Ijility maumelle ar benefits.REGISTER NOW GET FREE 888 PESOS REWARDS!

Resolved fariazz
(@fariazz)

1 year, 7 months ago
We received the following email from Google, about the credential we use for the NextEnd plugin. It looks like it will stop working soon? We are on the latest version of the plugin, but we only updated recently. As you can see in the email, it says “last 120 days”, so it could be it’s no longer a problem:

—

Hello Google Developer,

We’re writing to let you know that we detected the use of an embedded webview in requests to Google’s OAuth 2.0 authorization endpoint in the past 120 days associated with one or more of your OAuth client IDs listed in this email.

Any affected authorization endpoint requests will be blocked with a disallowed_useragent error starting July 24, 2023. Affected requests to our authorization endpoint will display a user-facing warning message starting in May until July 24, 2023.

What do you need to know?

Embedded webview libraries are highly customizable, which can expose Google’s login and account authorization pages to potential “man-in-the-middle” attacks. Google’s OAuth 2.0 “Use secure browsers” policy helps us protect users from these and other types of attacks.

Examples of affected embedded webview libraries include android.webkit.WebView on Android and WKWebView on iOS or macOS.

What do you need to do?
- Review our June 2021 Google Developers blog post, Security changes to Google’s OAuth 2.0 authorization endpoint in embedded webviews, to determine potential next steps.
- Consider how enterprise and educational users might be impacted by embedded webviews in your app(s).
- If you are able to modify the authorization requests of your app, you can choose to test your application for compatibility with our “Use secure browsers” policy after making the necessary changes.
Note: Suppression of the user-facing warning message is not supported.

Please review the affected client(s) being used by your projects:
- Project ID: xxxxxx
  - OAuth Client ID: xxxx (cliend ID we use for NextEnd)
For additional information regarding these changes, please read thoughtfully through the Google Developers blog post shared above.

Thanks for choosing Google OAuth.

— The Google OAuth Team

Viewing 1 replies (of 1 total)

Plugin Support Laszlo
(@laszloszalvak)

1 year, 7 months ago
Hi @fariazz

Do you probably have a mobile App, that displays your website over an embedded browser (WebView)? If this is the case, then the problem is caused by that, since as Google mentioned it, WebView is not secure and some providers like Google and Facebook doesn’t allow the usage of their OAuth 2 endpoints from WebView.

Because of this, we hide the social buttons in the embedded browsers, as people won’t be able to connect with it anyways.

In our documentation you can learn more about this:
- https://nextendweb.com/nextend-social-login-docs/can-use-nextend-social-login-webview/
So this is not a Nextend Social Login specific limitation, but a general Google and Facebook OAuth 2 specific limitation.

If you don’t have a mobile App, you can actually ignore this message, as this is just to inform the App developers about these limitations. But actually these are not new, as it had been announced in 2021 already ( like you see in their message ) and people have been receiving those errors in WebView browsers since then.

Best regards,
Laszlo.

Viewing 1 replies (of 1 total)

The topic ‘Warning from Google about NextEnd’ is closed to new replies.