mattermost / mattermost-mobile

Next generation iOS and Android apps for Mattermost in React Native
https://about.mattermost.com/
Apache License 2.0
2.2k stars 1.33k forks

Problem using Google Auth in Mattermost mobile (ios/android) versions #622

Closed adrianveracom closed 1 year ago

adrianveracom commented 7 years ago

Summary

Trying to use Google Auth on mobile (Android and iOS) is returning an Error: disallowed_useragent on Google's side.

Followed the instructions on how to set it up in the site and it works perfectly on the web. Haven't made it work in Android/iOS/Mac clients.

Environment Information

Steps to reproduce

Enable Google Auth in the system console, configure with the right api credentials and try to log in using a current user.

Expected behavior

It should log you in.

Observed behavior

[Screenshot: screenshot_20170613-141648]

lfbrock commented 7 years ago

Hi @adrianveracom - is this on the new "Mattermost 2017 Beta" mobile apps, or the older ones?

We haven't added Google Auth support to the new mobile apps yet, it's on the roadmap for after the July release.

Is it something you would be interested in helping contribute?

sjk07 commented 7 years ago

@lfbrock this happens on both versions of the mobile apps.

My use case: team uses Google as auth server for Gitlab.

gabrie-allaigre commented 7 years ago

Hi, on Android, Google requires the use of Chrome Custom Tabs for OAuth. We need to change the WebView here: https://github.com/mattermost/mattermost-mobile/blob/master/app/screens/sso/sso.js

thobai commented 7 years ago

I'm having the same problem on iOS. Is there any possibility to already use a working beta version for iOS and Android? We only use Google as auth server for Gitlab as well, so that's a show stopper right now. Are there any workarounds?

lfbrock commented 7 years ago

Hi @thobai + others,

For those using GitLab SSO, we don't officially support connecting to other authentication methods through GitLab. That being said, we've been investigating Google Auth since it's one of our enterprise edition features; a summary of what we've found is below.

The issue is that Google revoked the ability to use a WebView to authenticate using their OAuth2 provider. Since GitLab uses a web application flow, it needs the WebView to work.

To use the Google Login libraries instead of a webview, you need to compile the app with a google-service.json file in order to make use of your own Google Api Key. So it's looking like anyone using Google Auth would need to compile the apps themselves.
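The error in the original report is named after the user agent that makes the authorization request. As an added illustration that is not part of this thread and is not Mattermost's or Google's code, the sketch below shows how a server could flag embedded WebViews from the default User-Agent formats and answer with the `disallowed_useragent` error; the token rules, function names and sample strings are assumptions constructed for the example.

```javascript
// Added example: heuristic check for embedded WebViews by User-Agent.
// The rules are assumptions drawn from the default UA formats of Android
// System WebView and iOS WKWebView; they are not Google's actual logic.

// Constructed sample headers (not captured from real devices).
const SAMPLES = {
  androidWebView: 'Mozilla/5.0 (Linux; Android 10; Pixel 3 Build/QQ3A.200805.001; wv) ' +
    'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/84.0.4147.125 Mobile Safari/537.36',
  androidChrome: 'Mozilla/5.0 (Linux; Android 10; Pixel 3) ' +
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Mobile Safari/537.36',
  iosWebView: 'Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) ' +
    'AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148',
  iosSafari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) ' +
    'AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1',
};

// Returns { embedded: boolean, reason: string } for one User-Agent header.
function classifyUserAgent(ua) {
  if (typeof ua !== 'string' || ua.trim() === '') {
    return { embedded: true, reason: 'missing user agent' };
  }
  // Fields of the first parenthesised group, e.g. "Linux; Android 10; ...; wv".
  const platform = (ua.match(/\(([^)]*)\)/) || [])[1] || '';
  const fields = platform.split(';').map((f) => f.trim());

  // Android System WebView (Lollipop and later) adds a "wv" field.
  if (fields.some((f) => f.startsWith('Android')) && fields.includes('wv')) {
    return { embedded: true, reason: 'android webview (wv field)' };
  }
  // iOS browsers end with a "Safari/" token; a default WKWebView omits it.
  if (['iPhone', 'iPad', 'iPod'].includes(fields[0]) && !/\bSafari\//.test(ua)) {
    return { embedded: true, reason: 'ios webview (no Safari token)' };
  }
  return { embedded: false, reason: 'full browser' };
}

// Authorization-endpoint decision: refuse embedded user agents with the
// error code from the report, otherwise let the OAuth flow continue.
function authorizeDecision(ua) {
  const verdict = classifyUserAgent(ua);
  return verdict.embedded
    ? { allow: false, error: 'disallowed_useragent', reason: verdict.reason }
    : { allow: true };
}

for (const [name, ua] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(authorizeDecision(ua)));
}
```

A header check of this kind is only a heuristic on the server side; the client-side fix discussed in the thread is to run the flow in Chrome Custom Tabs or an external browser instead of a WebView.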

bbredewold commented 7 years ago

Any progress on this topic? Someone with a workaround?

MarkusTeufelberger commented 6 years ago

What's the resolution of this issue? I still have that problem...

lindy65 commented 6 years ago

Hi @MarkusTeufelberger

Thanks for your question,

At this stage, the resolution of this issue is as per lfbrock's post above...

JMLX42 commented 5 years ago

Could we use this solution https://github.com/RocketChat/Rocket.Chat.Cordova/issues/159#issuecomment-275730484 ?

JMLX42 commented 5 years ago

@lfbrock @lindy65 AFAIK changing the user agent should do the trick. The SSO webview is created here:

https://github.com/mattermost/mattermost-mobile/blob/master/app/screens/sso/sso.js#L232

We could simply set the userAgent property:

https://github.com/react-native-community/react-native-webview/blob/master/docs/Reference.md#useragent

We could do this only when we're dealing with a Google OAuth URL so the impact should be minimal.

Are you interested in a PR?

lindy65 commented 5 years ago

Hi @promethe42,

Thanks for your message and the offer of a PR :)

I'll defer to @enahum and @esethna as they are more closely involved with the roadmap for the mobile apps. I'm not sure whether they're out for the holidays, so they might only respond after the new year.

enahum commented 5 years ago

Yes @promethe42 a PR would be great

JMLX42 commented 5 years ago

@enahum OK I'll do it.

Here is my plan:

This would be my first Mattermost PR, so I'll have to set up my dev env first. But the documentation looks great.

In the meantime, please re-open this so people know it's being dealt with.

enahum commented 5 years ago

@promethe42 sounds like a solid plan, you can refer to the logic in the webapp to enable/disable the login option.

I’ve created this ticket https://mattermost.atlassian.net/browse/MM-13602 so it can be tracked.

Let me know if you need help with the dev env setup.

Thanks for taking care of this.

JMLX42 commented 5 years ago

> Let me know if you need help with the dev env setup.

@enahum I've set up a working Dockerfile to build the Android app with a one-liner. I'll make a first PR with that.

> setup a build/config parameter to change the user agent declared by the web view

@enahum Where should I put this kind of config variable?

enahum commented 5 years ago

@promethe42 I think it should go in assets/base/config.json

hzj629206 commented 5 years ago

any update?

JMLX42 commented 4 years ago

@hzj629206 I remember it was easy to set up the custom user agent in the code base. But #2484 made it impossible for me to test.

I can open a PR with those changes if someone can help me with the testing.

devopstales commented 4 years ago

@promethe42 you did not answer the questions on #2484.

taina0407 commented 4 years ago

Any update on this?

robcohen commented 4 years ago

Is this issue resolved?

esethna commented 4 years ago

For those following this issue, we have a ticket open here for anyone interested in contributing the change: https://mattermost.atlassian.net/browse/MM-13602

tamasgal commented 4 years ago

Thanks for the link. So this is still unresolved.

We did an emergency switch to Mattermost because RocketChat broke our instance several times due to auto-update issues of the snap distribution. However, without a working mobile client using Google OAuth, Mattermost is not really an interesting alternative 😕

AlanVerbner commented 4 years ago

I can confirm the https://github.com/mattermost/mattermost-mobile/issues/622#issuecomment-450472819 approach worked for us. We haven't added any tests but we were able to log in using Google auth and the webview approach.

henricook commented 3 years ago

@AlanVerbner So you compiled it yourself with a changed user agent and it worked? Was it a simple string replace, if not would you consider sharing the changeset?

henricook commented 3 years ago

Bounty added - expires on 15th February 2021

I'd really like this fixed but don't have the ready skills to do it myself. I've posted a $500 bounty on this: https://www.bountysource.com/issues/46286041-problem-using-google-auth-in-mattermost-mobile-ios-android-versions

Requirements would be: Auth with Google IDP succeeds, change must be merged and available in the iOS AND Android store-based apps for bounty to be paid. Solution can either be the user agent (if you can convince the team to merge it) or (preferably) the "proper" way of authing with Google, firing up an external browser.

Please all feel free to add to my bounty if you'd like to help motivate someone to fix this.

esethna commented 3 years ago

cc// @thefactremains ^

thefactremains commented 3 years ago

@henricook we are building support for this in our upcoming OpenID Connect feature. We expect to release this by Jan 2021 at the latest.

henricook commented 3 years ago

Thanks for the info @thefactremains

I was hoping for a solution for a fairly specific use case. I have a GitLab instance that uses Google Auth. I can't log in to Mattermost with it on mobile at the moment. I don't think the OpenID work you describe will affect that problem unless it takes over all Google/Microsoft etc. auth flows and pops them out into a browser?

Edit: unless the way Mattermost integrates with GitLab is OpenID??? I'll have to check that

thefactremains commented 3 years ago

@henricook Our implementation of OpenID Connect will replace all OAuth SSO (including Google and Microsoft) for E20 licensed servers. It's possible that an E20 server could use OpenID Connect to GitLab w/Google SSO (and work on mobile), but I'm not certain - and that specific use case isn't covered in the MVP.

We're aiming to release v1 of this feature very shortly, so if you're on E20 (or considering it) it may be worth waiting until then to test.

henricook commented 3 years ago

Thanks for that info. Not entirely sure what license I'm on, will check - I don't think it's E20. When do E20 features filter down to the common folk?

henricook commented 3 years ago

Do you think someone would accept a PR as a stopgap to change the user agent Mattermost uses to impersonate a real browser (and evade Google's webview/user-agent restrictions)?

thefactremains commented 3 years ago

We are not currently planning to add OpenID Connect to E10 or Team Edition. We do, however, regularly revisit our packaging based on input like this.

A community contributor could attempt to get this working, but I am not sure our mobile team would accept the PR if it defied Google restrictions.

henricook commented 3 years ago

@thefactremains All packaging revisits greatly appreciated. At a total guess you've got a lot of people about to be affected by https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html on January the 4th 2021 who don't realise they're about to become unable to log in.

realmichaelye commented 3 years ago

Will sign up with Google / OAuth be released like in Slack? https://gyazo.com/d01e5b3fef593dd20b4a117d96238c45

davidchoo12 commented 3 years ago

Issue still exists as of writing (version 1.42.1).

henricook commented 3 years ago

Yeah my whole team can't use Mattermost on mobile because of it. It makes it look like a pretty inferior solution next to everything else when no one can use the mobile app.

enahum commented 3 years ago

Google auth was added in this PR: https://github.com/mattermost/mattermost-mobile/pull/5075

I do believe it is available in the Enterprise edition, though.

larkox commented 1 year ago

This should be solved already. If anyone is still having the same issue, feel free to reopen the ticket.