Regression: Show 403 error page when user try to login Bukalapak with Google account (Topsite)

[cynthiatang]

STR:

1. Launch Rocket
2. Tap the topsite Bukalapak
3. Tap Bukalapa's menu -> Tap Login -> Tap Login dengan Google

Expected result:

• Show Google login page

Actual result:

• Show 403 page. Error disallowed_useragent
• This issue cannot be reproduced in Rocked 1.0.4(2333)

Reproduce rate:5/5

Device: Sony Z3C Android: 6.0.1 Rocket: 2.0.0(3180).nightly WebView: 64.0.3282.137

[cynthiatang]

This issue can be reproduced in Pixel2

Android 8.1.0 WebView 65.0.3325

[mTwTm]

I've checked the user agent. We didn't change user agent between 1.0.4 and 2.0.0. (Except the version code itself in user agent)

[mTwTm]

[mTwTm]

Another difference I forgot to mention, the ".nightly" part

[joechengla]

https://auth0.com/blog/google-blocks-oauth-requests-from-embedded-browsers/ this is a Google policy BUT if this is a regression than it's probably a different story

[mTwTm]

Seems like it's unrelated to user agent string. I'll try to find a regression window.

[mTwTm]

We've seen this in #841 which back then was caused by user agent change.

[mTwTm]

It's a regression of 9d6b0b48 or 28c0ce40 which are fundamental multiple tab supports.

[mTwTm]

Lightning is experience the same too.

[cynthiatang]

I just checked the login issues (403 error page) on Top 30 websites in Indonesia. This issue affects 4 top websites.

• Bukalapak
• Wordpress.com
• Kumparan.com
• Blibli.com

[mTwTm]

A way to workaround it is: adding suppress_webview_warning=true as described in https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html but I'm thinking if we'll need a notice if we want to do that?

[weslyhuang]

TBD for Apr. 13 open beta 2

[mTwTm]

The final UC mini login url is of the form:

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?redirect_uri%3Dstoragerelay://https/m.bukalapak.com?id%253Dauth711380%26response_type%3Dpermission%2Bid_token%26scope%3Demail%2Bprofile%2Bopenid%2Bhttps://www.googleapis.com/auth/userinfo.email%2Bhttps://www.googleapis.com/auth/userinfo.profile%26openid.realm%26client_id%3D1089300022407-inpgth1nigees87f1rsskkshvg1lgmih.apps.googleusercontent.com%26ss_domain%3Dhttps://m.bukalapak.com%26app_package_name%3Dcom.bukalapak.android%26prompt%3Dselect_account%26fetch_basic_profile%3Dtrue%26gsiwebsdk%3D2%26from_login%3D1%26as%3DXZDajKLXAbY0J0mj-bdaag&followup=https://accounts.google.com/o/oauth2/auth?redirect_uri%3Dstoragerelay://https/m.bukalapak.com?id%253Dauth711380%26response_type%3Dpermission%2Bid_token%26scope%3Demail%2Bprofile%2Bopenid%2Bhttps://www.googleapis.com/auth/userinfo.email%2Bhttps://www.googleapis.com/auth/userinfo.profile%26openid.realm%26client_id%3D1089300022407-inpgth1nigees87f1rsskkshvg1lgmih.apps.googleusercontent.com%26ss_domain%3Dhttps://m.bukalapak.com%26app_package_name%3Dcom.bukalapak.android%26prompt%3Dselect_account%26fetch_basic_profile%3Dtrue%26gsiwebsdk%3D2%26from_login%3D1%26as%3DXZDajKLXAbY0J0mj-bdaag&oauth=1&sarp=1&scc=1

While our login url is of the form:

https://accounts.google.com/o/oauth2/auth?redirect_uri=storagerelay%3A%2F%2Fhttps%2Fm.bukalapak.com%3Fid%3Dauth753012&response_type=permission%20id_token&scope=email%20profile%20openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&openid.realm=&client_id=1089300022407-inpgth1nigees87f1rsskkshvg1lgmih.apps.googleusercontent.com&ss_domain=https%3A%2F%2Fm.bukalapak.com&app_package_name=com.bukalapak.android&prompt=select_account&fetch_basic_profile=true&gsiwebsdk=2

With UC's url we seems to be able to login, and when we provide the one we have to UC, it seems to redirect to a url with the form we mentioned (the https://accounts.google.com/ServiceLogin?passive=1209600 one)

P.S. our form before enabling multi window is:

https://accounts.google.com/signin/oauth?client_id=1089300022407-inpgth1nigees87f1rsskkshvg1lgmih.apps.googleusercontent.com&as=F3xIEORa8ydtj87NYoxoJw&destination=https://m.bukalapak.com&approval_state=!ChRFd1MtWV83dU1NN3YtdWdXSmloTRIfZ193MkdKRl96SkFmTUlqOWRic2JOcGJFX2czY0toWQ%E2%88%99AB8iHBUAAAAAWs2LEbm1EVHDpGWH-5Vfpq6CQXKA_u9x&xsrfsig=AHgIfE-HKAaBZJCO16jEFkkh1J4oqWSf-Q

[mTwTm]

Tried UC's user agent and concluded it's not about user agent :)

I think it could be one of these:

1. Google is giving something different based on some web view settings or some other properties that make them know it's a browser (but definitely not just the user agent itself per what I tried.)

2. UC mini is actively redirecting the URL.

I think the first is more likely the case.

[cynthiatang]

Verified: fixed. (No 403 error page)

Test website

• Bukalapak
• Wordpress.com
• Kumparan.com
• Blibli.com

Redmi Note4 Android 7.0 Rocket 2.0.0(3502).nightly WebView: 66.0.3359.82