Tags: android, google-cloud-platform, webview, google-oauth, google-cloud-logging

Google OAuth 2.0 client ID authorization via embedded webview


Setup:

Situation:

I have received an email from Google stating that my web application client ID is receiving OAuth requests within an embedded webview, and I need to make some changes to these webviews to avoid man-in-the-middle attacks. This is a similar email: https://groups.google.com/g/omegaup-soporte/c/xrspGg8T94o

The subject of this email is: "[Action Advised] Take action to continue using Google's OAuth authorization endpoint" and the first statement is "We detected requests to our OAuth 2.0 authorization endpoint from one or more of your OAuth client IDs within an embedded webview context in the past 30 days.".

Question:

As stated above, my application is a web app; how is it possible that OAuth requests from an embedded webview are received?


Solution

  • I am in a similar situation. We have no explicitly supported login flows in embedded webviews. What I discovered was that this flow can be triggered by a user in an embedded webview from a different app navigating to your website and attempting to log in.

    You can test this scenario yourself in a browser by faking your user-agent to be one from an embedded web view. Example: Mozilla/5.0 (Linux; Android 13; SM-G986U1 Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/111.0.5563.116 Mobile Safari/537.36 WEBVIEW TEST/1.3.1.106 (Phone; anonymous)

    You can't really prevent someone from attempting to navigate to your site from another app's webview, but this at least explained why we received the email despite not supporting a specific webview auth flow.
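The answer's test (spoofing an Android WebView user-agent) can be turned around on the server side: the same "wv" token that appears in the sample user-agent above can be matched in your own access logs to see which login requests came from embedded webviews. The following is an added example, not code from the question or the answer: it parses a few constructed log lines (the log format, the `/login/google` path, the IP addresses and the second to fourth user-agent strings are all assumptions made for this example; the first user-agent is the one quoted in the answer), counts the login attempts that originated in an Android WebView, and shows a hypothetical `login_response` helper that sends such clients to an "open this page in your browser" message instead of starting the OAuth redirect. Whether to add that interstitial is a design choice the answer does not prescribe; the detection part is what explains the email.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Android WebView user-agents carry a "wv" token in the platform section,
# e.g. "... Build/TP1A.220624.014; wv) AppleWebKit/537.36 ..." in the answer's
# sample. Desktop and mobile Chrome user-agents do not carry it.
ANDROID_WEBVIEW_RE = re.compile(r"\bAndroid\b[^)]*;\s*wv\)", re.IGNORECASE)


def is_android_webview(user_agent: str) -> bool:
    """True when the user-agent string identifies an Android WebView."""
    return bool(ANDROID_WEBVIEW_RE.search(user_agent or ""))


# Constructed sample access log (assumed format: <client-ip> <path> "<user-agent>").
# Line 1 reuses the user-agent quoted in the answer; the others are made up.
SAMPLE_LOG = """\
203.0.113.10 /login/google "Mozilla/5.0 (Linux; Android 13; SM-G986U1 Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/111.0.5563.116 Mobile Safari/537.36 WEBVIEW TEST/1.3.1.106 (Phone; anonymous)"
203.0.113.11 /login/google "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Mobile Safari/537.36"
203.0.113.12 /index.html "Mozilla/5.0 (Linux; Android 12; SM-A515F Build/SP1A.210812.016; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/110.0.5481.153 Mobile Safari/537.36"
203.0.113.13 /login/google "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
"""

LOG_LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')


@dataclass
class Request:
    ip: str
    path: str
    user_agent: str
    webview: bool


def parse_log(text: str) -> List[Request]:
    """Parse the assumed log format; lines that do not match are skipped."""
    requests = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        ua = m.group("ua")
        requests.append(Request(m.group("ip"), m.group("path"), ua, is_android_webview(ua)))
    return requests


def webview_login_attempts(text: str, login_path: str = "/login/google") -> List[Request]:
    """Requests to the login path (the one that redirects to Google's
    authorization endpoint) whose user-agent is an Android WebView."""
    return [r for r in parse_log(text) if r.path == login_path and r.webview]


def login_response(user_agent: str, oauth_authorize_url: str) -> dict:
    """Hypothetical decision for the login handler: embedded-webview clients get
    an informational page instead of being redirected into the OAuth flow."""
    if is_android_webview(user_agent):
        return {"status": 200, "action": "show_open_in_browser_page"}
    return {"status": 302, "location": oauth_authorize_url}


if __name__ == "__main__":
    for r in webview_login_attempts(SAMPLE_LOG):
        print(f"webview login attempt from {r.ip}: {r.user_agent[:60]}...")
```

Run against a real log, the count returned by `webview_login_attempts` is the number Google's notice refers to; a non-zero value from a site with no webview login flow of its own matches the scenario the answer describes.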