Google OAuth 2.0 client ID authorization via embedded webview - android

Setup:
Website with Google login button
Backend: nodejs + express
Frontend: Google Sign-in for Web (I know it is deprecated and I need to upgrade) https://developers.google.com/identity/sign-in/web/build-button
There is NO additional native Android or iOS app available
Situation:
I have received an email from Google stating that my web application client ID is receiving OAuth requests within an embedded webview, and I need to make some changes to these webviews to avoid man-in-the-middle attacks. This is a similar email: https://groups.google.com/g/omegaup-soporte/c/xrspGg8T94o
The subject of this email is: "[Action Advised] Take action to continue using Google's OAuth authorization endpoint" and the first statement is "We detected requests to our OAuth 2.0 authorization endpoint from one or more of your OAuth client IDs within an embedded webview context in the past 30 days.".
Question:
As stated above, my application is a web app, how is it possible that OAuth requests from an embedded webview are received?

As you see, Google disagrees with using a webview.
Maybe you can build your own sign-in button with a Google icon and then add an onclick event that opens a popup window to solve this problem.
If you have any question, feel free to ask me.

Related

Integrating Google Sign-In with WebView in Android

Our Android app is a minimal wrapper around our mobile-friendly website. This is by design.
Google OAuth is one means by which users can authenticate. With the announcement that WebViews will be blocked from Google OAuth, we are now looking at how to move forward.
My current plan is:
1. Use a JavascriptInterface to invoke native code when someone clicks on the web app's Sign in With Google button
2. Use Google Sign In to authenticate the user on the mobile app side.
3. Somehow send this authentication to the web server. Should I just redirect the user to the existing oauth callback URL?
Step 3 is where I'm not sure what the best approach is. It's a Ruby on Rails application using Omniauth.
Are there any examples of integrating Google Sign In with an almost entirely WebView-based application? Is this approach the right way to go about it?
The solution described in Authenticate with a backend server sounds just like what you want to do in step 3, though without using the OAuth callback URL.
Unfortunately, I could not find any reference on how to use it with OmniAuth.

Web Api using Google authentication on Android / IOS

I followed the following guide on how to set up Web API with Google authentication.
Basically the Azure page has to redirect to Google and the Google login has to redirect back to an Azure page that gives an access token that I can put in a header to get data specific to that Google Account.
It works on Android when I use a WebView but apparently this is frowned upon for security issues and on iOS, Google blocks me from entering a password.
So my question is how do I do the same thing but without using a WebView? I tried implementing Google+ Sign In but I was only able to retrieve an authentication token and I don't know if this is useful at all.

Android facebook signin for Spring Social webapp

I'm currently developing a web application with Spring Social and Spring Security. In the web application, specific users can sign in on Facebook with ProviderSignInController. When staff members authenticate with FB successfully, they are programmatically signed in for my local webapp with Spring Security, too. This concept is adapted from the spring-social-showcase. Spring Social then enables authenticated users to create Events, which are also created on a Facebook page.
Now I want to write an Android app which enables users to post to my guestbook and view/create events via my web application. My question now is how to realize the sign-in from my Android app. On my web application, a UsersConnectionRepository maps Facebook accounts to local accounts. Can I simply reuse this data and sign in from my Android app in the exact same way as from the web application?
ProviderSignInController adds a path mapping for http://_webapp_/signin/facebook which redirects to a Facebook sign-in page. Can this simply be done with a WebView on Android?
Looking at the spring-android-facebook-client I'm confused. This example seems to manually manage the OAuth authentication. But I haven't figured out yet whether this is the way to go or just another possibility to implement it, when there is no other web application in the background that already manages the authentication.
Any feedback is welcome. Thanks.
Jeyp
Now I want to write an Android app which enables users to post to my guestbook and view/create events via my web application.
The Android client will need a method to sign in to your web application in order to post to a secured RESTful endpoint, and OAuth is a good method for doing this. Spring Security OAuth is an extension of Spring Security that can allow third party mobile or web clients to interact with your web site.
Once you have an OAuth server configured, you can create a custom provider using Spring Social within your Android client to establish an OAuth connection to your web site. Your users will authenticate to your web site with their local credentials in this case. Once connected, your Android app can then post events to RESTful endpoints within your web site, again using your custom Spring Social API bindings.
In this scenario, your users do not authenticate to Facebook from the Android application. This assumes they have already established an account and a connection to Facebook on your web site. And in fact, this is how the SpringSource Greenhouse reference application works.
This brings us back to a previous part of your question:
When staff members authenticate with FB successfully, they are programmatically signed in for my local webapp with Spring Security, too.
If I understand correctly, you are asking to authorize your Android client to access your third-party web site, with Facebook credentials. While this is certainly possible, it is not currently supported through Spring Social and Spring for Android.
Another option is to consider a mobile version of your web site. That way Android and other mobile devices can then simply sign in to your site just like from a normal browser, using their Facebook credentials. The UI would be more appropriate for mobile devices, and it would eliminate the extra complexity of an additional OAuth server/client configuration.
And finally, to address the last part of your question. This is really a separate issue from the previous parts:
This example seems to manually manage the OAuth authentication.
The primary issue is that Spring Social does not yet support Resource Owner Credentials Grant (ROCG). The addition of this feature would simplify the process of obtaining an access token for Facebook on Android, because you would not have to deal with a browser redirection. See this Spring Social issue for more information.
Because of the lack of ROCG, the Spring for Android sample app is illustrating one method for obtaining the access token using Spring Social. In this case, it is a modified version of the client-side authentication flow. For reference, Facebook has a helpful page describing all the available authentication methods. The webview redirects to a URL after successful authentication, at which point the app is able to retrieve the access token from this URL.
SpringSource is discussing how to simplify authentication and improve this part of the integration between Spring Social and Spring for Android in future releases.

Using google client API in android without account manager

I'm currently trying to write a task manager in Android which syncs with Google Tasks. The app uses the Google Client API along with AccountManager to communicate with Google servers. It works under Android. However, I want to run it under the Android player on the Blackberry PlayBook. Although the .apk file converts to a Blackberry application, it seems that AccountManager does not work under the PlayBook Android player as it is not tied to a Google account. I'm finding it difficult to communicate with the Google servers without the account manager. I've tried adding an account manually to the AccountManager but it also throws a security exception. I'm curious if there is any other way to log into Google services given a username and password (along with the API key for access)? Thanks
The AccountManager and the Google Play Services that both allow you to go through an OAuth 2.0 authorization flow with a native experience on Android (for Google APIs only) are only available on Google Experience devices. The Android Emulator of the Blackberry Playbook is likely not a Google Experience environment.
So in that case the best way is to implement an OAuth 2.0 flow by using a WebView. This is also the technique you need to use for non-Google APIs (Facebook, Microsoft, Salesforce, Dailymotion, ...)
Basically you will have to send your new users to a special URL in a WebView where Google (or the other OAuth 2 provider) will ask them to grant you access to the APIs requested. Then you will need to extract the auth code from the URL or from the content of the page once it has been generated and returned by Google's auth servers. The last step is to exchange that auth code for a refresh and an access token.
You need to read and understand how the OAuth 2.0 authorization flow works for installed applications: https://developers.google.com/accounts/docs/OAuth2#installed
The step-by-step process to do OAuth 2.0 with a WebView on Android is as follows:
1. Redirect users to the grant screen URL in an embedded WebView
2. Use http://localhost as the redirect URI
3. Register a WebViewClient with an onPageStarted method to intercept page changes
4. Detect successful/failed authorization by detecting redirects to http://localhost and read the auth code from the URL of the WebView
5. Finish the OAuth 2 flow by exchanging the auth code for tokens and save these tokens in a local database for further use
You can find an open-source sample that does this on Onavo's GitHub.

Best way to use Google APIs using OAuth 2.0 on Android

I'm trying to migrate an Android application using OAuth 1.0a to OAuth 2.0. (using the Google API Client Library for Java/Android for my OAuth 2.0 needs).
What is the best/preferred solution for accessing Google APIs using OAuth 2.0 on an Android platform that takes into account the usability aspect as well? The user should be able to authorize access in an easy way, seamlessly integrating with my Android app.
The application is currently using the OAuth 1.0 web-based flow, where my application pops a browser to let the user authorize access, and using a custom redirect URI, my application is capable of retrieving an access token. It works pretty well, but I didn't like the fact that I need to leave my app in order to pop a browser to display a webpage. I was thinking that OAuth 2.0 might work around this, and allow for a better user experience.
I started looking at the Android AccountManager-OAuth2 integration as outlined at Google IO, as it doesn't involve a web browser, and is more tightly coupled with Android, but it is simply not working the way it should. It's not documented, and unclear if it will remain a viable option for the future.
I've now started investigating the standard OAuth 2.0 web flow.
Here I seem to be having two options:
1. Configure the OAuth 2.0 client as an installed app, and use the urn:ietf:wg:oauth:2.0:oob redirect URI.
Not a very clean solution, as I'm not going to have my users copy-paste some code into my app. This is not user-friendly at all.
The Using OAuth 2.0 to Access Google APIs docs mention that there is some way of polling the title of the page to parse out the URL, but I also see a lot of usability issues with that, and don't really feel like writing this kind of plumbing code. If a client library exists that would do that for me, I'd be happy to investigate this further, but for now, I've dropped this option.
2. Configure the OAuth 2.0 client as a webapp, and use a redirect URI.
Here I noticed non-standard schemes are prohibited in OAuth 2.0. Before, it was possible to use something like xoauth://callback, but that's not allowed anymore.
When configuring a redirect URI like http://mysite.com/oauth2/callback, I'm unable to have Android open up my activity when the Google OAuth 2.0 page redirects, despite having set up a proper intent filter for it. The http://mysite.com/oauth2/callback is simply displayed in my browser.
The following does work:
Intent i = new Intent(Intent.ACTION_VIEW,Uri.parse("http://mysite.com/oauth2/callback"));
startActivity(i);
But when the Google OAuth 2 page redirects to that same URL, it is simply displayed in the browser.
Even if this would work, the user would still be presented with a chooser popup (open in browser or open using my Android Activity). From a usability perspective, this is also not acceptable.
I'm looking for a better solution than the ones outlined here.
Regards,
Davy
I ended up using a WebView component to load up the Google Authorization URL.
Using a WebViewClient, I was able to intercept the pages being loaded into the WebView, and as such, when the user accepts or denies the authorization request, I was able to continue the flow.
If the user accepts, the URL that Google redirects to contains a "code" request param, and the application is able to exchange it for an OAuth 2.0 token.
If the user does not accept, the URL that Google redirects to contains an "error" request param, and the application can handle the non-happy scenario.
I've written down everything in a blog post: OAuth 2.0 flow in Android
The post also contains a sample Android app using the OAuth 2.0 flow with the Latitude API. Sample code is available on GitHub.
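As an added example (not code from any answer above, nor from the linked blog post), this is the WebViewClient interception that both the step-by-step answer and the answer just above describe: it recognises the redirect to the http://localhost redirect URI, refuses to actually load it, and hands back either the "code" or the "error" parameter. It assumes a hypothetical class name and callback interface, and adds a check of the OAuth "state" parameter (sent by the caller in the authorization URL) so that a redirect the app did not initiate is rejected rather than exchanged for tokens.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical WebViewClient that catches the OAuth 2.0 redirect (example, not from the page). */
public class OAuthRedirectClient extends WebViewClient {
    // Redirect URI registered for the installed-app client, as in the answer above.
    private static final String REDIRECT_URI = "http://localhost";
    private final String expectedState;   // random value the caller put in the authorization URL
    private final Callback callback;

    public interface Callback {
        void onCode(String code);      // exchange for tokens off the UI thread
        void onError(String error);    // e.g. access_denied, state_mismatch
    }

    public OAuthRedirectClient(String expectedState, Callback callback) {
        this.expectedState = expectedState;
        this.callback = callback;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        if (!isRedirectUri(uri)) {
            return false;                  // Google's own pages load normally
        }
        String state = uri.getQueryParameter("state");
        String error = uri.getQueryParameter("error");
        String code = uri.getQueryParameter("code");
        if (state == null || !state.equals(expectedState)) {
            callback.onError("state_mismatch");   // not the request this app started
        } else if (error != null) {
            callback.onError(error);              // user declined or provider failed
        } else if (code != null) {
            callback.onCode(code);
        } else {
            callback.onError("missing_code");
        }
        return true;                       // never navigate the WebView to localhost
    }

    /** True when scheme and host match the registered redirect URI (ignores path and query). */
    static boolean isRedirectUri(Uri uri) {
        Uri registered = Uri.parse(REDIRECT_URI);
        return uri != null
                && registered.getScheme().equals(uri.getScheme())
                && registered.getHost().equals(uri.getHost());
    }
}
```

Attach it with webView.setWebViewClient(new OAuthRedirectClient(state, callback)) before loading the authorization URL; the same client handles the "code" and "error" cases the answer above distinguishes.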
Play Services were introduced at Google I/O 2013 and are now the official way to use OAuth2 in Android. They do not require a WebView.
