Google wants to block OAuth sign-in due to an embedded browser which doesn't exist

Today I've got following email from Google:

We are writing to let you know that Google will discontinue support for sign-ins to Google accounts from embedded browser frameworks, starting January 4, 2021. We have detected the use of an embedded browser framework with one or more of your OAuth clients that may be blocked on or after January 4, 2021. Please review your use of Google Account authorization flows in the following Google OAuth client IDs and make any required changes before January 4, 2021:

This is strange as my B2C web application isn't loaded in an embedded browser nor in a web view. It's not even a mobile app using an embedded browser or a web view. There's no embedded browser or web view at all where users could log in. My web application is just a simple public B2C "website" which does 2 things:

  • Users can log in by Google OAuth (Google Sign-In for Websites)
  • Automatic retrieval of YouTube data by using YouTube data API via cronjob by using OAuth tokens with offline access

So I'm wondering why I've got this email. Advice is very much appreciated, as it seems Google plans to limit/block my Google API client ID and I'm a bit concerned my website will break.

Update 1:

  • On my development environment I've been testing Google OneTap Sign-In for half a year on localhost. Maybe this could be the reason?
  • I'm also using HotJar.com screen recording to optimize my website. The HotJar JavaScript is dynamically generating invisible HTML iframes. Maybe this could be a reason?

Update 2:
The Google blog article about this topic describes that "The browser must have JavaScript enabled" and "The browser must identify itself clearly in the User-Agent" in order to do an OAuth Sign-In.

I'm wondering if a server-side API call to the YouTube Data API with an offline access token is considered an OAuth Sign-In (which it basically is). But offline access is made for API access without user interaction (a browser). So I think this should not be the problem, but who knows...

ninsky asked Nov 17 '20 22:11


1 Answer

Update: on Google Analytics we see that some of our users are logging in with "Android Webview" which might be the cause of these warning emails. We are still looking into it though.

We got the same email and we are baffled.

We have a Cordova app on Android and iOS which has been using the native auth flow for years so we do not think that is the problem.

We also have a companion website with the standard Google Sign In.

Ideas are welcome.

Mirko answered Oct 02 '22 12:10
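One way to check the answer's "Android Webview" hypothesis against your own server logs, as an added example that is not part of the question or answer: classify the User-Agent of every hit on the OAuth callback as Android WebView (the "; wv" token), an iOS in-app WebKit view (WebKit UA without a trailing Safari token) or a regular browser. The callback path and the log lines are constructed for this example; the offline-access cron job from the question is server-to-server and never sends a browser User-Agent, so it would not show up here.

```python
import re
from collections import Counter

# Constructed sample access log (not from the question or answer). The callback
# path /auth/google/callback is an assumed name for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2020:21:50:01 +0000] "GET /auth/google/callback?code=x HTTP/1.1" 302 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
203.0.113.9 - - [17/Nov/2020:21:51:14 +0000] "GET /auth/google/callback?code=x HTTP/1.1" 302 "Mozilla/5.0 (Linux; Android 10; SM-G973F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.198 Mobile Safari/537.36"
203.0.113.12 - - [17/Nov/2020:21:52:40 +0000] "GET /auth/google/callback?code=x HTTP/1.1" 302 "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
203.0.113.12 - - [17/Nov/2020:21:53:02 +0000] "GET /auth/google/callback?code=x HTTP/1.1" 302 "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1"
203.0.113.20 - - [17/Nov/2020:21:54:11 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (Linux; Android 9; wv) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36"
"""

# Combined-log style request line, status and User-Agent field.
LOG_RE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"')

# Android WebView appends "; wv" inside the platform parentheses (Android 5+).
ANDROID_WEBVIEW = re.compile(r"\(Linux;[^)]*; wv\)")
# iOS WebKit views (WKWebView and in-app browsers) send the WebKit UA without
# the trailing "Safari/..." token that real Safari adds.
IOS_WEBKIT = re.compile(r"\((iPhone|iPad|iPod);[^)]*\) AppleWebKit/")
SAFARI_TOKEN = re.compile(r"\bSafari/\d")


def classify_user_agent(ua: str) -> str:
    """Heuristic classification: 'android-webview', 'ios-webview' or 'browser'."""
    if ANDROID_WEBVIEW.search(ua):
        return "android-webview"
    if IOS_WEBKIT.search(ua) and not SAFARI_TOKEN.search(ua):
        return "ios-webview"
    return "browser"


def audit_oauth_callbacks(log_text: str, callback_path: str = "/auth/google/callback"):
    """Count UA classes for hits on the OAuth callback; return (counts, flagged (ip, ua) pairs)."""
    counts = Counter()
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith(callback_path):
            continue  # only sign-in completions matter, not ordinary page views
        kind = classify_user_agent(m.group("ua"))
        counts[kind] += 1
        if kind != "browser":
            flagged.append((line.split()[0], m.group("ua")))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = audit_oauth_callbacks(SAMPLE_LOG)
    print(dict(counts))
    for ip, ua in flagged:
        print("embedded sign-in:", ip, ua)
```

The classification is a heuristic: some in-app browsers spoof a full desktop or Safari UA, so treat a clean result as "nothing obvious", not as proof that no embedded sign-ins happen.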