Automatically sign into Google account on Android webview

Question

This past week I've inundated myself with links and led myself in too many circles to count, so I thought I'd pose the question here. I have an Android app that displays webviews pointing to urls which the user must be signed in with their Google account to see (the backend is built in Google App Engine). Since the end user is likely to be signed into their Google account on their Android anyway, I'd like the sign-in process to be automatic. Currently, on the first webview the user opens up they are presented with the Google sign-in form and a really ugly subsequent page asking "would you like to allow example.appspot.com to use your Google account?"

That process is dreadful for user experience. I've seen precious few resources here and there concerning auto-login, but I'm frankly lost in the sea of almost-what-I-want-but-not-quite to be able to discern the direction I ought to be going.

I read through Nick's tutorial on authenticating an app with App Engine, but just having the token doesn't get me the uniquely-assigned user ID associated with every Google account on the backend. On top of that, prior experience has taught me the hard way that an app's webview session is incongruous with the app's HTTPClient session. So even if I could log in with Nick's method it wouldn't help me sign into the webviews.

Then I came across this tutorial, which actually seems really promising, but so far I haven't been able to adapt his code to work with my own.

I also found this SO link which suggests that all I need to do is pass the auth token (which I could presumably obtain via Nick's method) into every webview I load as a cookie.

And that's about it. They are all rather different approaches, so I'm wondering if any of them are actually what I want. Or, if somewhere out there a reasonably simple approach actually exists. I'd really appreciate it if someone knows of a straightforward answer on this one. Thank you!

Answer 1

For security reasons WebViews do not have access to the phone's cache, cookie store etc, it is instead recommended you use the new Chrome Custom Tabs which can auto log in your users.

---

Concerning the "would you like to allow example.appspot.com to use your Google account?" screen; this is the standard OAuth process and requires that the User sign in and allow your app to access their account information.

In your 'example.appspot.com' App Engine app, if you are using an API that requires user information, like the Google Calendar API, it is required that you specifically request the User for their approval to access this information.

Once you have their approval, you can then save the access and refresh tokens to make future API calls on their behalf without the need for repeated user consent. You can see how the entire Oauth flow works in the OAuth 2.0 Playground.

Even if you automatically logged your user in, they will still see the approval page requesting for your app to have access to their information. To develop a hack to forcefully approve the access to a User's information on their behalf is a major security violation.

---

You can take a look at the new Firebase Authentication flow to easily manage your user's Oauth experience in your App Engine application.