Auth0 Lock for Hybrid Apps Broken for Google Login Gives 403 disallowed_useragent

Testing my Ionic app on Android using Auth0 Lock and I’m getting an error from Google:

"403. That’s an error

Error: disallowed_useragent

This user-agent is not permitted to make an OAuth authorization request to Google as it is classified as an embedded user-agent… Per our policy, only browsers are permitted to make authorization requests to Google.
…"

Any suggestions?

The old forum has this issue: https://auth0.com/forum/t/google-oauth-error-disallowed-useragent/4973

@abhishek.hingnikar is there any update on this issue or a workaround?

Our decision is to move away from using Lock for multiple reasons including but not limited to the security of your users. In that context, you should be able to use the sample at auth0-cordova-oidc-sample/01-Login at master · auth0/auth0-cordova-oidc-sample · GitHub to port the code. The setup part is documented at auth0-cordova-oidc-sample/01-Login/src/auth0-cordova at master · auth0/auth0-cordova-oidc-sample · GitHub

The gist of what this does is open up Safari via a plugin and then use custom-uri-schemes to fetch back the callback response. This will, however, replace the current authentication mechanism of using Lock in favor of the hosted login page, which improves the security of your application and offers a painless migration which is future proof.

As this is using PKCE, there will be one small change required on your application’s side in Dashboard > Clients > Your Hybrid App Name > Settings. Please change the client type to “Native”; this will allow using PKCE for this client.

To use this you can follow the guide at auth0-cordova-oidc-sample/01-Login/src/auth0-cordova at master · auth0/auth0-cordova-oidc-sample · GitHub and then replace the Lock part including the callback handler with the following snippet from the setup page. As this is a single promise and not an event this should further make it easier for you to integrate in your applications.

```javascript
client
  .authorize(options)
  .then((authResult) => {
    // Handle authResult here instead of lock.on('authenticated'), basically moving your logic here will work
  })
  .catch((error) => {
    // ERROR!
  });
```

Additionally, if you are using refresh-tokens you'll need to make a refresh-token call which is a POST call to /oauth/token which is described at https://auth0.com/docs/tokens/preview/refresh-token#use-a-refresh-token

Optionally, if you would like to use universal links over custom uri schemes you can check the branch universal-links on the repository. There is an example as 02-Universal-Links; however, this is still experimental and needs further testing.

Feel free to ping me on this ticket if you need further assistance. We will be realizing a library to make this integration simpler.

Thanks @abhishek.hingnikar for the detailed reply. I can’t say I follow all the changes, yet… but I’ll start looking through the links you posted.

By “hosted login page” are you saying I need to recreate all the functionality of the Lock dialog?

Does this mean I can’t use the same Auth0 code when this runs in the browser as a PWA or in Electron? The Lock approach seemed like it worked everywhere.

I’ll be looking forward to seeing all of this in a single solution.

Thanks,
Steve

The same code will work in Electron, please look at GitHub - darkyen/pkce-demos: A bunch of PKCE demos, using Auth0.js to extend the 🔐 to multiple providers! where I’m using a more ‘over the top’ version in all platforms. Basically, the part here is the browser handler; for native / Electron apps you can implement a browser opener using open. The rest is the same.

Hosted Login Page uses Lock itself, so in that front you can write Lock/UI customization here once and it will work the same on all of your applications. Please let me know if you have any further questions.

@abhishek.hingnikar
Using Ionic 1 with Angular 1 and plain vanilla es5, I’m porting over the code from the sample to get my app working with google login.

When it comes to node’s crypto library that is used for .createHash() and .randomBytes() methods, I’m having a struggle finding how to use those or find suitable replacements for the browser (my app does not use ‘require’ statements unfortunately).

Can you help me in pointing me to the right direction?

The createHash and randomBytes use crypto. There is a browserify-crypto module that implements them; you should be able to pack that. However, I’ll strongly recommend using a package manager.

@abhishek.hingnikar

We will be realizing a library to make this integration simpler.

Can you provide update on how this library is coming along please?

You can use it at GitHub - auth0/auth0-cordova: Auth0 integration for Cordova apps

This doesn’t work with Ionic 1. Please let us know the workaround for ionic1.

Can you tell me how to get this working for Xamarin? I originally raised this request a long time ago but haven’t been following it much.
https://auth0.com/forum/t/google-oauth-error-disallowed-useragent/4973

Now that the auth0 credentials have stopped working for me, I tried changing the client id and secret to my own hoping the issue would be fixed but it doesn’t seem to be fixed yet.

FYI: I’m using the version 0.5.0 of Auth0-Client from here for iOS and Android apps in Xamarin.Forms solution.

I’ll get back to you asap, however as a workaround you can implement PKCE as I do in GitHub - darkyen/pkce-demos: A bunch of PKCE demos, using Auth0.js to extend the 🔐 to multiple providers!

Thanks for the workaround. It’s a pretty big change to my existing code.

I’ll wait to hear about an official fix; I’d think this is a pretty big issue. Until it’s fixed hybrid apps can’t use Google login on Android.

Will Lock be updated before April 20 with support for this?

Hi @abhishek.hingnikar,
Any status update on this issue?

Thanks!
Steve

@info1 I have this working in an Ionic 1 app. Let me know if you are interested in my code and I will post what I can.