You can't sign in from this screen because this app doesn't comply with Google's embedded webview Policy


I am working on an e-commerce website. Our website provides the option to sign up using a Google account (using OAuth).

Our website is responsive and can be accessed using mobile devices; however, it is not embedded and we do not have any Android or iOS apps.

Today I got the following error from one of our users. That's all I got, but it sounds like she was trying to sign up to our website when she got the following error:

You can't sign in from this screen because this app doesn't comply with Google's embedded webview Policy. If this app has a website, you can open a web browser and try signing in from there.


I have checked this Google page, which says:

The Google Identity team is continually working to improve Google Account security and create a safer and more secure experience for our users. As part of that work, we recently introduced a new secure browser policy prohibiting Google OAuth requests in embedded browser libraries commonly referred to as embedded webviews. All embedded webviews will be blocked starting on September 30, 2021.

This is strange because today is 29th of September! Not entirely sure if this error is because of Google's change in OAuth? And not sure how to resolve this?

3

There are 3 best solutions below

1
user2705223 On

Google has announced and blocked embedded webviews since 2016, which is likely the reason for this error.

As mentioned in the error page, ask your users to open your app by visiting the website in a system browser. It may be that your users are attempting to visit your website using an app that opens up links in embedded webviews. Suggesting to your users that they use the system browser to login will get around that.
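An added example (not part of the answer above and not Google's code): a site-side check that a website like the one in the question could run before starting Google sign-in, so that users arriving through an app's embedded webview see an "open this page in your browser" hint instead of Google's error page. The function names and token lists are assumptions chosen for illustration, and the sample user agents are constructed.

```javascript
// Added example. Heuristics only: the token lists below are illustrative
// assumptions, not the rules Google applies when it returns disallowed_useragent.
const IN_APP_TOKENS = [/\bFBAN\//, /\bFBAV\//, /\bFB_IAB\//, /\bInstagram\b/, /\bLine\//];

// Classify a User-Agent string as a likely embedded webview or a full browser.
function classifyUserAgent(ua) {
  if (typeof ua !== "string" || ua.length === 0) {
    return { embedded: false, reason: "no-user-agent" };
  }
  // Apps that open links in their own in-app browser usually tag the UA.
  if (IN_APP_TOKENS.some((re) => re.test(ua))) {
    return { embedded: true, reason: "in-app-browser" };
  }
  // Android System WebView adds a "wv" field inside the platform parentheses.
  if (/\bAndroid\b/.test(ua) && /;\s*wv\)/.test(ua)) {
    return { embedded: true, reason: "android-webview" };
  }
  // The default WKWebView UA on iOS has AppleWebKit but no "Safari/" token.
  if (/\b(iPhone|iPad|iPod)\b/.test(ua) && /AppleWebKit\//.test(ua) && !/Safari\//.test(ua)) {
    return { embedded: true, reason: "ios-webview" };
  }
  return { embedded: false, reason: "browser" };
}

// Decide what the sign-up page should do when "Sign in with Google" is clicked.
function googleSignInAction(ua) {
  const { embedded, reason } = classifyUserAgent(ua);
  return embedded
    ? { action: "show-open-in-browser-hint", reason }
    : { action: "start-oauth", reason };
}

// Constructed sample user agents (not taken from the page).
const SAMPLES = {
  androidChrome: "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36",
  androidWebView: "Mozilla/5.0 (Linux; Android 13; Pixel 7 Build/TQ1A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/110.0.0.0 Mobile Safari/537.36",
  iosSafari: "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148 Safari/604.1",
  iosWebView: "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
  iosInApp: "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/400.0.0]",
};

// In the page itself, call googleSignInAction(navigator.userAgent) in the click handler.
for (const [name, ua] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(googleSignInAction(ua)));
}
```

This is a usability guard for the site's own sign-up page; Google's server-side check still decides whether the OAuth request is accepted.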

0
Mr.SwiftOak On

In mobile apps, the optimal solution is to redirect the user to the native browser, as specified in the Google security policy guide, and let them finish the registration there using SFSafariViewController:

iOS - Optimal solution

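    import SafariServices

    // Present the sign-in URL in SFSafariViewController instead of an embedded web view
    let config = SFSafariViewController.Configuration()
    let safari = SFSafariViewController(url: url, configuration: config)
    viewController.present(safari, animated: true)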

If you are not able to do that and really need to handle the login in WebView (Android) or WKWebView (iOS), you can manually change the userAgent like this:

Check the latest userAgent and manually add it

iOS - Not Optimal solution

    import WebKit

    // Set the application name used in the WKWebView's user agent string
    let config = WKWebViewConfiguration()
    config.applicationNameForUserAgent = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148 Safari/604.1"
    let webView = WKWebView(frame: .zero, configuration: config)

Android

    // Use the system's default HTTP agent string as the WebView user agent
    webView.getSettings().setUserAgentString(System.getProperty("http.agent"));

0
moonLander_ On

For anyone who faced Error 403: disallowed_useragent even though your app doesn't use a WebView: try updating the Android System WebView from the Play Store; it solved the problem for me.

From Google documentation:

If you get an error that says “403 disallowed_useragent,” the app uses embedded WebViews. Some developers use WebViews to help display web content in an app. Embedded WebViews puts your security at risk because they could let third parties access and change communications between you and Google.

To keep your account secure, Google no longer allows embedded WebViews as of September 30, 2021.