Google OAuth 2.0 and Captive portal with Embedded browser

6
votes

Both Android and IOS devices have a mechanism to detect captive portal on Guest Wifi networks. Whenever a captive portal is detected, these devices start an embedded browser in order to show up the captive portal.

My captive portal allows my guest wifi to use their Google auth credentials in order to allow access to my wifi.

The portal triggers an OAuth 2.0 with Google service and get back the user profile.

All was working fine, unfortunately, Google decided to stop supporting OAuth 2.0 in Embedded browser on April 22nd.

https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

As far as I know, there is no way to force IOS or Android devices to start a real browser during the captive portal detection process.

Since this embedded browser can't be controlled, what option do I have to allow my guests to use their Google credentials? If there is no alternative option, I will have to migrate to Facebook auth modules which doesn't have this restriction as of today.

Thanks, William

2
androidioswifigoogle-oauthcaptiveportal
Hi Naveen, Thanks for your feedback. Would you have any news on this topic? Any chance to support Google auth on captive portals after April 22nd ? Thanks WilliamBeorn

2 Answers

4
votes

I'm not cool enough to comment apparently, so I'll just reply that despite @nvagr stating that google will not be broken in the CNA, it is. You cannot log in using Google oAuth on an iOS device. You'll get a 403: disallowed_useragent because it uses the CNA.

3
votes

Update 12/12/19: Google will no longer exempt OAuth clients to enable logging in to a Google account within captive portal assistants. As mentioned in the original post, Google announced in August 2016 that it would remove support for Google Sign-In products displayed inside embedded web views starting on April 20, 2017.

If you are experiencing this issue with Apple captive portals, a user encountering an issue inside Captive WebSheets can currently gain access to the network by taking a few additional steps:

  • Open the Settings app
  • Open the WiFi settings pane
  • Select the info icon next to the network name
  • Turn off Auto-Login for the network
  • Open a website in the Safari browser. Example: https://captive.apple.com/
  • Complete required steps on the captive page presented by the network in Safari

Alternatively, a user could choose to use the network by selecting the "Without Internet" option when prompted and navigating to a URL in the Safari browser.

If you are unable to use Google Sign-In for non-Apple captive portals, Google Sign-in is unfortunately not supported at this time.

Update 1/23/2019: If you do have a client that need to do a sign-in inside the captive portal, please send the client id, description of your portal and users and other details to [email protected]

Update (4/7/2017): For now we have decided that we'll not break the Google sign-ins within captive portals. If you do have a client that is broken, send me the client id.

Thanks William for this note regarding Captive portal. We (Google Identity team) need to do some investigation to decide how to best support your use case. I'll reply back on this thread. Stay tuned.