Closed jasonstephen15 closed 1 year ago
@federicorosso1993 - thanks for setting me straight on what you and @markismail7 have been saying, namely, a protected popup coming out of the webview flow, now i get it... @markismail7 - apologies for being patronizing =)
weird you can't play past 0:49 on video, i just checked it again... maybe retry in a fresh session or something... this extension still seemed to work just now for downloading youtube videos as a last resort
yes, i can totally login without the api flow... i can go straight to youtube in the webview2 (triple checked by clearing all my session cookies via debug window) and google will prompt for login and lets me right in
i guess i'm going to keep implementing this direction with fingers crossed... worst case i will pull true msedge.exe windows into my app panels via win32 setparent window handle api calls... done it before, with windows explorer, and that code still works on win11 just fine and i really doubt they could ever disable that brute force approach.
If you can log in without the api flow I think that they will just block the new version in the future. Like they say here: https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html?m=1 they will block all webviews... If the webview2 was updated to avoid this problem I think microsoft would update this (I think it is just google that is "late"). Maybe we can ask @champnic if that "System Webview" that he was talking about in #1669 will be implemented in the next few releases, if that's the case it is only a matter of updating the edge version/webview2 framework (not sure if windows 11 is required).
The other solution can be ok, but you cannot use it like a real webview (I'm not even sure you can implement a way to get cookies from there for my app to work). Finally for the youtube video I did not mean I cannot watch the youtube video after 0:49, I mean we can reach that point in the authorization flow (unlike you said in the video) and not the page after that.
PS. Here there is a guy with a problem with google meet sharing screen https://github.com/MicrosoftEdge/WebView2Feedback/issues/1809
so he should be logged in... Maybe they actually fixed this in the last release... (here another guy asking what's new in the last release) https://github.com/MicrosoftEdge/WebView2Feedback/issues/1807
@jarno9981 - i'm seeing the same working behavior in google's wpf sample with webview2 v1.0.992.28 (which is a .net framework 4.6.1 project) as well as another fresh .net 5 pet project with webview2 v1.0.1018-prerelease.
i have currently msedge v94.0.992.38 and msedge dev v96.0.1032.0... the release notes talk about webview2 browser version dependencies.
@federicorosso1993 - thanks for setting me straight on your mention of what step in the oauth flow, that makes sense now.
i'm curious how much anyone has explored the cookie manager api? https://docs.microsoft.com/en-us/microsoft-edge/webview2/reference/win32/icorewebview2experimentalcookiemanager?view=webview2-1.0.674-prerelease#getcookies
I have webview2 pre-release 1.0.1018-prerelease @Beej126
@federicorosso1993 et al - Unfortunately we don't currently have a timeline yet for the System WebView2.
@champnic Is it possible that Microsoft is working on a solution with Google to solve this issue?
@jasonstephen15 @champnic @Beej126 @Tochibee
fixed it, i can login now with my google account on latest version with this code (C#):

```csharp
// Requires: using System; using System.Threading; using Microsoft.Web.WebView2.Core;
private void newWeb_NavigationStarting(object sender, CoreWebView2NavigationStartingEventArgs e)
{
    BtnRefresh.Image = FireBrowser.Properties.Resources.icons8_delete_32;
    BtnRefresh.Enabled = false;
    ThreadPool.SetMinThreads(2, 2);
    var settings = newWeb.CoreWebView2.Settings;
    // Note: Oversimplified test. Need to support idn, case-insensitivity, etc.
    if (new Uri(e.Uri).Host == txtUrl.Text)
    {
        // Override the user agent when the target host matches the address box text.
        settings.UserAgent = GetMobileUserAgent();
    }
}

private string GetMobileUserAgent()
{
    return "Chrome";
}
```
above
manage account fully working and returning info
gmail tested : OK
YOUTUBE : OK - VERIFY PREMIUM RETURNED
```csharp
// Requires: using System; using System.Threading; using Microsoft.Web.WebView2.Core;
private void newWeb_NavigationStarting(object sender, CoreWebView2NavigationStartingEventArgs e)
{
    BtnRefresh.Image = FireBrowser.Properties.Resources.icons8_delete_32;
    BtnRefresh.Enabled = false;
    ThreadPool.SetMinThreads(2, 2);
    var settings = newWeb.CoreWebView2.Settings;
    // Note: Oversimplified test. Need to support idn, case-insensitivity, etc.
    if (new Uri(e.Uri).Host == txtUrl.Text)
    {
        // Host matches the address box text: use the first override string.
        settings.UserAgent = GetMobileUserAgent();
    }
    else
    {
        // Any other host: use the second override string.
        settings.UserAgent = GetDesktopUserAgent();
    }
}

private string GetDesktopUserAgent()
{
    return "old";
}

private string GetMobileUserAgent()
{
    return "Chrome";
}
```
trigger 2 useragents then you get old login screen and then you can login
```csharp
var settings = newWeb.CoreWebView2.Settings;
if (FireBrowser.Properties.Settings.Default.googleOn == true)
{
    if (new Uri(e.Uri).Host == txtUrl.Text)
    {
        settings.UserAgent = GetMobileUserAgent();
    }
    else
    {
        settings.UserAgent = GetDesktopUserAgent();
    }
}
else
{
}
// Note: Oversimplified test. Need to support idn, case-insensitivity, etc.
```
added trigger event for sites after login trigger to new design and stay logged in
@jarno9981, thanks for sharing! i'll be honest, i don't really understand the core idea of this approach yet (is it really as simple as setting the useragent twice, to 2 different strings?) ... but i'm just glad to see using webview2 for authenticated google pages is something i can count on... i have started several pet projects in this direction.
@Beej126 it works, only annoying thing is it goes to google old page and after re-opening tab it goes back to new page, but it's working, i am ok with it so long as it works
@jarno9981 you sir are a genius really. I don't even know how you actually were able to solve this with an easy fix like this one. For everybody you actually only need two lines of code:

```csharp
var settings = webView.CoreWebView2.Settings;
settings.UserAgent = "Chrome";
```

where webView is of course the variable of your webview. Not sure if this is just a workaround that google will "fix" in the future or an actual fix, but it's working. Let's hope google will not break it before microsoft makes that System WebView2.
@federicorosso1993 - thanks for boiling that down! ... it's funny you were sure the user agent was not involved =)
> @federicorosso1993 - thanks for boiling that down! ... it's funny you were sure the user agent was not involved =)
that's because I tried to change it with the chrome one, and the edge one... but the user agent was actually always the same... I didn't know there was a workaround like this where you set the useragent to just "Chrome" and it works. It does not even make sense that a real user agent like this "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 OPR/80.0.4170.63" it's not working, but something like "Chrome" works
@Beej126 While this is a workaround for now, Google's stance is to block WebView2 from authenticating. If they are able to, they will almost certainly find a way to block this workaround. I don't think this is something you can count on :(
@champnic For the love of God, let Microsoft do something about this. Make WebView2 exactly like Edge Chrome. Why are you giving the option to Google to decide. This problem is not good for business for Microsoft or us. We can't build projects if we can't use sign in with Google.
> @Beej126 While this is a workaround for now, Google's stance is to block WebView2 from authenticating. If they are able to, they will almost certainly find a way to block this workaround. I don't think this is something you can count on :(
I agree, so please make sure to make that system webview2 soon. We really need that.
@champnic Google is claiming security is an issue. That's a lie. It's not about security. Google knows webview2 is troubling for them. Microsoft needs to take harsh actions. This is war between Google and Microsoft. And so far Microsoft has been letting Google off the hook.
@federicorosso1993
Use fixed runtime webview2
```csharp
private void newWeb_NavigationStarting(object sender, CoreWebView2NavigationStartingEventArgs e)
{
    BtnRefresh.Image = FireBrowser.Properties.Resources.icons8_delete_32;
    BtnRefresh.Enabled = false;
    ThreadPool.SetMinThreads(2, 2);
    var settings = newWeb.CoreWebView2.Settings;
    // Note: Oversimplified test. Need to support idn, case-insensitivity, etc.
    if (new Uri(e.Uri).Host == txtUrl.Text)
    {
        settings.UserAgent = GetMobileUserAgent();
    }
    else
    {
        settings.UserAgent = GetDesktopUserAgent();
    }
}

private string GetDesktopUserAgent()
{
    return "old";
}

private string GetMobileUserAgent()
{
    return "Chrome";
}
```
trigger 2 useragents then you get old login screen and then you can login
@federicorosso1993 @champnic
I can supply working example that i have then you can try
@jarno9981 you don't understand, I already tried and it's working. I'm just not sure it will last. Also you don't really need that "old" user agent, you can just save the user agent settings.UserAgent in a string and go back to that if you are not on the login page.
> @jarno9981 you don't understand, I already tried and it's working. I'm just not sure it will last. Also you don't really need that "old" user agent, you can just save the user agent settings.UserAgent in a string and go back to that if you are not on the login page.
Okay
@federicorosso1993 I tried that code, it kept giving me null pointer exception. I'm using the latest production version of webview2 var settings = webView.CoreWebView2.Settings settings.UserAgent = "Chrome"
> @federicorosso1993 I tried that code, it kept giving me null pointer exception. I'm using the latest production version of webview2 var settings = webView.CoreWebView2.Settings settings.UserAgent = "Chrome"

You need to make sure the webview is fully rendered one time
My current code (XAML):

```xml
<wv2:WebView2 Name="webView" NavigationStarting="webView_NavigationStarting"/>
```

C# code:

```csharp
private string originalUserAgent = "";

private void webView_NavigationStarting(object sender, CoreWebView2NavigationStartingEventArgs e)
{
    // Note: Contains() matches any host that includes this string, not only accounts.google.com itself.
    if (new Uri(e.Uri).Host.Contains("accounts.google.com"))
    {
        if (webView.CoreWebView2 != null)
        {
            var settings = webView.CoreWebView2.Settings;
            // Remember the real user agent before overriding it.
            if (settings.UserAgent != "Chrome")
                originalUserAgent = settings.UserAgent;
            settings.UserAgent = "Chrome";
        }
    }
    else
    {
        if (webView.CoreWebView2 != null)
        {
            var settings = webView.CoreWebView2.Settings;
            // Restore the saved user agent once navigation leaves the login host.
            if (settings.UserAgent == "Chrome")
                settings.UserAgent = originalUserAgent;
        }
    }
}
```

It will only switch to the working user-agent when you are on the google login page
@markismail7 - as much as i hate to admit, i think google's man-in-middle concern is legit... i've started coding hacks on top of having this much control over injecting whatever we want into a page and it's pretty amazing...
forgive my soapbox...
a dramatic example for me: we can trap each individual request for javascripts that a page makes, then for example, go obtain that script in our code, doctor it up however we want, and then deliver it to the page "none the wiser"... i'm doing this here...
i'm no super security expert, but seeing what i can readily do as a custom app author sitting in the middle between unsuspecting users and their sensitive sites, it's pretty spooky... i personally would never use an app like this that wasn't my own making... and that's the thing, users just wouldn't know what the app author is doing... of course there's avenues like app stores have their vetting process to establish trust, but that's where us app authors are back at the mercy of a 3rd party and a lot of times they just completely punt and say none of this stuff is allowed and we're forced with external browser anyway.
for me the sweet spot with webview2 is i can make my own custom apps that become cool hybrids of existing sites plus my own enhancements... but as far as thinking of embedded web browser apps used by end users, i don't see the safe path.
these kinds of customized website enhancements are by-the-way, very much like what tamper/greasemonkey browser plugins provide... but those are readily inspectable what they're doing since they're just text scripts
@Beej126 The main problem is that google did not solve the problem, they made another one. The way to solve this on google's part was to make the user aware of the possible security problem and make them authorize the webview in a different way (for example with a password app, or by asking to connect to a real browser). They could even ask us developers to make an oauth call but they should tell us where to use that code to authorize a webview to navigate logged in. Another solution would be to just ask microsoft and other webview creators to system webview (a more limited windows on log in page). I can understand the security concern but I don't like that they just disable the log in on a webview without finding a possible solution to avoid problems for people that need to use it. There is not even a real reason to do that since there are so many ways to solve this problem. At least if I make an app I should be able to trust it, it's really stupid that I cannot even trust my own app.
A simple fix solves it for now
@Beej126 @federicorosso1993 @jarno9981 You guys are awesome. It works. I fucking love you all. I know it's temporary. Till you figure it out. It's an amazing solution. You made my day. When it comes to security, there is always going to be a problem. And that's not our problem. That's Google's problem. Let them fix their websites. It's their responsibility to make sure hackers can't do damage, not by blocking a browser completely and ignoring us. In 1998, google creators were working from their bedroom. Now they're big and trying to stop the small guy from creating their own browser which could become the main browser one day.
while you guys have your sample apps all warmed up... can anybody confirm for me that "chrome" really is the only user agent string that works for now? not just any random string?
@Beej126
> while you guys have your sample apps all warmed up... can anybody confirm for me that "chrome" really is the only user agent string that works for now? not just any random string?

As far as i know, old and chrome work
Old, why i don't know; Chrome sounds more real
But tomorrow i will try random strings

> while you guys have your sample apps all warmed up... can anybody confirm for me that "chrome" really is the only user agent string that works for now? not just any random string?

tried with a "stupid" useragent and it's working so it just needs to be a fake useragent to work.
@federicorosso1993 lol
@federicorosso1993
> while you guys have your sample apps all warmed up... can anybody confirm for me that "chrome" really is the only user agent string that works for now? not just any random string?
> tried with a "stupid" useragent and it's working so it just needs to be a fake useragent to work.

Lol that sounds more like a security thing than protected webviews not allowed
Random new useragent cow
If i was google i would be going nuts right now because this stupid string defeats the security
I blame it all on @champnic . If you knew that was the problem all along, you should have told us lol
@markismail7
> I blame it all on @champnic . If you knew that was the problem all along, you should have told us lol

It's temporary. But champnic couldn't know this / stepped unknowingly on this fix, was trying things this day and then i found the fix
awesome, thanks guys
At first, i thought Google are powerful to be able to block the browser like that. But now it shows, they're as good as the feature they created one time ("Scroll with your eyes"). How many people are using this feature lol.
Thank you for saving us for now lol
You are all geniuses, Settings.UserAgent = "Chrome", Settings.UserAgent = "Andriod", it's working
@Beej126 @gplwzz1989 @champnic when you login you get this after google url now i think they are working on it
google.com/spf#=121676
or is this a webview2 rendering bug using fixed runtime 96
got that yesterday
this result after logging in
Hi, today If I access to Youtube I see error This Page isn't working, www.youtube.com redirected you too many times. Try cleaning your cookies. If I access with Edge I see the cookie notice window that has to be accepted...
@oggy22
> Hi, today If I access to Youtube I see error This Page isn't working, www.youtube.com redirected you too many times. Try cleaning your cookies. If I access with Edge I see the cookie notice window that has to be accepted...
updating webview2 runtime will work i had the same problem just re-install or update
This is not a solution. I'm not blaming Microsoft for it. Google is a dictator. We need to move away from Google products. The only way we can do so is if Microsoft creates a Gmail. Until then, we are all screwed. This could get way worse, the sign in with Google is a disaster right now. We can't use it with WebView2. When WebView2 was announced, I was so excited. A powerful, fast, updated Browser embedded in a .NET Application. This has been a dream for All Microsoft Developers. And now all of a sudden, after less than a year of its launch, Google decided to prevent us from accessing Gmail from inside Webview2. Wow.
The reason is that a random app shouldn't potentially have access to your Google password. I personally sadly don't have the luxury of trusting every single application that I use and vastly prefer it if the browser gets opened. That way, the only one who could compromise my password is the browser.[1]
[1] And technically still the app, it just needs to install a keylogger. But that's another discussion about sandboxing and security.
that's not a valid reason since there are multiple ways to avoid this problem but google did not try any of that (like ask the user to log in a browser->return an OTP->make the user able to log in on the webview2 with that OTP, just an example, they even got a thing called "password for app" but they don't use them, they ask you to go with the OAuth 2.0 way but there is no way to set the session in the webview after you ask the user to log in that way (oauth is only good if you just need one google service, not all the google service like when you log in)). also a simple password does nothing now that you need an OTP for log in. in the end google made only a stupid fix since you can workaround it by setting a fake user-agent...
Google is blocking the user from accessing his/her own account by claiming this is unsafe. How about 2 way authentication. Let the user choose. There are so many options that could have been used. You can put a warning message. Users are frustrated with Google. We're done with Google soon. Microsoft is on a track to claim everything that was ever given to Google. Let them use Android lol by themselves. I'm always going to be a Microsoft supporter, i grew up using windows. When it comes to phones, i use apple. Google is a dictator, they can't be trusted with power. I uninstalled Google chrome the moment edge chrome was released, all my users did the same thing. There is no need for Google Chrome anymore. They can't sleep knowing that.
Google is a bully and is using their monopolistic position both in browser share and internet traffic to squeeze competition out of the market, and hurt Microsoft whenever they can. Anything's legit to preserve browser market share, as a proxy for maintaining search hegemony. Notice how they are attempting to block only Windows based embedded Webviews. Android based (which enable the same types of tweaks) are left alone.
Google has recently made a policy update to prohibit Google OAuth requests in embedded browsers (webviews). This means that google auth flows will not be supported in WebView2.
Our short-term recommendation for a workaround is to launch the system browser and handle the auth flow there. Google’s OAuth Sample repo has an example of how to do this. This solution will work for all app types.
Longer term, our suggestion will be to use the Web Authentication Broker (WAB) API. The WAB API is a Windows API, vetted by Google, that will enable auth flows in your native applications. This API is currently UWP-only but has plans to be available in win32 and .NET as part of the WindowsAppSDK. Please follow the team’s GitHub post for updates on that. For more guidance on how to build out these auth flows visit the WAB Sample Code.
Feel free to leave any comments or questions below. Thanks!
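
The short-term recommendation above (launch the system browser and handle the auth flow there), sketched as an added example; it is not code from this thread or from Google's OAuth sample repo. Assumptions: the class and method names, the `ClientId` placeholder and the `openid email` scope are hypothetical; the flow uses a loopback redirect with PKCE and a `state` check.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

static class SystemBrowserSignIn // hypothetical name, added example
{
    // Assumption: placeholder client ID for a desktop-type OAuth client.
    const string ClientId = "YOUR_CLIENT_ID.apps.googleusercontent.com";
    const string AuthEndpoint = "https://accounts.google.com/o/oauth2/v2/auth";

    static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string RandomToken()
    {
        var buf = new byte[32]; // 32 random bytes -> 43 base64url characters
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return Base64Url(buf);
    }

    static int FreeLoopbackPort()
    {
        var l = new TcpListener(IPAddress.Loopback, 0); // port 0: let the OS pick
        l.Start();
        int port = ((IPEndPoint)l.LocalEndpoint).Port;
        l.Stop();
        return port;
    }

    // Returns the values the app later sends to the token endpoint (exchange not shown).
    public static async Task<(string Code, string Verifier, string RedirectUri)> SignInAsync()
    {
        string state = RandomToken();    // binds the response to this request
        string verifier = RandomToken(); // PKCE code_verifier, kept inside the app
        string challenge;
        using (var sha = SHA256.Create())
            challenge = Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));

        string redirectUri = $"http://127.0.0.1:{FreeLoopbackPort()}/";
        using (var listener = new HttpListener())
        {
            listener.Prefixes.Add(redirectUri);
            listener.Start();
            string url = AuthEndpoint + "?response_type=code"
                + "&scope=" + Uri.EscapeDataString("openid email")
                + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
                + "&client_id=" + Uri.EscapeDataString(ClientId)
                + "&state=" + state
                + "&code_challenge=" + challenge + "&code_challenge_method=S256";

            // The password is typed into the user's default browser, never into the app.
            Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });

            HttpListenerContext ctx = await listener.GetContextAsync();
            byte[] page = Encoding.UTF8.GetBytes("<html><body>You can return to the app.</body></html>");
            ctx.Response.ContentLength64 = page.Length;
            await ctx.Response.OutputStream.WriteAsync(page, 0, page.Length);
            ctx.Response.Close();

            var q = ctx.Request.QueryString;
            if (q["error"] != null)
                throw new InvalidOperationException("Authorization failed: " + q["error"]);
            if (q["state"] != state)
                throw new InvalidOperationException("State mismatch; response rejected.");
            return (q["code"], verifier, redirectUri);
        }
    }
}
```

The app ends up with API tokens only; the Google session cookie stays in the system browser, so this does not produce a logged-in WebView2 session.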