Getting 403 disallowed user agent in Auth0 Lock for Android


I integrated Auth0 login in my Android application. For this integration I am following this guide: https://auth0.com/docs/libraries/lock-android

It worked fine previously, but now I am facing 403 disallowed user when clicking on Google.

While searching on Google I found this: since April 20, Google decided to block access from embedded WebViews for security purposes; that's why Auth0 login with Google fails.

iOS guys fixed the same issue using:

but I didn't find this for Android.

How do I resolve this? Does anyone have an idea about this?

my piece of code:

compile 'com.auth0.android:lock:2.+'

Auth0 auth0 = new Auth0(getString(R.string.auth0_client_id), getString(R.string.auth0_domain));
            mLock = Lock.newBuilder(auth0, mCallback)
                    //Add parameters to the builder
                    .closable(true)
                    .build(this);
            startActivity(mLock.newIntent(this));

private LockCallback mCallback = new AuthenticationCallback() {
       @Override
       public void onAuthentication(Credentials credentials) {
          //Authenticated
       }

       @Override
       public void onCanceled() {
          //User pressed back
       }

       @Override
       public void onError(LockException error) {
          //Exception occurred
       }
   };

manifest:

<activity
  android:name="com.auth0.android.lock.LockActivity"
  android:label="@string/app_name"
  android:launchMode="singleTask"
  android:screenOrientation="portrait"
  android:theme="@style/MyLock.Theme">
    <intent-filter>
      <action android:name="android.intent.action.VIEW" />

      <category android:name="android.intent.category.DEFAULT" />
      <category android:name="android.intent.category.BROWSABLE" />

      <data
        android:host="quikdeal1.auth0.com"
        android:pathPrefix="/android/{YOUR_APP_PACKAGE_NAME}/callback"
        android:scheme="https" />
    </intent-filter>
</activity>

There are 7 answers

2
OShiffer On

As you said, Google decided to block access from embedded WebViews. The same has happened to me and I just set the user agent myself. It looks like this:

public static final String USER_AGENT_FAKE = "Mozilla/5.0 (Linux; Android 4.1.1; Galaxy Nexus Build/JRO03C) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19";

@Override
protected void onCreate(Bundle savedInstanceState) {
    webView.getSettings().setUserAgentString(USER_AGENT_FAKE);
}
0
Furqan On

Google to block web views from using its OAuth. Reference link

You need to do OAuth through native code, or use some alternative to WebView.
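The browser-based alternative to an embedded WebView mentioned in the answer above, as an added example that is not part of the original answers and not Auth0's own code: the authorization request is opened in a Chrome Custom Tab (androidx.browser) with PKCE instead of being loaded in a WebView. The class name, the method parameters and the `openid profile` scope are assumptions; `domain`, `clientId` and `redirectUri` stand for your own Auth0 values.

```java
import android.app.Activity;
import android.net.Uri;
import android.util.Base64;
import androidx.browser.customtabs.CustomTabsIntent;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Hypothetical helper class, written for this example.
public final class BrowserAuthRequest {
    private static final int B64URL = Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP;

    /** 32 random bytes, base64url-encoded; usable as PKCE code_verifier or as state. */
    public static String newRandomToken() {
        byte[] bytes = new byte[32];
        new SecureRandom().nextBytes(bytes);
        return Base64.encodeToString(bytes, B64URL);
    }

    /** code_challenge = BASE64URL(SHA-256(code_verifier)), i.e. method S256 (RFC 7636). */
    public static String challengeFor(String verifier) throws NoSuchAlgorithmException {
        byte[] hash = MessageDigest.getInstance("SHA-256")
                .digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return Base64.encodeToString(hash, B64URL);
    }

    /**
     * Opens the authorization request in a Custom Tab (or the default browser),
     * so the sign-in page never runs inside the app's own WebView.
     * The caller stores verifier and state until the redirect comes back.
     */
    public static void launch(Activity activity, String domain, String clientId,
                              String redirectUri, String verifier, String state)
            throws NoSuchAlgorithmException {
        Uri authorizeUri = new Uri.Builder()
                .scheme("https").authority(domain).appendPath("authorize")
                .appendQueryParameter("response_type", "code")
                .appendQueryParameter("client_id", clientId)
                .appendQueryParameter("redirect_uri", redirectUri)
                .appendQueryParameter("scope", "openid profile") // assumed scope
                .appendQueryParameter("state", state)
                .appendQueryParameter("code_challenge", challengeFor(verifier))
                .appendQueryParameter("code_challenge_method", "S256")
                .build();
        new CustomTabsIntent.Builder().build().launchUrl(activity, authorizeUri);
    }
}
```

The redirect arrives at the activity whose intent filter matches `redirectUri`, as in the manifest in the question. Compare the returned `state` with the stored one before exchanging the code together with the stored verifier.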

2
Savithu On

As mentioned by @OShiffer, you need to add a fake user agent, but that one is now outdated; you have to use a new one instead. Use this one:

public static final String USER_AGENT = "Mozilla/5.0 (Linux; Android 10; SM-J105H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Mobile Safari/537.36";
4
Nabin Bhandari On

Since Google blocks requests from a WebView, we need to set a user agent ourselves before making the request.

Using a hard-coded fake user agent as given in other answers has a disadvantage. Gmail sends an email to the user telling them that their account has been logged in to from a particular device (which is not their device, and may lead to suspicion).

Using the System's default user agent worked for me.

webView.getSettings().setUserAgentString(System.getProperty("http.agent"));
0
Дмитрий Пупкинг On

Another more attractive way is to remove the WebView wv flag from the real WebView's UserAgent.

According to the Chrome for Android User-Agent Strings documentation:

WebView UA in Lollipop and Above

In the newer versions of WebView, you can differentiate the WebView by looking for the wv field as highlighted below.

Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv)
AppleWebKit/537.36 (KHTML, like Gecko) 
Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36

So you should set User Agent like this:

    webView.getSettings().setUserAgentString(
            webView.getSettings().getUserAgentString().replace("; wv)", ")")
    );

As a result, all important information about device OS, the version of the web engine used in WebView is left for statistics and cross-platform layout, if the site uses it. The page opened in WebView will be displayed as correctly as possible.

Also please note that this approach is relevant if your minSdk is 21. For older versions there is another User-Agent string template (described in the above link).

1
Dylan Lewis On

FYI, I ran into this same issue and struggled with it for a while before realizing that a lot of Android simulators do not come with a valid default browser installed. Simply using a device that had Chrome installed fixed this bug for me. See this really well-detailed answer here: https://github.com/FormidableLabs/react-native-app-auth/issues/716

2
Joby korah george On

It worked for me:

private WebView mWebView;

public static final String USER_AGENT = "Mozilla/5.0 (Linux; Android 4.1.1; Galaxy Nexus Build/JRO03C) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19";

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    mWebView.getSettings().setUserAgentString(USER_AGENT);
}