TLDR: It seems the only way to log in to a 3rd party website that redirects the user to Google for login via OAuth is by using a WebView and "spoofing" the user-agent header, which is doing an end-around of Google's security policy and hence is a Very Bad Thing. Is there a way to handle this without using a WebView?

Details: I'm trying to log into a 3rd party site that, as part of its login flow, redirects to Google via OAuth but doesn't use the Google credentials otherwise. I have this working by:

  • Setting up a WebView
  • "Spoofing" the user-agent header as per this and many other similar answers
    • E.g. wv.getSettings().setUserAgent(System.getProperty("http.agent"))
  • Launching the WebView by sending a request to the 3rd party site, which immediately redirects to Google so the user can proceed through the OAuth login flow
  • Intercepting Google's redirect back to the 3rd party in WebViewClient.shouldOverrideUrlLoading
  • From there I pull a couple of cookies set by the 3rd party from the WebView CookieManager, and using those cookies and the intercepted URL, complete the login at the 3rd party site via a regular HTTP client and get back a bearer token minted by the 3rd party (note NOT a Google token).

The issue is that Google explicitly says not to do this and suggests using Custom Tabs as an alternative, which AFAICT won't work because there's no way to intercept URLs, get cookies, get the response with the token from the 3rd party server, etc.

I've read a few case studies re switching to Custom Tabs, but they all (as expected) would require 3rd party service changes, which is not an option here.

Even though the login currently works, I'm assuming that if I try to release this app as-is on the Play Store (not sure, as I'm a 1st time Android dev) it'll get rejected immediately, or at least at some point. Is there some other way to get the login to work that isn't violating Google's security policies?

elhefe
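For comparison with the WebView flow listed in the question, here is the pattern Google points to instead: launch the login in a Custom Tab and receive the post-login redirect through an intent filter the app owns, so the Google leg runs in the real browser with its own cookies and user agent and no header is spoofed. This is an added example, not code from the question, from Google, or from the 3rd party involved. It assumes the 3rd party's login endpoint accepts `redirect_uri` and `state` query parameters and can redirect to an app-registered URI (`com.example.app:/oauth2redirect` is a made-up scheme); the question states that exactly this kind of 3rd party change is not available, so this shows the policy-compliant shape of the flow rather than a drop-in replacement for that situation. The `state` check is the piece a reviewer would look for: it binds the returning redirect to the launch that started it, so a redirect the app did not initiate is rejected.

```java
// Added example: Custom Tabs login with an app-owned redirect URI.
// Not from the question or any Google/3rd party source; endpoint, parameter
// names and the com.example.app scheme are assumptions.
//
// AndroidManifest.xml entry assumed for this activity (hypothetical):
//   <activity android:name=".LoginActivity" android:launchMode="singleTask">
//     <intent-filter>
//       <action android:name="android.intent.action.VIEW"/>
//       <category android:name="android.intent.category.DEFAULT"/>
//       <category android:name="android.intent.category.BROWSABLE"/>
//       <data android:scheme="com.example.app" android:path="/oauth2redirect"/>
//     </intent-filter>
//   </activity>
package com.example.app;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Base64;
import androidx.browser.customtabs.CustomTabsIntent;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class LoginActivity extends Activity {

    private static final String PREF_STATE = "oauth_state";
    // Hypothetical 3rd party login URL and app redirect URI.
    private static final String LOGIN_URL = "https://thirdparty.example/login";
    private static final String REDIRECT_URI = "com.example.app:/oauth2redirect";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri data = getIntent().getData();
        if (data == null) {
            startLogin();           // normal launch: begin the flow
        } else {
            handleRedirect(data);   // cold start via the redirect URI
        }
    }

    private void startLogin() {
        // Fresh random state per launch; stored so the redirect can be matched.
        byte[] rnd = new byte[32];
        new SecureRandom().nextBytes(rnd);
        String state = Base64.encodeToString(
                rnd, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
        getPreferences(MODE_PRIVATE).edit().putString(PREF_STATE, state).apply();

        Uri login = Uri.parse(LOGIN_URL).buildUpon()
                .appendQueryParameter("redirect_uri", REDIRECT_URI)
                .appendQueryParameter("state", state)
                .build();

        // The Custom Tab is the user's real browser: Google sees a genuine
        // user agent and the user's own session. Nothing is intercepted here.
        new CustomTabsIntent.Builder().build().launchUrl(this, login);
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        Uri data = intent.getData();
        if (data != null) {
            handleRedirect(data);   // singleTask activity already running
        }
    }

    private void handleRedirect(Uri redirect) {
        String expected = getPreferences(MODE_PRIVATE).getString(PREF_STATE, null);
        String received = redirect.getQueryParameter("state");
        // One-shot: clear the stored state whether or not the check passes.
        getPreferences(MODE_PRIVATE).edit().remove(PREF_STATE).apply();

        if (expected == null || received == null
                || !MessageDigest.isEqual(
                        expected.getBytes(StandardCharsets.UTF_8),
                        received.getBytes(StandardCharsets.UTF_8))) {
            // Redirect does not belong to a login this app started: ignore it.
            finish();
            return;
        }

        String code = redirect.getQueryParameter("code");
        // At this point the app exchanges `code` with the 3rd party over a
        // regular HTTPS client for the 3rd party's own bearer token (the same
        // final step the question performs), without reading browser cookies.
        onAuthorizationCode(code);
    }

    private void onAuthorizationCode(String code) {
        // Hypothetical continuation: token exchange with the 3rd party backend.
    }
}
```

The `launchMode="singleTask"` setting is what makes the redirect arrive in `onNewIntent` of the already-running activity rather than a second instance; without it the stored `state` would still be checked, but the user would land in a duplicate screen. `MessageDigest.isEqual` is used only so the state comparison does not leak timing; a plain `equals` would be functionally the same.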

0 Answers