node.js, oauth-2.0, google-oauth, google-signin

OAuth 2.0 Single Client Configuration for Web and Mobile Applications


I’m currently working on integrating OAuth 2.0 into a web application that allows users to authenticate using their Google accounts. The authentication is handled directly in the frontend of our web application using OAuth 2.0. This setup works perfectly fine when accessed through a web browser.

However, challenges arise when this same application is accessed via web views within our Android and iOS mobile applications. Attempting to sign in using Google from the mobile apps fails, presumably because the Google OAuth flow isn’t optimized for handling authentication in mobile web views.

A suggested approach to solve this involves setting up separate OAuth 2.0 clients for Android and iOS in addition to the existing web client. However, managing multiple OAuth clients for essentially the same application seems inefficient and potentially increases the complexity of our system.

I’m contemplating a solution where all authentication requests, regardless of client (web or mobile), are routed through a server. The idea is that both the web frontend and mobile apps would communicate with our server, which would then handle the OAuth authentication with Google on their behalf. This approach could potentially allow us to maintain a single OAuth client configuration.

My question is: would this setup effectively bypass the need for multiple OAuth clients for different platforms?

Any insights or advice on this would be greatly appreciated.

Thanks


Solution

  • As @Gary Archer pointed out, signing in with Google directly from within a webview is prohibited by Google, as they claim the current browser isn't secure or something like that. Converting the webview content to a phone app, however, wasn't an option, so I had to find a workaround. I ended up initiating the Google sign-in process in the webview but opening the Google sign-in popup in a native browser. After the user enters their credentials, they get redirected to a private site where the Google client code is extracted from the URL parameters and sent down to the phone application using universal linking. The phone app then grabs the code and injects it into the webview, where it is exchanged, signing the user in successfully. This works for all three platforms (web, iOS, Android) with only one OAuth client, which is a welcome solution.