OAuth behavior changed since Feb. 20 with WebView on Android


#1

On February 21 I got a report from my users that they can’t log in to my app, because at the end of the login process they end up on the Twitch home screen instead of finishing the login process.

1.

Previously on Android with WebView, opening https://id.twitch.tv/oauth2/authorize... would land me on the desktop site, but since that date I land on the mobile version of the site, with the FB login option:

https://id.twitch.tv/oauth2/authorize?client_id=

meanwhile in the background:

shouldOverrideUrlLoading: https://www.twitch.tv/login?client_id=...openid
shouldOverrideUrlLoading: https://m.twitch.tv/login?client_id=...openid&desktop-redirect=true
shouldOverrideUrlLoading: https://www.twitch.tv/login?no-mobile-redirect=true

Also during that time you started using? Arkose Labs’s login protection, which works really well with my emulator:

P.S.: I don’t understand why my emulator was flagged; also I use 2Factor, so I don’t know why I have to deal with this when I use 2Factor, but w/e. Luckily the audio login option works.

shouldOverrideUrlLoading: https://www.twitch.tv/passport-callback#access_token=...

Now here is my problem: I set the redirection URL to localhost, but instead I end up on this https://www.twitch.tv/passport-callback, but it used to be localhost.

Also I explicitly request the OpenID data, but with this I never received it, which broke my app at the time. But I got my requested access_token, and it turns out I don’t need openid anymore.

2.

Mind you, I never set the user agent before, so let’s see what happens when I request the desktop version:

https://id.twitch.tv/oauth2/authorize?client_id=

FB login is gone

shouldOverrideUrlLoading: https://www.twitch.tv/login?client_id=...openid

Finish the login.
shouldOverrideUrlLoading: https://id.twitch.tv/oauth2/authorize?client_id=... +openid
shouldOverrideUrlLoading: http://localhost/#access_token=.... id_token=... &scope=user_read+chat_login+user_follows_edit+openid&token_type=bearer

Guess what, everything works as expected. The only thing I’ve changed was that I explicitly requested the desktop version.

Again, my issue is, previously for years, WebView always ended up on the desktop version, without using a user agent. Am I missing something here?

3.

Now, this is not all! Because all this happened on an API 28 emulator, with WebView version 66.0.3359.158.

If I fire up an API 23 emulator with WebView 44.0…

Opening this https://id.twitch.tv/oauth2/authorize?client_id= with a desktop user agent, the site won’t even load. Every other site loads with the desktop version, except id.twitch.tv

Removing the user agent:

shouldOverrideUrlLoading: https://www.twitch.tv/login?client_id=...openid
shouldOverrideUrlLoading: https://m.twitch.tv/login?client_id=...openid&desktop-redirect=true
shouldOverrideUrlLoading: https://www.twitch.tv/login?no-mobile-redirect=true

First, I have to deal with reCAPTCHA and look for fire hydrants, instead of dealing with Arkose Labs.

Finishing the login:

shouldOverrideUrlLoading: https://www.twitch.tv/login?no-mobile-redirect=true
shouldOverrideUrlLoading: https://www.twitch.tv/?no-reload=true

There is no localhost redirect, there is no passport-callback, no access_token, nothing. I just end up on Twitch’s main page.

I would blame WebView, but the thing is, I had a user who was on Android 6 (Marshmallow), his WebView was (allegedly) up to date and since Feb 20, he couldn’t log in anymore. Eventually he updated his rooted Android box to 7.1 and was able to log in. Is it WebView’s fault, or did you change something that affects the login process based on the Android version, which makes no sense to me?!

So right now my users on Android 6 and below can’t log in anymore. Which makes no sense to me.
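
Added example, not part of the original post and not Twitch's code: a pure-Java check that a `shouldOverrideUrlLoading` handler could call so that tokens are accepted only from the registered redirect URI, and an OpenID response is accepted only when `openid` was granted and an `id_token` came with it. It assumes the registered redirect is `http://localhost`; the class name, method name and sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class OAuthRedirectCheck {
    // Assumption: the app registered http://localhost as its redirect URI, as in the post.
    static final String REDIRECT_SCHEME = "http";
    static final String REDIRECT_HOST = "localhost";

    /** Returns the fragment parameters when url is a complete response on the registered redirect, else null. */
    static Map<String, String> parseRedirect(String url, boolean wantOpenId) throws Exception {
        URI uri = new URI(url);
        if (!REDIRECT_SCHEME.equals(uri.getScheme()) || !REDIRECT_HOST.equals(uri.getHost())) {
            return null; // any other page (e.g. passport-callback) is not our redirect
        }
        String fragment = uri.getRawFragment();
        if (fragment == null) return null;
        Map<String, String> params = new HashMap<>();
        for (String pair : fragment.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) { // URLDecoder also turns '+' into the space that separates scopes
                params.put(pair.substring(0, eq), URLDecoder.decode(pair.substring(eq + 1), "UTF-8"));
            }
        }
        if (!params.containsKey("access_token")) return null;
        if (wantOpenId) {
            String scope = params.getOrDefault("scope", "");
            boolean granted = Arrays.asList(scope.split(" ")).contains("openid");
            if (!granted || !params.containsKey("id_token")) return null; // incomplete OpenID response
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs shaped like the log lines in the post; token values are placeholders.
        String[] urls = {
            "http://localhost/#access_token=TOKEN&id_token=JWT&scope=user_read+chat_login+openid&token_type=bearer",
            "https://www.twitch.tv/passport-callback#access_token=TOKEN",
            "http://localhost/#access_token=TOKEN&scope=user_read+chat_login&token_type=bearer",
        };
        for (String url : urls) {
            Map<String, String> p = parseRedirect(url, true);
            System.out.println((p == null ? "rejected: " : "accepted: ") + url);
        }
    }
}
```

Only the first sample URL is accepted; the other two are rejected, so a login that ends on the wrong page or without the requested `id_token` surfaces as an explicit failure the app can report.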


#2

Can I have an official statement on why the OAuth API doesn’t follow the documentation?

If I’m not providing a desktop user agent, the API doesn’t work as documented, meanwhile previously that wasn’t necessary.


#3

@S0und any luck with finding a better fix for this? I’m having the exact same issue on iOS and since I really can’t change the user agent with the framework I’m using, there’s no way for me to get around this.


#4

Seem to have the same issue on certain browsers on Windows as well; Chromium <70 displays the exact same problem on a few machines I’ve tested.