403: disallowed_useragent for web login from embedded browsers

There was a past thread about this, but it was closed without being answered: Google - Disallowed user agent when using Auth0 Lock

I also cross-posted this question to Stack Overflow, and from there linked a couple of other relevant Stack Overflow questions.

Google disallowed logging into Google from webviews a few years ago, and Auth0 also made a blog post about workarounds, but it all seems to focus on native apps, not web apps that offer Google as a login option.

But my company’s app is a web-app, and we’d like it if when someone shares a link to our site on Facebook Messenger/Facebook posts, users can log in with Google even if they don’t pop out the native Safari browser. Based on the above documentation it would seem that that’s not possible - but actually I discovered that Pinterest’s “Sign in with Google” button does work! So it appears there’s a way to get Google login working (not sure if they swung a special deal with Google, or if they’re doing something we/Auth0 can be doing too, though).

Repro steps:

  1. Open Facebook Messenger in iOS (this should roughly work with Facebook too, but this demonstrates the issue)
  2. Send yourself a message with the URL https://community.auth0.com
  3. Click on the link to the Auth0 Community forum
  4. Click on Log In
  5. Click on Log in with Google
  6. See that you get a 403: disallowed_useragent error.

And to prove that there does seem a way for this to be done in the wild:

  1. Ensure Pinterest isn’t installed on your iOS device so links to it don’t open in-app
  2. Open Facebook Messenger in iOS
  3. Send yourself a message with the URL https://pinterest.com
  4. Click on the Pinterest link
  5. Click on “Sign in with google”
  6. Somehow, it doesn’t error when Pinterest does it!

What does the Auth0 team/community think? Thanks!

EDIT: some more details from comparing the Google OAuth endpoint URLs my site uses vs Pinterest’s:

Looking at the Google oauth URL my site uses vs Pinterest’s, I see a few differences:

  1. Mine goes to https://accounts.google.com/o/oauth2/auth, theirs goes to https://accounts.google.com/o/oauth2/auth/identifier
  2. Theirs has a few extra query parameters mine doesn’t:
     ["openid.realm", ""]
     ["ss_domain", "https://www.pinterest.com"]
     ["fetch_basic_profile", "true"]
     ["gsiwebsdk", "2"]
     ["flowName", "GeneralOAuthFlow"]
  3. Theirs has a different value for response_type of permission id_token, mine is code

Not sure what has an effect, though.
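The manual URL comparison above can be scripted; this is an added example, not code from the original post or from Auth0. The two authorization URLs are constructed from the differences listed (path, extra parameters, response_type); client IDs, scopes and redirect URIs are placeholders, since the post does not show them.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a "code" flow URL like the one the post's site uses.
# client_id, scope and redirect_uri are placeholders, not values from the post.
MY_SITE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=MY_CLIENT_ID_PLACEHOLDER&response_type=code"
    "&scope=openid%20email&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback"
)

# Constructed sample: a URL carrying the extra parameters observed on Pinterest.
PINTEREST_STYLE_URL = (
    "https://accounts.google.com/o/oauth2/auth/identifier"
    "?client_id=OTHER_CLIENT_ID_PLACEHOLDER&response_type=permission%20id_token"
    "&scope=openid%20email&redirect_uri=https%3A%2F%2Fwww.pinterest.com%2F"
    "&openid.realm=&ss_domain=https%3A%2F%2Fwww.pinterest.com"
    "&fetch_basic_profile=true&gsiwebsdk=2&flowName=GeneralOAuthFlow"
)


def _params(url):
    """Parse the query string into {name: first_value}, keeping empty values
    (openid.realm is sent with an empty value in the Pinterest URL)."""
    parsed = urlsplit(url)
    query = parse_qs(parsed.query, keep_blank_values=True)
    return parsed.path, {k: v[0] for k, v in query.items()}


def diff_oauth_urls(url_a, url_b):
    """Describe how authorization URL b differs from URL a: endpoint path,
    parameters present on only one side, and parameters whose value changed."""
    path_a, qa = _params(url_a)
    path_b, qb = _params(url_b)
    return {
        "path": (path_a, path_b) if path_a != path_b else None,
        "only_in_a": sorted(set(qa) - set(qb)),
        "only_in_b": sorted(set(qb) - set(qa)),
        "changed": {k: (qa[k], qb[k]) for k in qa.keys() & qb.keys() if qa[k] != qb[k]},
    }


if __name__ == "__main__":
    for key, value in diff_oauth_urls(MY_SITE_URL, PINTEREST_STYLE_URL).items():
        print(f"{key}: {value}")
```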