Google disabling third-party OAuth app logins from web-views over the next year

Datetime:2016-08-22 22:56:20          Topic:          Share

Using a login party like Google, Twitter, or Facebook is much more convenient than remembering a username and password for individual services. To improve security for this type of sign-in, Google is deprecating third-party app logins from web-views in favor of the native browser.

Signing into third-party applications via a Google Account involves sending an OAuth request. Over the next year, Google will be disabling login requests sent from web-views and other embedded browsers. This includes the WebView UI element on Android, UIWebView/WKWebView on iOS, and equivalents on OS X and Windows.

Developers are encouraged to send users into the more secure native browser for Google sign-ins. Device browsers are more frequently updated and offer improved security as web-views can be inspected and modified by apps.

On the usability front, users are likely already logged into their Google Accounts for Search and other services. Googles notes that Android now hasChrome Custom Tabs and iOS SFSafariViewController for quicker access to the native browser.

Beginning October 20, new OAuth clients we be prevented from using web-views on platforms that have a viable alternative. Existing OAuth client users will also begin seeing notices about the change. On April 20, 2017, all OAuth requests will be blocked for clients on platforms with viable alternatives.

There are a number of alternatives for developers to implement in lieu of web-views, including the recommended Google Sign-In approach for mobile and AppAuth for Android , iOS , and OS X . The blog post also lists a number of log-in examples for Windows developers .