Both Android and iOS devices have a mechanism to detect captive portals on guest Wi-Fi networks. Whenever a captive portal is detected, these devices start an embedded browser in order to display the captive portal.

My captive portal allows my Wi-Fi guests to use their Google auth credentials in order to get access to my Wi-Fi.

The portal triggers an OAuth 2.0 flow with the Google service and gets back the user profile.

All was working fine; unfortunately, Google decided to stop supporting OAuth 2.0 in embedded browsers on April 22nd.

https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

As far as I know, there is no way to force iOS or Android devices to start a real browser during the captive portal detection process.

Since this embedded browser can't be controlled, what option do I have to allow my guests to use their Google credentials? If there is no alternative option, I will have to migrate to Facebook auth modules, which don't have this restriction as of today.

Thanks, William

Beorn
  • Hi Naveen, Thanks for your feedback. Would you have any news on this topic? Any chance to support Google auth on captive portals after April 22nd? Thanks William – Beorn Feb 05 '17 at 15:43

2 Answers

Update 12/12/19: Google will no longer exempt OAuth clients to enable logging in to a Google account within captive portal assistants. As mentioned in the original post, Google announced in August 2016 that it would remove support for Google Sign-In products displayed inside embedded web views starting on April 20, 2017.

If you are experiencing this issue with Apple captive portals, a user encountering an issue inside Captive WebSheets can currently gain access to the network by taking a few additional steps:

  • Open the Settings app
  • Open the WiFi settings pane
  • Select the info icon next to the network name
  • Turn off Auto-Login for the network
  • Open a website in the Safari browser. Example: https://captive.apple.com/
  • Complete required steps on the captive page presented by the network in Safari

Alternatively, a user could choose to use the network by selecting the "Without Internet" option when prompted and navigating to a URL in the Safari browser.

If you are unable to use Google Sign-In for non-Apple captive portals, Google Sign-in is unfortunately not supported at this time.

Update 1/23/2019: If you do have a client that needs to do a sign-in inside the captive portal, please send the client id, description of your portal and users and other details to oauth-feedback@google.com.

Update (4/7/2017): For now we have decided that we'll not break the Google sign-ins within captive portals. If you do have a client that is broken, send me the client id.

Thanks William for this note regarding Captive portal. We (Google Identity team) need to do some investigation to decide how to best support your use case. I'll reply back on this thread. Stay tuned.

Sebastien
nvnagr
  • Would you have any update on this topic? We almost reached the deadline but there is no alternative available about this issue. – Beorn Mar 20 '17 at 10:24
  • Is there any update? Is it possible that Google did not think about problems of captive portal on android (and iOS)? Captive portals are and will be there for years, I understand the security concerns but just dismissing oauth in embedded views will cause many to remove google login on captive portals. – piacente.cristian Mar 31 '17 at 10:42
  • We are going to allow it to continue to work in captive portal. – nvnagr Apr 08 '17 at 08:24
  • @nvnagr I still see "disallowed_useragent" on iOS device. – jitendra Apr 24 '17 at 17:02
  • If you can list the user agents that you see in your captive portal, that will help. – nvnagr Apr 25 '17 at 00:31
  • Hey @nvnagr, I'm facing the same issue on an iPhone running iOS 10.3.2. Would any additional information be required to further debug the issue / add the device to an exclusion list? I'll share the User Agent in a short while. – Rohan Jul 11 '17 at 09:33
  • Hey @nvnagr, here are a couple of User Agents still facing the issue, any guidance would really help:
    Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1
    Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Mobile/14F89
    – Rohan Jul 25 '17 at 07:01
  • Looks like this issue doesn't happen everywhere. It may depend on the OAuth server you hit. @nvnagr, could you please confirm this assumption? – Beorn Nov 07 '17 at 18:03
  • @nvnagr Any update on this issue? We are encountering it, specifically on an iPhone 6 Plus running iOS 10. – Duy Anh Pham Nov 24 '17 at 09:30
  • Hey, @nvnagr is the help email: oauth-help@google.com? We have a Google Login implementation for the captive portal solution at Mojo Networks that is dependent on this. Can we still request whitelisting on the same email? – Rohan Mar 05 '18 at 07:16
  • @nvnagr I have sent emails to both oauth-help@google.com and oauth-feedback@google.com. It's been a week and no response. I get the feeling that these mailboxes are not monitored. – Gordolio Sep 06 '19 at 16:38
  • @nvnagr I have the same feeling as Gordolio. I sent a lot of e-mails but unfortunately I had no answer either... – Ramon Lucas Oct 09 '19 at 05:11
  • @nvnagr still without an answer... Is there another way to solve it? – Ramon Lucas Nov 12 '19 at 18:00

I'm not cool enough to comment apparently, so I'll just reply that despite @nvnagr stating that Google will not be broken in the CNA, it is. You cannot log in using Google OAuth on an iOS device. You'll get a 403: disallowed_useragent because it uses the CNA.

philzy127
  • Before I get more delete votes, why doesn't someone express a solution to the problem? I merely stated a rebuttal that what someone else stated is clearly incorrect. I personally would VERY MUCH like to know a solution to this problem. – philzy127 Jul 05 '17 at 12:46
  • The solution has been that they have provided me the Google oauth client_id and we have whitelisted those. – nvnagr Nov 07 '17 at 20:32
  • Thank you for explaining, I have sent in my client id. Hopefully this helps me move this project forward. – philzy127 Apr 20 '18 at 19:08
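
An added example, not part of the original posts: a portal-side check that guesses from the User-Agent whether the login page is being rendered in an embedded captive-portal view, and if so shows the manual steps from the first answer instead of starting a Google sign-in that would end in 403 disallowed_useragent. The matching rules, function names and the Android sample string are assumptions of this example, not Google's detection logic.

```python
import re

# The two user agents quoted in the comments above (reported as still failing).
UA_PAGE_WITH_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) "
                       "AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 "
                       "Mobile/14F89 Safari/602.1")
UA_PAGE_NO_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) "
                     "AppleWebKit/603.2.4 (KHTML, like Gecko) Mobile/14F89")
# Constructed sample: Android System WebView marks itself with "; wv)".
UA_ANDROID_WEBVIEW = ("Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PQ1A; wv) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                      "Chrome/74.0.3729.157 Mobile Safari/537.36")

IOS_DEVICE = re.compile(r"\((?:iPhone|iPad|iPod)[;\s]")
ANDROID_WEBVIEW = re.compile(r"Android[^)]*;\s*wv\)")

# Workaround steps taken from the first answer above.
IOS_STEPS = [
    "Open the Settings app",
    "Open the WiFi settings pane",
    "Select the info icon next to the network name",
    "Turn off Auto-Login for the network",
    "Open a website in the Safari browser",
    "Complete required steps on the captive page presented in Safari",
]

def classify(user_agent):
    """Return 'embedded' or 'browser'. Heuristic only (assumption of this example)."""
    ua = user_agent or ""
    # iOS web views report WebKit but omit the trailing Safari/ token.
    if IOS_DEVICE.search(ua) and "AppleWebKit/" in ua and "Safari/" not in ua:
        return "embedded"
    if ANDROID_WEBVIEW.search(ua):
        return "embedded"
    return "browser"

def portal_action(user_agent):
    """Decide what the portal login page should render for this request."""
    if classify(user_agent) == "browser":
        return {"action": "offer_google_sign_in", "steps": []}
    if IOS_DEVICE.search(user_agent or ""):
        return {"action": "show_browser_instructions", "steps": IOS_STEPS}
    # Generic wording for non-iOS devices is an assumption; the page gives none.
    return {"action": "show_browser_instructions",
            "steps": ["Open the portal URL in the device's full browser"]}
```

The first user agent from the comments carries a Safari token, so this heuristic treats it as a full browser even though the commenter reports it failing; a User-Agent check alone cannot catch every case, so keep the instructions reachable from the sign-in page as well.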