Google SSO in App Browsers (Webviews)

Last Updated: Nov 11, 2024

Overview

Some customers might be constrained to use the universal login page on their site within a webview in a 3rd party product, which might cause a 403 for Google SSO. Google cannot be conditionally hidden because existing users need to use Google to log in. The 3rd party product cannot drop the use of the webview because this is fundamental to the app browser feature, and other similar products use the same.

This article clarifies whether there is a way for auth0 to open an external user agent from within an embedded user agent in a native app.

Applies To

  • Google SSO in App Browsers
  • SSO
  • Webviews

Solution

Unfortunately, this is not possible. All interaction with the Universal Login is HTTP-based: an initial request to /authorize returns HTML, and a browser (a webview in this case) handles the rendering and the continuation of the flow. It would be impossible for the HTML or Javascript to force opening an external user agent, as the WebView is the one handling the HTTP and HTML flows. (e.g., window.open is likely to be either blocked or forced to stay within the WebView).

The only way to comply with Google’s requirement would be to fully open the app in an external browser (which is something that the native app should be able to do on their side).

Related References

1 Like