11

Situation:

I have received an email from Google stating that my web application client ID is receiving OAuth requests within an embedded webview, and I need to make some changes to these webviews to avoid man-in-the-middle attacks. This is a similar email: https://groups.google.com/g/omegaup-soporte/c/xrspGg8T94o

The subject of this email is: "[Action Advised] Take action to continue using Google's OAuth authorization endpoint" and the first statement is "We detected requests to our OAuth 2.0 authorization endpoint from one or more of your OAuth client IDs within an embedded webview context in the past 30 days.".

Question:

As stated above, my application is a web app. How is it possible that OAuth requests from an embedded webview are received?

JShinigami
  • Your first question makes no sense. Try to update your question into an answerable problem. For your second question, no you cannot access Google authentication logs. To help you solve your problem, rewrite your entire post into a software problem. https://stackoverflow.com/help/how-to-ask – John Hanley Oct 18 '22 at 09:59
  • This link might also help: https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html – John Hanley Oct 18 '22 at 10:49
  • Make sure your application is opening the authorization window in the default browser on the device. please add your code – Linda Lawton - DaImTo Oct 18 '22 at 15:13
  • Thank you for your comments, I have edited the question, I hope my situation is clearer now. – JShinigami Oct 19 '22 at 06:58
  • @JShinigami what did you find out? I have a feeling someone is loading my site in an iframe or something to allow such a thing to occur. – Kevin Danikowski Mar 28 '23 at 16:33
  • I got the same email today and my application is a web app too. I guess someone is embedding my website in their app. It is hard to find out whether an action has to be taken if you only have a web app. – Luis Rodriguez Mar 28 '23 at 19:24
  • I received the same email and wonder if it has to do with the Facebook app (or another app with the same behavior): when a user using the Facebook app clicks on a link to our website, it opens inside the Facebook app and from there, the user would sign in with Google. – sglessard Mar 29 '23 at 21:25
  • I received again the same email yesterday. I did not find out more. The assumption regarding e.g. facebook app sounds realistic in my case. – JShinigami Mar 30 '23 at 05:02
  • I have received the same email and I also have a webapp. It looks like we don't have to take any action here? – Domingo Apr 02 '23 at 15:36

1 Answer

2

I am in a similar situation. We have no explicitly supported login flows in embedded webviews. What I discovered was that this flow can be triggered by a user in an embedded webview from a different app navigating to your website and attempting to log in.

You can test this scenario yourself in a browser by faking your user agent to be one from an embedded webview. Example: Mozilla/5.0 (Linux; Android 13; SM-G986U1 Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/111.0.5563.116 Mobile Safari/537.36 WEBVIEW TEST/1.3.1.106 (Phone; anonymous)

You can't really prevent someone from attempting to navigate to your site from another app's webview, but this at least explained why we received the email despite not supporting a specific webview auth flow.

Chris
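The answer above explains that the "embedded webview" requests come from other apps' in-app browsers loading your site, and that you can reproduce it by faking the user agent. The following is an added example, not code from the question or the answer: a small client-side classifier that a web app can run before starting the Google sign-in redirect, so that users inside an in-app webview are shown an "open in your browser" hint instead of being sent to an authorization endpoint that will reject them. The token heuristics (Android WebView's "; wv)" marker, the missing "Safari/" token in iOS WKWebView, Facebook's "FBAN"/"FBAV" tokens) are assumptions about common user-agent formats, not rules published by Google, and all sample user agents except the first one (quoted from the answer) are constructed for this example.

```javascript
// Added example (not from the question or answer above): classify a
// User-Agent string as "embedded webview" or "real browser" so a web app
// can decide whether to start the Google OAuth redirect at all.
//
// Heuristics (assumptions about UA formats, not Google's rules):
//  - Android System WebView adds a "; wv)" token inside the platform
//    parentheses (the UA quoted in the answer above has it).
//  - iOS in-app webviews (WKWebView) report AppleWebKit + "Mobile/" but
//    omit the "Safari/<ver>" token that real iOS browsers append.
//  - Some social apps tag their in-app browser, e.g. Facebook's
//    "FBAN/" or "FBAV/" tokens, or an "Instagram" token.

const WEBVIEW_PATTERNS = [
  { name: 'android-webview', re: /;\s*wv\)/ },
  { name: 'facebook-in-app', re: /\bFB(AN|AV)\b/ },
  { name: 'instagram-in-app', re: /\bInstagram\b/ },
];

// Returns { webview: boolean, reason: string } for a UA string.
function classifyUserAgent(ua) {
  if (typeof ua !== 'string' || ua.length === 0) {
    // No UA at all: treat as a normal browser; Google will still reject a
    // real webview server-side, we only lose the friendlier hint.
    return { webview: false, reason: 'no-user-agent' };
  }
  for (const { name, re } of WEBVIEW_PATTERNS) {
    if (re.test(ua)) return { webview: true, reason: name };
  }
  // iOS in-app webview heuristic: WebKit on an iOS device without the
  // "Safari/" token that Safari and every other iOS browser include.
  const iosDevice = /\b(iPhone|iPad|iPod)\b/.test(ua);
  if (iosDevice && /AppleWebKit\//.test(ua) && !/\bSafari\//.test(ua)) {
    return { webview: true, reason: 'ios-wkwebview' };
  }
  return { webview: false, reason: 'browser' };
}

// What the "Sign in with Google" button should do for this UA. Returns the
// decision instead of performing it so it can be tested without a DOM.
function loginAction(ua) {
  const result = classifyUserAgent(ua);
  return result.webview
    ? { action: 'show-open-in-browser-hint', reason: result.reason }
    : { action: 'redirect-to-google-oauth', reason: result.reason };
}

// Sample user agents. androidWebview is the one quoted in the answer above;
// the rest are constructed for this example.
const SAMPLE_UAS = {
  androidWebview:
    'Mozilla/5.0 (Linux; Android 13; SM-G986U1 Build/TP1A.220624.014; wv) ' +
    'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/111.0.5563.116 ' +
    'Mobile Safari/537.36 WEBVIEW TEST/1.3.1.106 (Phone; anonymous)',
  androidChrome:
    'Mozilla/5.0 (Linux; Android 13; SM-G986U1) AppleWebKit/537.36 ' +
    '(KHTML, like Gecko) Chrome/111.0.5563.116 Mobile Safari/537.36',
  iosSafari:
    'Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) ' +
    'AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Mobile/15E148 Safari/604.1',
  iosWkWebView:
    'Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) ' +
    'AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148',
  facebookInApp:
    'Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) ' +
    'AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 ' +
    '[FBAN/FBIOS;FBAV/405.0.0.24.110;FBDV/iPhone14,2]',
  desktopFirefox:
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0',
};

// In a page you would call loginAction(navigator.userAgent) from the
// sign-in button's click handler. Here we just tabulate the samples.
for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  const { action, reason } = loginAction(ua);
  console.log(`${label.padEnd(16)} -> ${action} (${reason})`);
}
```

The classifier only changes what the page shows; it is not a security control. A user can still reach your site from any app's webview, and whether the authorization request is accepted is decided by Google's endpoint, not by this check. Its value is in explaining the email and giving those users a working path (open in the system browser) rather than a dead end.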