yii2-authclient
Take action to continue using Google's OAuth authorization endpoint
Just got an email from Google asking to make changes:
Hello Google Developer,
We're writing to let you know that we detected the use of an embedded webview in requests to Google's OAuth 2.0 authorization endpoint in the past 120 days associated with one or more of your OAuth client IDs listed in this email.
Any affected authorization endpoint requests will be blocked with a disallowed_useragent error starting July 24, 2023. Affected requests to our authorization endpoint will display a [user-facing warning message](https://notifications.google.com/g/p/APHC3cpoTxXiGKjyXeRZXwLCjxuHLET5EylQrEgujbKkdmsS1twYR7tJaQ6sNoEFePRR14MVYabcEZpeb6gLQXPYbqyY3_bb7dGwDANpi0Nb2Xn3ifjApe9aiTdtjyqM7CbP76FXgsxV6EdYx0O0PV5exTp8Wq-qH4bHLHQ7qigniyiZm4ezRCRbCb7OJehuDSWaSOJBiHqEsbd6rm1fGlsF9sDwVRXmCA_rK7g4-kEsb706uUxbHnoFnD9FmMAVE_CyVLl9MvPuCzL271hqAYdqgR4vfjroHFNBKrAw_HXR0Uij_nWaitk7uzaeobBJwk9Qi9lL) starting in May until July 24, 2023.
What do you need to know?
Embedded webview libraries are highly customizable, which can expose Google's login and account authorization pages to potential "man-in-the-middle" attacks. [Google's OAuth 2.0 "Use secure browsers" policy](https://notifications.google.com/g/p/APHC3cq4QTa97yCFbz1g4Pcww07DvotMtlP97bq1uaoWd3kQZKk6qYq-7cLs3m1_pe_L7x39ouD3hxSYPCv1DE8bg8iQW1jSMb_i-cfm5t9bm3BZvJPEv1wsA9c5iTeHFCIrkG7AS7A7J2tYsec94ISMydn0zvi6Fv4WLYArzBO71xfG8xr0qONzpnm_qyPkWFWJHKjyqgHVVCXmjrUzKIfWESn6XZi6P1HUOL03V2P_nV3mhK-LgiYF) helps us protect users from these and other types of attacks.
Examples of affected embedded webview libraries include android.webkit.WebView on Android and WKWebView on iOS or macOS.
What do you need to do?
Review our June 2021 Google Developers blog post, [Security changes to Google's OAuth 2.0 authorization endpoint in embedded webviews](https://notifications.google.com/g/p/APHC3crPsSqD2uZ9Y48ahyKfmxJ5eHuDenNLqrXQag-Mt2rtSCXskOBMJD7W2YVQ_HJ7ncnFEe9CTMCHSohhO4syTwJU4TcfJvaXNhOjvn9cJbsZFIyDI8hJV0N0m9CVM8aq0ybeE9HvHJDXdiouawHKA6Z29PJ_sbvlTo2vN_09IAozOTulhDPgMWgJnIzRs2wZMNeSxltQt5uGmQiHzvBcc73uzvUtPctRnWiMSf3Caa-DY4utA0e-2Hva6H4q0yi-9a38HU5rUCD6pNsd5J6sW_Q5TDdXctZIwPBoL600Ou37ow), to determine potential next steps.
Consider how enterprise and educational users might be impacted by embedded webviews in your app(s).
If you are able to modify the authorization requests of your app, you can choose to [test your application for compatibility](https://notifications.google.com/g/p/APHC3cqYPW2jOJGOAvbhSsimUii-FxLJP4LpideLG3Wp2ZhMJlSRtxjKpmFOJEoKSSYEUstVBInTZcPWXES0yZq2JpjqDzFejs5m6asTA_PjojJVMgffB34clWkn0HMagH35rcPPnBiA6Tec2hnfowMQFysk4xdqTlML71f8ynupI45TPNV4J_M_tuYXY5I1d6EoVhnz1Ne6AN7kzwsoioeciN1wxYXIKjUiR1DeD61o57MNsuHJZFqwbohRqEFSmd8NH6dBxXSIMlCnkMxVX7Y0GIUbgi80wQw_sW_VsMwSJExhR9TnXRYm) with our "Use secure browsers" policy after making the necessary changes.
Note: Suppression of the user-facing warning message is not supported.
Is there an update coming soon to address this? Thanks
| Q | A |
|---|---|
| Yii version | ~2.0.14 |
| Yii Auth Client version | ~2.2.0 |
| Yii HTTP Client version | |
| PHP version | 8.1.7 |
| Operating system | Ubuntu |
Have you tried what's described at https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html#test? Do you have credentials for the specific platform that you use?
@samdark do I add this
1. Go to where you send requests to Google's OAuth 2.0 Authorization Endpoint. Example URI: https://accounts.google.com/o/oauth2/v2/auth
2. Add the disallow_webview parameter with a value of true to the query component of the URI. Example: disallow_webview=true
to the google.php file?
```php
class Google extends OAuth2
{
    /**
     * {@inheritdoc}
     */
    public $authUrl = 'https://accounts.google.com/o/oauth2/auth';
    /**
     * {@inheritdoc}
     */
    public $tokenUrl = 'https://accounts.google.com/o/oauth2/token';
    /**
     * {@inheritdoc}
     */
    public $apiBaseUrl = 'https://www.googleapis.com/oauth2/v1';
    // ... (rest of the class not shown in the post)
}
```
Yes.
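
As an added example (not part of this thread and not yii2-authclient's own code), the test parameter from the steps quoted above can also be sent without editing the vendor `Google.php`, which a Composer update would overwrite: a subclass overrides `buildAuthUrl()`. The class name `GoogleWebviewTest`, its `app\components` namespace and the `disallowWebview` property are hypothetical names chosen for this sketch.

```php
<?php
// Added example: hypothetical subclass, not shipped with yii2-authclient.

namespace app\components; // assumed application namespace

use yii\authclient\clients\Google;

class GoogleWebviewTest extends Google
{
    /**
     * @var bool whether to append disallow_webview=true to authorization
     * requests. Off by default so production requests stay unchanged.
     */
    public $disallowWebview = false;

    /**
     * {@inheritdoc}
     */
    public function buildAuthUrl(array $params = [])
    {
        if ($this->disallowWebview) {
            // Use the string 'true', not a PHP boolean: http_build_query()
            // encodes boolean true as "1", and the steps quoted above ask
            // for the literal value disallow_webview=true.
            $params['disallow_webview'] = 'true';
        }

        // The parent merges $params into the default query parameters
        // (client_id, redirect_uri, scope, ...) and appends them to $authUrl.
        return parent::buildAuthUrl($params);
    }
}
```

Point the `class` key of the Google entry in the application's auth client configuration at this subclass and set `disallowWebview` to `true` only in the environment used for the compatibility test. If the sign-in then fails with `disallowed_useragent`, the login page is being opened in an embedded webview, which is a client-side change rather than something the PHP library can fix.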