Closed cynthiatang closed 6 years ago
This issue can be reproduced in Pixel2
Android 8.1.0 WebView 65.0.3325
I've checked the user agent. We didn't change user agent between 1.0.4 and 2.0.0. (Except the version code itself in user agent)
Another difference I forgot to mention, the ".nightly" part
https://auth0.com/blog/google-blocks-oauth-requests-from-embedded-browsers/ this is a Google policy BUT if this is a regression then it's probably a different story
Seems like it's unrelated to user agent string. I'll try to find a regression window.
We've seen this in #841 which back then was caused by user agent change.
It's a regression of 9d6b0b48 or 28c0ce40 which are fundamental multiple tab supports.
Lightning is experiencing the same too.
I just checked the login issues (403 error page) on Top 30 websites in Indonesia. This issue affects 4 top websites.
A way to work around it is adding suppress_webview_warning=true as described in https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html but I'm thinking if we'll need a notice if we want to do that?
TBD for Apr. 13 open beta 2
The final UC mini login url is of the form:
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?redirect_uri%3Dstoragerelay://https/m.bukalapak.com?id%253Dauth711380%26response_type%3Dpermission%2Bid_token%26scope%3Demail%2Bprofile%2Bopenid%2Bhttps://www.googleapis.com/auth/userinfo.email%2Bhttps://www.googleapis.com/auth/userinfo.profile%26openid.realm%26client_id%3D1089300022407-inpgth1nigees87f1rsskkshvg1lgmih.apps.googleusercontent.com%26ss_domain%3Dhttps://m.bukalapak.com%26app_package_name%3Dcom.bukalapak.android%26prompt%3Dselect_account%26fetch_basic_profile%3Dtrue%26gsiwebsdk%3D2%26from_login%3D1%26as%3DXZDajKLXAbY0J0mj-bdaag&followup=https://accounts.google.com/o/oauth2/auth?redirect_uri%3Dstoragerelay://https/m.bukalapak.com?id%253Dauth711380%26response_type%3Dpermission%2Bid_token%26scope%3Demail%2Bprofile%2Bopenid%2Bhttps://www.googleapis.com/auth/userinfo.email%2Bhttps://www.googleapis.com/auth/userinfo.profile%26openid.realm%26client_id%3D1089300022407-inpgth1nigees87f1rsskkshvg1lgmih.apps.googleusercontent.com%26ss_domain%3Dhttps://m.bukalapak.com%26app_package_name%3Dcom.bukalapak.android%26prompt%3Dselect_account%26fetch_basic_profile%3Dtrue%26gsiwebsdk%3D2%26from_login%3D1%26as%3DXZDajKLXAbY0J0mj-bdaag&oauth=1&sarp=1&scc=1
While our login url is of the form:
https://accounts.google.com/o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttps%2Fm.bukalapak.com%3Fid%3Dauth753012&response_type=permission%20id_token&scope=email%20profile%20openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&openid.realm=&client_id=1089300022407-inpgth1nigees87f1rsskkshvg1lgmih.apps.googleusercontent.com&ss_domain=https%3A%2F%2Fm.bukalapak.com&app_package_name=com.bukalapak.android&prompt=select_account&fetch_basic_profile=true&gsiwebsdk=2
With UC's url we seem to be able to log in, and when we provide the one we have to UC, it seems to redirect to a url with the form we mentioned (the https://accounts.google.com/ServiceLogin?passive=1209600 one)
P.S. our form before enabling multi window is:
https://accounts.google.com/signin/oauth?client_id=1089300022407-inpgth1nigees87f1rsskkshvg1lgmih.apps.googleusercontent.com&as=F3xIEORa8ydtj87NYoxoJw&destination=https://m.bukalapak.com&approval_state=!ChRFd1MtWV83dU1NN3YtdWdXSmloTRIfZ193MkdKRl96SkFmTUlqOWRic2JOcGJFX2czY0toWQ%E2%88%99AB8iHBUAAAAAWs2LEbm1EVHDpGWH-5Vfpq6CQXKA_u9x&xsrfsig=AHgIfE-HKAaBZJCO16jEFkkh1J4oqWSf-Q
Tried UC's user agent and concluded it's not about user agent :)
I think it could be one of these:
Google is giving something different based on some web view settings or some other properties that make them know it's a browser (but definitely not just the user agent itself per what I tried.)
UC mini is actively redirecting the URL.
I think the first is more likely the case.
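Added example, not part of the original thread or the project's code: a small Python helper that unwraps the OAuth request nested in a ServiceLogin `continue` parameter and diffs it against a direct `/o/oauth2/auth` URL, to see whether the two login URL forms quoted above carry the same request. The sample URLs are constructed and shortened; the host, ids and client_id in them are placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs modelled on the two forms quoted in the thread.
# Host names, ids and client_id are placeholders, not values from the issue.
WRAPPED = (
    "https://accounts.google.com/ServiceLogin?passive=1209600"
    "&continue=https://accounts.google.com/o/oauth2/auth"
    "?redirect_uri%3Dstoragerelay://https/m.example.com?id%253Dauth111"
    "%26response_type%3Dpermission%2Bid_token"
    "%26scope%3Demail%2Bprofile%2Bopenid%26openid.realm"
    "%26client_id%3DEXAMPLE.apps.googleusercontent.com"
    "%26prompt%3Dselect_account%26from_login%3D1%26as%3DSAMPLE"
    "&oauth=1&sarp=1&scc=1"
)
DIRECT = (
    "https://accounts.google.com/o/oauth2/auth"
    "?redirect_uri=storagerelay%3A%2F%2Fhttps%2Fm.example.com%3Fid%3Dauth222"
    "&response_type=permission%20id_token"
    "&scope=email%20profile%20openid&openid.realm="
    "&client_id=EXAMPLE.apps.googleusercontent.com"
    "&prompt=select_account"
)


def oauth_params(url):
    """Return the OAuth request parameters carried by a sign-in URL.

    A ServiceLogin URL wraps the OAuth request in its `continue` parameter,
    so that value is decoded once and parsed again; a direct URL is parsed
    as-is. Blank values (e.g. `openid.realm`) are kept.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/ServiceLogin") and "continue" in query:
        return oauth_params(query["continue"][0])
    return {name: values[0] for name, values in query.items()}


def diff_requests(first, second):
    """Compare the OAuth parameters of two sign-in URLs by name and value."""
    a, b = oauth_params(first), oauth_params(second)
    return {
        "only_in_first": sorted(a.keys() - b.keys()),
        "only_in_second": sorted(b.keys() - a.keys()),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


if __name__ == "__main__":
    print(diff_requests(WRAPPED, DIRECT))
```

On these samples the only differences are the per-session id inside `redirect_uri` and the extra `from_login` and `as` parameters on the wrapped form.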
Verified: fixed. (No 403 error page)
Test website
Redmi Note4 Android 7.0 Rocket 2.0.0(3502).nightly WebView: 66.0.3359.82
STR:
Expected result:
Actual result:
Reproduce rate: 5/5
Device: Sony Z3C Android: 6.0.1 Rocket: 2.0.0(3180).nightly WebView: 64.0.3282.137