I am working on an e-commerce website. Our website provides the option to signup using google account (using OAuth).
Our website is responsive and can be accessed using mobile devices, however it is not embedded and we do not have any Andriod or iOS apps.
Today I got the following error from one of our users. That's all I got, but it sounds like she was trying to signup to our website, when she got the following error:
You can't sign in from this screen because this app doesn't comply
with Google's embedded webview Policy. If this app has a website, you
can open a web browser and try signing in from there.
I have checked this Google page, which says:
The Google Identity team is continually working to improve Google
Account security and create a safer and more secure experience for our
users. As part of that work, we recently introduced a new secure
browser policy prohibiting Google OAuth requests in embedded browser
libraries commonly referred to as embedded webviews. All embedded
webviews will be blocked starting on September 30, 2021.
This is strange because today is 29th of September! Not entirely sure if this error is because of Google's change in OAuth? And not sure how to resolve this?
Google has announced and blocked embedded webviews since 2016, which is likely the reason for this error.
As mentioned in the error page, ask your users to open your app by visiting the website in a system browser. It may be that your users are attempting to visit your website using an app that opens up links in embedded webviews. Suggesting to your users that they use the system browser to login will get around that.
In mobile apps the optimal solution is to redirect user to native browser as specified in Google security policy guide and let them finish the registration there using SFSafariViewController:
iOS - Optimal solution
let config = SFSafariViewController.Configuration()
let safari = SFSafariViewController(url: url, configuration: config)
viewController.present(safari, animated: true)
If you are not able to do that and really need to handle the login in WebView (Android) or WkWebView (iOS) you can manually change the userAgent likewise:
Check the latest userAgent and manually add it
iOS - Not Optimal solution
let config = WKWebViewConfiguration()
config.applicationNameForUserAgent = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148 Safari/604.1"
let webView = WKWebView(frame: .zero, configuration: config)
Android
webView.getSettings().setUserAgentString(System.getProperty("http.agent"));
Related
We are developing two new react native apps, and need to integrate Azure AD authentication at both the places. We also have existing web apps that are Azure AD enabled and the user can open the web links from our (new) native apps.
We have decided to use MSAL library (react-native-msal) to implement the authentication part mainly to support SSO between the native apps + the web apps that we open in the Safari browser.
We have followed all the steps that the react-native-msal library suggests and are able to achieve SSO between the two native apps.
However, when I login to one native app, and try to open the web app link using react linking, the web app prompts for the login credentials.
Note:
For authenticating user through native app, we are using "Authentication Session" with "prefersEphemeralWebBrowserSession = false" which ideally should share the SSO cookies with the Safari browser.
But clearly, this does not seem to work.
I would like to get some understanding on this problem and find out if others are facing this issue too? or is it just us?
In this case you need a preferred user token and send it along with the login request. For capturing the details of the user at the same time I suggest storing the details in the domain wide cookies that is known for all applications.
// Store the user details after login
document.cookie = "msal_details=Paul#xyz-corp.com;domain=.xyz-corp.com;path=/"
// use the user details
var user = getCookieByName("msal_username");
userAgentApplication.loginRedirect(scopes, "&login_hint=" + user);
Lastly, you would need to implement this in your application.
Well, it turns out to be a problem with the simulator. This functionality works only on the physical devices (iPhone/iPad) and not on the simulators.
This should have been documented in the react-native-msal's document though.
I have website hosted on domain that is associated with iOS mobile app.
Inside mobile app I want to access cookies from this website, which are stored in Chrome and Safari browsers on iPhone.
Is it even possible? And how it can be done?
If I can’t do it, maybe there is some official way of solving task of accessing some website data from app like webcredentials?
We are trying to get an iOS app approved to go into the AppStore. We are leveraging parts of the Spotify API in our app, so are using the Spotify web authorization flow.
On the sign in page provided by Spotify, it shows 'sign up' links as well as the sign in links. Apple did not like this, as it violated 'Guideline 3.1.1 - Business - Payments - In-App Purchase' as we were promoting other apps within ours. We found the adding nosignup and nolinks request parameters removed these links:
https://accounts.spotify.com/en/authorize?client_id=xxxx&redirect_uri=https:%2F%2Fapi.xxxx.com%2Fapi%2Fmobile%2Fspotify%2Fauthenticate%2Fcallback&scope=user-read-currently-playing&response_type=code&nosignup=true&nolinks=true
We're once again being rejected. We have an App Store icon appearing in the returned response, encouraging users to download the Spotify app. This is a violation of 'Guideline 3.2.2 - Business - Other Business Model Issues', imitating the functionality of the App Store! The above request parameters are undocumented from what I can see, and were found only by sniffing the traffic between existing apps.
Is there another request parameter to turn off this App Store logo or any other way to hide it?
In case anyone finds this in future...
We found that Spotify modifies the web authentication for different user agents. So if you browse to the auth screen in a desktop browser, you won't see the App Store logo appearing. How does this help the case above, where we're using mobile? Simple, override the user-agent header in the web request. Done!
We override with Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 and it works a charm.
We developed a website in which users can sign in using their google account. This works fine. A lot of people have shared our app link on Instagram.
The problem is, when users of Instagram click on our website link, the ios webview is used (internal browser in Instagram). This prevents people from signing in to our app and are presented the following error:
What's the solution to this?
I'm developing an enterprise application for one of our clients that utilises the GoogleSignIn SDK an a login option.
During development, I was surprised to see that support for the SFSafariViewController had been added meaning that I could streamline my login process by sharing Safari cookies.
This was all great until the client raised a critical issue being that once a user logs into the app (via Google and SFSafariViewController), they could log out of our application (including the GoogleSignIn SDK (see below))
func signOut() {
...
let signIn = GIDSignIn.sharedInstance()
signIn.signOut()
}
However the user remains signed into their Google account via Safari. Something that would be extremely helpful on a personal device but i've been informed that there is the potential for 20 people on a single site to be using a single device.
I've looked at setting allowsSignInWithBrowser and/or allowsSignInWithWebView to false however I cannot get it so that the SDK will use only a web view (such as UIWebView or WKWebView) where we can ensure that credentials will only be persisted within the application.
Is there such functionality to achieve this that I am missing? I think it could be quite critical in some use cases that such configuration is available.