16

I integrated Auth0 login in my Android application. For this integration I am following this guide: https://auth0.com/docs/libraries/lock-android

It worked fine previously, but now I am facing 403 disallowed user when I click on Google.

While searching on Google I found this: since April 20, Google decided to block access from embedded WebViews for security purposes; that's why Auth0 login with Google fails.

iOS guys fixed the same issue using:

but I didn't find this for Android.

How can I resolve this? Does anyone have an idea on this?

my piece of code:

compile 'com.auth0.android:lock:2.+'

Auth0 auth0 = new Auth0(getString(R.string.auth0_client_id), getString(R.string.auth0_domain));
mLock = Lock.newBuilder(auth0, mCallback)
        // Add parameters to the builder
        .closable(true)
        .build(this);
startActivity(mLock.newIntent(this));

// Named mCallback so that it matches the reference passed to Lock.newBuilder() above
private LockCallback mCallback = new AuthenticationCallback() {
    @Override
    public void onAuthentication(Credentials credentials) {
        // Authenticated
    }

    @Override
    public void onCanceled() {
        // User pressed back
    }

    @Override
    public void onError(LockException error) {
        // Exception occurred
    }
};

manifest:

<activity
  android:name="com.auth0.android.lock.LockActivity"
  android:label="@string/app_name"
  android:launchMode="singleTask"
  android:screenOrientation="portrait"
  android:theme="@style/MyLock.Theme">
    <intent-filter>
      <action android:name="android.intent.action.VIEW" />

      <category android:name="android.intent.category.DEFAULT" />
      <category android:name="android.intent.category.BROWSABLE" />

      <data
        android:host="quikdeal1.auth0.com"
        android:pathPrefix="/android/{YOUR_APP_PACKAGE_NAME}/callback"
        android:scheme="https" />
    </intent-filter>
</activity>


NareshRavva

7 Answers

16

Since Google blocks requests from a WebView, we need to set a user agent ourselves before making the request.

Using a hard-coded fake user agent as given in other answers has a disadvantage. Gmail sends email to the user telling that their account has been logged in from a particular device (which is not their device, and may lead to suspicion).

Using the System's default user agent worked for me.

webView.getSettings().setUserAgentString(System.getProperty("http.agent"));
Nabin Bhandari
  • 1
    What does http.agent mean? Should it be https.agent? Can you please elaborate on this – Manoj Perumarath Apr 22 '20 at 05:47
  • 3
    @ManojPerumarath "The HTTP headers User-Agent is a request header that allows a characteristic string that allows network protocol peers to identify the Operating System and Browser of the web-server [src: https://www.geeksforgeeks.org/http-headers-user-agent/ ]". To my knowledge, HTTPS also uses HTTP headers. So, using `http.agent` should be fine as it is just a key to retrieve the required system property. – Nabin Bhandari Apr 22 '20 at 12:27
  • 1
    This works! Using this, Gmail also sends the security alert email though, but it looks way better than hardcoding a user agent – moyo Feb 25 '22 at 10:21
  • This method worked, but I am getting a very strange, super simplified version of the login page. I think this is because server-side detection cannot detect the web engine version and provides a very simplified layout. I added an alternative way in my answer: https://stackoverflow.com/a/72642783/6124347 – Дмитрий Пупкинг Jun 16 '22 at 08:43
11

As you said, Google decided to block access from embedded WebViews. The same happened to me, and I just set the user agent myself. It looks like this:

public static final String USER_AGENT_FAKE = "Mozilla/5.0 (Linux; Android 4.1.1; Galaxy Nexus Build/JRO03C) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19";

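@Override
protected void onCreate(Bundle savedInstanceState) {
    // Activity.onCreate() must call through to the superclass
    super.onCreate(savedInstanceState);
    // webView must already be assigned (for example from the inflated layout)
    webView.getSettings().setUserAgentString(USER_AGENT_FAKE);
}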
OShiffer
  • Hey, thanks man, but my piece of code is Auth0 auth0 = new Auth0(getString(R.string.auth0_client_id), getString(R.string.auth0_domain)); mLock = Lock.newBuilder(auth0, mCallback) //Add parameters to the builder .closable(true) .build(this); startActivity(mLock.newIntent(this)); I don't have a webview variable in my source code – NareshRavva May 15 '17 at 07:16
  • Sorry, I don't know this library... try to find a way to set the user agent manually. – OShiffer May 15 '17 at 07:25
8

It worked for me:

private WebView mWebView;

public static final String USER_AGENT = "Mozilla/5.0 (Linux; Android 4.1.1; Galaxy Nexus Build/JRO03C) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19";

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    // mWebView must be assigned (for example from the inflated layout) before this call
    mWebView.getSettings().setUserAgentString(USER_AGENT);
}
Vishal Yadav
3

Another more attractive way is to remove the WebView wv flag from the real WebView's UserAgent.

According to the Chrome for Android User-Agent Strings documentation:

WebView UA in Lollipop and Above

In the newer versions of WebView, you can differentiate the WebView by looking for the wv field as highlighted below.

Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv)
AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36

So you should set User Agent like this:

    webView.getSettings().setUserAgentString(
            webView.getSettings().getUserAgentString().replace("; wv)", ")")
    );

As a result, all important information about device OS, the version of the web engine used in WebView is left for statistics and cross-platform layout, if the site uses it. The page opened in WebView will be displayed as correctly as possible.

Also please note that this approach is relevant if your minSdk is 21. For older versions there is another User-Agent string template (described in the above link).
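
A server-side view of the `wv` check quoted above, as an added example that is not part of the original answer or of the Chrome documentation. It also applies the `Version/X.X` marker that the same documentation gives for older WebView templates; the function name, verdict labels and sample dictionary are assumptions made for illustration.

```python
import re

# Markers described in the Chrome for Android User-Agent Strings documentation:
#   "wv" field in the platform parentheses -> WebView on Lollipop and above
#   "Version/X.X" token                    -> WebView on KitKat and older
_PLATFORM = re.compile(r"\(([^)]*)\)")
_VERSION = re.compile(r"\bVersion/\d+\.\d+")


def classify_android_ua(ua):
    """Return (verdict, reason) for a User-Agent header value.

    The header is client-supplied, so the verdict is a heuristic signal only.
    """
    platform = _PLATFORM.search(ua or "")
    fields = [f.strip() for f in platform.group(1).split(";")] if platform else []
    if not any(f.startswith("Android") for f in fields):
        return ("not-android", "no Android platform field")
    if "wv" in fields:
        return ("webview", "wv field")
    if _VERSION.search(ua):
        return ("webview", "Version/X.X token")
    return ("browser", "no WebView marker")


# Sample headers: the first two are strings quoted on this page, the third is
# constructed for the example.
SAMPLES = {
    "lollipop_webview": "Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) "
                        "AppleWebKit/537.36 (KHTML, like Gecko) "
                        "Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36",
    "hardcoded_chrome": "Mozilla/5.0 (Linux; Android 10; SM-J105H) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Chrome/91.0.4472.164 Mobile Safari/537.36",
    "desktop_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
}
# Same string transformation as the Java snippet above, applied to the first sample.
SAMPLES["wv_removed"] = SAMPLES["lollipop_webview"].replace("; wv)", ")")

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(name, classify_android_ua(ua))
```

The `wv_removed` sample is still classified as a WebView, because the `Version/4.0` token remains in the string.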

1

Google to block web views from using its OAuth. Reference link

You need to do OAuth through native code, or use some alternative to WebView.

Furqan
1

As mentioned by @OShiffer, you need to add a fake user agent, but that one is now outdated, so you have to use a new one instead. Use this one:

public static final String USER_AGENT = "Mozilla/5.0 (Linux; Android 10; SM-J105H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Mobile Safari/537.36";
Savithu
0

FYI, I ran into this same issue and struggled with it for a while before realizing that a lot of Android simulators do not come with a valid default browser installed. Simply using a device that had Chrome installed fixed this bug for me. See this really well-detailed answer here: https://github.com/FormidableLabs/react-native-app-auth/issues/716

  • Please do not provide links in an answer, if you want to use links please mark the question as duplicate and use a comment to provide the link. – Yunfei Chen Jun 23 '22 at 03:27