
Today I got the following email from Google:

We are writing to let you know that Google will discontinue support for sign-ins to Google accounts from embedded browser frameworks, starting January 4, 2021. We have detected the use of an embedded browser framework with one or more of your OAuth clients that may be blocked on or after January 4, 2021. Please review your use of Google Account authorization flows in the following Google OAuth client IDs and make any required changes before January 4, 2021:

This is strange, as my B2C web application isn't loaded in an embedded browser nor in a web view. It's not even a mobile app using an embedded browser or a web view. There's no embedded browser or web view at all where users could log in. My web application is just a simple public B2C "website" which does 2 things:

  • Users can log in by Google OAuth (Google Sign-In for Websites)
  • Automatic retrieval of YouTube data by using YouTube data API via cronjob by using OAuth tokens with offline access

So I'm wondering why I got this email. Advice is very much appreciated, as it seems Google plans to limit/block my Google API client ID and I'm a bit concerned my website will break.

Update 1:

  • On my development environment I've been testing Google One Tap Sign-In for half a year on localhost. Maybe this could be the reason?
  • I'm also using HotJar.com screen recording to optimize my website. The HotJar JavaScript dynamically generates invisible HTML iframes. Maybe this could be a reason?

Update 2:
The Google blog article about this topic describes that "The browser must have JavaScript enabled" and "The browser must identify itself clearly in the User-Agent" in order to do an OAuth Sign-In.

I'm wondering if a server-side API call to the YouTube Data API with an offline access token is considered an OAuth Sign-In (which it basically is). But offline access is made for API access without user interaction (a browser). So I think this should not be the problem, but who knows...

ninsky
  • Which web browser are users logging in with? That is the problem. – John Hanley Nov 17 '20 at 22:49
  • John, as I have thousands of users worldwide they're using the common web browsers. I can't imagine that this could be the root cause. Google is talking about an "embedded browser framework". This is something most commonly mobile apps are using... – ninsky Nov 18 '20 at 05:58
  • You can check this [blog post](https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html) to test your application or get some clues regarding your inquiry. – Alex G Nov 18 '20 at 09:24
  • Thanks. Already checked this blog article but it doesn't help as it's about embedded browsers. – ninsky Nov 18 '20 at 10:29
  • @ninsky are you using GA? You might be able to see what browsers your users are on; on our website some of them are logging in with "Android Webview", which I suspect is what is causing the warnings. – Paranoid Android Nov 18 '20 at 14:05
  • Mirko, 1.36% of my users are using Android Webview. I think in total not more than 2% use a Webview browser. If this were the cause it would be possible to nuke out websites by using some zombie Webviews. I suppose that I can't prevent my site from being loaded in a webview or embedded browser? I have to check this. – ninsky Nov 18 '20 at 14:12
  • @ninsky well, Android Webview IS an embedded browser; after the deadline those users will not be able to log in anymore, they will have to use a supported browser. So no extra work, I guess. – Paranoid Android Nov 18 '20 at 14:14
  • @mirko, this would be okay. My problem is that Google says "...with one or more of your OAuth clients that may be blocked on or after January 4, 2021...". Blocking my OAuth Client would affect all users of my website. Or did I get it wrong? – ninsky Nov 18 '20 at 14:17
  • @ninsky I guess it means they are blocking the login from the embedded browsers only, not all of them. I do not see the point in dropping the OAuth Client altogether, but I am just making assumptions. I am trying to get someone at Google to reply to me and will update with my findings. – Paranoid Android Nov 18 '20 at 14:19
  • @Mirko, that would be great! Thanks in advance – ninsky Nov 18 '20 at 14:21
  • @Mirko Did you get any update from the Google folks? Even I have got the same mail for my website. Any help would be great. – Apoorva Gupta Nov 25 '20 at 12:37
  • @ApoorvaGupta I am afraid I was not able to get anyone at Google to reply to me... – Paranoid Android Nov 25 '20 at 13:55
  • Good news! Today is January 6th. It turned out that nothing happened to regular users (not in embedded browsers). – ninsky Jan 06 '21 at 11:59
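The comment thread above settles on checking Google Analytics for "Android Webview" sign-ins. The same measurement can be taken from a server's own access log, which shows exactly which OAuth callbacks arrived from an embedded browser. The following script is an added example and is not part of the question or any answer: it classifies User-Agent strings with the well-known embedded-browser markers (the `; wv` token of the Android System WebView, the missing `Safari/` product token of an iOS WKWebView, the `FBAN`/`FBAV`/`Instagram` tokens of in-app browsers) and reports the share of sign-ins that would be affected. The log lines, the `/auth/google/callback` path and the token rules are constructed illustrations and heuristics, not Google's own detection logic.

```python
import re
from collections import Counter

# Constructed sample access-log lines ("<timestamp> <path> <user-agent>").
# These are illustrative user agents, not real traffic from any site.
SAMPLE_LOG = """\
2020-11-18T14:05:01Z /auth/google/callback Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
2020-11-18T14:05:09Z /auth/google/callback Mozilla/5.0 (Linux; Android 10; SM-G960F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.110 Mobile Safari/537.36
2020-11-18T14:05:15Z /auth/google/callback Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1
2020-11-18T14:05:22Z /auth/google/callback Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148
2020-11-18T14:05:30Z /auth/google/callback Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/290.0.0.0.0]
2020-11-18T14:05:41Z /auth/google/callback Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
"""

# Heuristic markers (assumptions of this example, not an official list):
#  - Android System WebView announces itself with "; wv)" and the "Version/4.0" pair.
#  - Facebook/Instagram in-app browsers add FBAN/FBAV/Instagram tokens.
#  - A WebKit UA on iPhone/iPad/iPod without a "Safari/" token is a WKWebView/UIWebView.
ANDROID_WEBVIEW = re.compile(r"Android.*(; wv\)|Version/4\.0)")
IN_APP_BROWSER = re.compile(r"FBAN|FBAV|Instagram")
IOS_DEVICE = re.compile(r"\((iPhone|iPad|iPod)[;)]")


def classify_user_agent(ua: str) -> str:
    """Return 'browser', 'android-webview', 'ios-webview', 'in-app-browser' or 'unknown'."""
    if not ua or not ua.startswith("Mozilla/"):
        return "unknown"  # blank or non-standard UA: not clearly identified
    if IN_APP_BROWSER.search(ua):
        return "in-app-browser"
    if ANDROID_WEBVIEW.search(ua):
        return "android-webview"
    if IOS_DEVICE.search(ua) and "AppleWebKit" in ua and "Safari/" not in ua:
        return "ios-webview"
    return "browser"


def parse_log_line(line: str):
    """Split '<timestamp> <path> <user-agent>' into its three fields (None if malformed)."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def summarize_logins(log_text: str, callback_path: str = "/auth/google/callback") -> dict:
    """Count OAuth callback hits per browser class and the share from embedded browsers."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        _, path, ua = parsed
        if path != callback_path:  # only the sign-in redirect, not every page view
            continue
        counts[classify_user_agent(ua)] += 1
    total = sum(counts.values())
    embedded = counts["android-webview"] + counts["ios-webview"] + counts["in-app-browser"]
    return {
        "counts": dict(counts),
        "total": total,
        "embedded_fraction": embedded / total if total else 0.0,
    }


if __name__ == "__main__":
    summary = summarize_logins(SAMPLE_LOG)
    for cls, n in sorted(summary["counts"].items()):
        print(f"{cls:16s} {n}")
    print(f"embedded share: {summary['embedded_fraction']:.1%}")
```

On the constructed sample, three of the six callbacks come from a regular browser and three from embedded ones (one Android WebView, one bare iOS WebKit view, one Facebook in-app browser), so the embedded share is 50%. The "Android Webview" browser label that Google Analytics shows is derived from the same `; wv` token, so running this over real logs gives the per-client figure the comments were estimating; User-Agent matching is a heuristic, so a few percent of misclassification either way should be expected, and a blocked sign-in in the Google flow itself remains the authoritative signal.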

2 Answers

Update: on Google Analytics we see that some of our users are logging in with "Android Webview" which might be the cause of these warning emails. We are still looking into it though.

We got the same email and we are baffled.

We have a Cordova app on Android and iOS which has been using the native auth flow for years so we do not think that is the problem.

We also have a companion website with the standard Google Sign In.

Ideas are welcome

Paranoid Android

We got the same message and we are also using Google-Sign-In with OAuth2 from a browser.

Like @ninsky I also doubt it is related to web browsers, because we use the webflow with Javascript suggested by Google.

I suspect though that it may be related to "Progressive Web Apps" (PWA). If you have a service worker on your website, your website becomes a PWA and can be installed when the user "bookmarks" your website to homescreen.

In addition, we also added our website to the Google Play Store, using TWA (Trusted Web Activity). All supported by Google. So our website, which is basically also a Progressive Web App, can now be downloaded on the Google Play Store.

But since everything uses a system browser in the background, it is not clear to us what we are doing wrong.

Any ideas?

user3176455
  • Are you using GA? You might be able to see what browsers your users are on; on our app some of them are logging in with "Android Webview", which I suspect is what is causing the warnings. – Paranoid Android Nov 18 '20 at 14:05
  • @Mirko 1% are using Android Webview. We are using the regular Google Sign-In with Javascript, described here: https://developers.google.com/identity/sign-in/web/reference I still don't know why we got this message. No idea where to start to debug. Anyone found more info on the console? – user3176455 Nov 18 '20 at 14:51
  • Well, Android Webview IS an embedded browser and those users will not be able to log in after the deadline. I am still trying to contact someone at Google about it. – Paranoid Android Nov 18 '20 at 14:56
  • So the regular Google Sign-In with Javascript (the link I put above), will stop working? – user3176455 Nov 18 '20 at 15:46
  • Only for the Webview users, as far as I know – Paranoid Android Nov 18 '20 at 16:02
  • Wouldn't this potentially break all Cordova type apps (those that frame a webview)? Feels like a pretty major breaking change... – penguinflip Nov 18 '20 at 16:18
  • Yes, I understood it in the same way: it will work for regular browsers. However, what I find confusing is that their blog has a link that says "use browser-based OAuth 2.0 flows", which then points to a document titled "OAuth 2.0 for Mobile & Desktop Apps". Google Sign-In is also a browser-based login flow. – user3176455 Nov 18 '20 at 16:28
  • @penguinflip you are correct; on Cordova you need to use native OAuth via a plugin like https://github.com/EddyVerbruggen/cordova-plugin-googleplus The old way was to use an embedded browser, but that does not work anymore. – Paranoid Android Nov 19 '20 at 15:02