Google to block web views from using its OAuth
Deprecation starts in October
Google's decided that web-views should no longer be able to use OAuth requests, and is deprecating them in Android, iOS, Windows and OS X as of October.
What that means is that while (for example) Android's embedded browser will be able to handle OAuth requests, third party app logins won't be able to use web-views for OAuth logins.
Web views are designed to let developers use Web-style code instead of trying to get across different operating systems – it's a mini Web browser (the WebView) running the app, with access to native APIs.
Google's announcement is clear: “In the coming months, we will no longer allow OAuth requests to Google in embedded browsers known as “web-views”, such as the WebView UI element on Android and UIWebView/WKWebView on iOS, and equivalents on Windows and OS X.”
Google explains that the idea is to make things easier for users: pushing the OAuth support to whatever browser is present on the device means the login can persist on that device (a web view can't keep the login across sessions).
“Users only need to sign-in to Google once per device, improving conversion rates of sign-in and authorization flows in your app. Modern “in-app browser tab” patterns available on some operating systems, such as Chrome Custom Tabs on Android and SFSafariViewController on iOS offer further UX improvements for browser-based OAuth flows”, the post says.
The alternatives, with links to examples and documentation in the post, are:
- Google sign-in for Android and iOS;
- The open source AppAuth OAuth client library for Android, iOS and OS X; and
- For Windows, the Chocolate Factory provides examples of both Google sign-in and OAuth.
On October 20, Google will prevent new OAuth clients from using web views, and the company will start presenting users with warnings of the end-of-life schedule. On April 20, 2017, web views will get blocked unless there's no viable alternative. ®