humhub / app


In iOS app, Google-login does not work because Google does not like the embedded browser #244

Open almarklein opened 3 days ago

almarklein commented 3 days ago

I can click the button to sign in with Google and fill in my Google email address, but in the next step (where normally I'd be asked for my password) I get this:


Clicking learn more produces:

marc-farre commented 3 days ago

@PrimozRatej any idea?

A quick search with https://claude.ai/ gives some pointers (I didn't search further; let me know if I can help):

  1. Custom Tabs / SFSafariViewController: Instead of using a WebView, it's recommended to use Custom Tabs (on Android) or SFSafariViewController (on iOS) for better security and user experience with OAuth flows.

  2. App-Bound Domains: Google and other providers are increasingly requiring the use of app-bound domains for authentication flows within apps.

  3. User-Agent String: The internal browser might have a user-agent string that Google doesn't recognize or trust.

  4. Missing OAuth 2.0 PKCE: Proof Key for Code Exchange (PKCE) is an extension to OAuth 2.0 that provides additional security for mobile apps.

Here are some steps you can take to address this issue:

  1. Use Custom Tabs or SFSafariViewController: If you're using Flutter, you can use the flutter_inappwebview package, which supports these more secure browser views. Here's a basic example of how you might implement this:

    
    import 'package:flutter/material.dart';
    import 'package:flutter_inappwebview/flutter_inappwebview.dart';
    
    // Embedded WebView widget from flutter_inappwebview that loads the given URL.
    class SecureWebView extends StatelessWidget {
      final String url;
    
      const SecureWebView({super.key, required this.url});
    
      @override
      Widget build(BuildContext context) {
        return Scaffold(
          appBar: AppBar(title: const Text('Secure Web View')),
          body: InAppWebView(
            initialUrlRequest: URLRequest(url: Uri.parse(url)),
            initialOptions: InAppWebViewGroupOptions(
              crossPlatform: InAppWebViewOptions(
                // Enables the shouldOverrideUrlLoading callback (not wired up
                // here), which is where an app would intercept the OAuth redirect.
                useShouldOverrideUrlLoading: true,
                // Enables the onLoadResource callback for every loaded resource.
                useOnLoadResource: true,
              ),
            ),
            onWebViewCreated: (InAppWebViewController controller) {
              // You can add additional configuration here if needed
            },
          ),
        );
      }
    }


   This approach uses a more secure web view that's less likely to be flagged by Google.

  2. Implement App Links / Universal Links:
     Set up app links (Android) or universal links (iOS) for your domain. This allows your app to handle the authentication redirect securely.

  3. Update User-Agent:
     If you must use a WebView, try setting a user-agent string that mimics a standard mobile browser. However, be aware that this might violate Google's terms of service.

  4. Implement PKCE:
     If you're handling the OAuth flow yourself, implement PKCE. This adds an extra layer of security that Google may require.

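
PKCE, the fourth pointer in the comment above, worked through end to end as an added example. This is not code from the HumHub app or from anyone in this thread, and it is in Python rather than Dart so it runs without a Flutter toolchain. The authorization endpoint, client id, redirect URI and authorization code are constructed placeholders; the test vector is the one from RFC 7636 Appendix B. Both halves are shown: the app generates the verifier and challenge and checks `state` on the redirect, and the token endpoint recomputes the challenge from the presented verifier before exchanging the code, which is what makes an intercepted code worthless on its own.

```python
"""PKCE (RFC 7636) for an OAuth 2.0 authorization-code flow, app side and server side."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier that never leaves the app; 32 bytes encode to 43 chars, the RFC minimum."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """URL the app hands to the system browser (SFSafariViewController / Custom Tabs)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """App side: the redirect comes back through the app's universal link.
    Refuse it unless state matches the value this app instance generated."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this client")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def token_endpoint_check(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side: the code is only redeemable with the verifier that produced its challenge."""
    if stored_method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def demo_flow() -> dict:
    """One flow with constructed values; endpoint, client id, redirect URI and code are placeholders."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url_nopad(secrets.token_bytes(16))
    url = build_authorization_url(
        "https://idp.example.test/oauth2/authorize",   # placeholder, not a real provider endpoint
        "example-client-id",                           # placeholder
        "https://app.example.test/oauth2redirect",     # placeholder universal link
        "openid email profile",
        state,
        challenge,
    )
    # The authorization server remembers (code -> challenge, method) when it issues the code.
    issued = {"code": "constructed-authorization-code", "challenge": challenge, "method": "S256"}
    redirect = f"https://app.example.test/oauth2redirect?code={issued['code']}&state={state}"
    code = extract_code(redirect, state)
    return {
        "authorization_url": url,
        "code": code,
        "legit_exchange_ok": token_endpoint_check(issued["challenge"], issued["method"], verifier),
        # Someone who intercepted the code but not the verifier cannot redeem it.
        "stolen_code_ok": token_endpoint_check(issued["challenge"], issued["method"], make_code_verifier()),
    }
```

PKCE protects the code exchange; it is separate from the browser question, so the authorization URL still needs to be opened in the system browser and the redirect handed back to the app via its registered link, which is what the first two pointers cover.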
almarklein commented 3 days ago

Not sure if this is relevant, but in most apps, when I sign in with Google, it already shows my Google avatar and I only have to enter my password. With the current flow, I also have to provide my email. From what I understand, when my avatar is shown, the embedded browser is the built-in browser, or at least somehow shares cookies or something.

marc-farre commented 3 days ago

@almarklein I agree, ideally we should use the native app feature to log in with a Google or Apple account already registered on the phone. But this would require much more development, and would only work with Google and Apple SSO.

With HumHub, we can configure many other SSO providers. So we first need to make it work within the app's embedded browser.

Once done, then we can later think about a native app authentication.

almarklein commented 3 days ago

@marc-farre I did not mean to use native auth. I meant that other apps also use an embedded browser for this flow, but it's likely a different kind of browser, because in these cases it remembered my Google account.

PrimozRatej commented 3 days ago

@marc-farre My first guess would be the User-Agent. We encountered a similar issue with Android some time ago. I'll look into it.