Whichever one of these that are called first is what dictates how the submodule is initialized and subsequent calls to another function doesn't reinitialize them.

The problem is that if a call to getUserIds() or getUserIdsAsEids() is called before the requestBidsHook fires, then it's not guaranteed that the CMP would have returned consent data to prebid-core yet and the submodules get initialized with consentData being undefined. When the requestBidsHook fires, the submodules are already initialized and are not called again. This means that the submodules never get consent data and, assuming the submodule follows GDPR properly, there would be no ID available from the provider, even if the user did consent.

Steps to reproduce

I have two test pages to show the behavior

1. Consent Data correctly passed into the ID5 submodule: https://samples.id5.io/prebid/basic

   • In the Console, you can see that a valid ID5 ID is made available with pbjs.getUserIds()
   • You can also see Network calls to ID5 with the gdpr consent string in the body of the payload

2. Consent Data missing because getUserIdsAsEids() is called at the bottom of the page prior to the requestBidsHook: https://samples.id5.io/prebid/basic-with-bug.html

   • You'll see in the box that the ID5 ID is "0", indicating no consent from ID5
   • You can see this in the Network calls to ID5 that the gdpr flag is set to 0 and no gdpr consent string is passed

If you are flipping back and forth between these pages, make sure to refresh a few times to clear out the cache - the ID5 module will make new calls to ID5 every 10 seconds.

Expected results in the "Prebid Bug" page

I'm open to two different approaches here:

1) Delay the functions until after the modules are initialized properly with consent data

• If a call to getUserIds() or getUserIdsAsEids() is called before the submodules are initialized by the requestBidsHook, they should be put in a queue and responses delayed until the modules are initialized, then they return like normal
• If there is cached data available, then the functions could return the cached data only and skip the rest of the initialization process

2) Re-initialize with consent data if it becomes available

• The initial call to getUserIdsAsEids() should call ID5 if there is no data in cache, or use the ID from cache if available (this works as expected today)
• If the submodules are initialized prior to the requestBidsHook, and consent data is available when the requestBidsHook fires, then the submodules should be reinitialized and allow the modules to use the consent data

I think option 1) is a better approach, but open to other ideas as well.

cc @padurgeat

[dgirardi]

@smenzer I don't see the difference between the two pages you provided (except for the textarea). What I see is:

• pbjs.getUserIds() returns a valid id5 id in both pages (after the page loads)
• the call to id5 has "gdpr": 0 for both pages.

Is it because I am implicitly declining consent? I am not prompted about it.

[smenzer]

@dgirardi are you based in the EU? If not, gdpr doesn't apply and the page will work fine.

[dgirardi]

@smenzer OK, so I tried again with an EU-based VPN and I do see the issue on the test page, but I don't if I swap prebid with master. Is this still an issue, or was it fixed with #6760?

[patmmccann]

appears to be solved by #8201

[patmmccann]

also appears to be a dupe of #5447