I'm implementing a phoneGap application and I want to allow signing from different services (Facebook, Twitter, Google). I am using the childBrowser plugin which is actually a UIWebView.
Whenever I try to load specifically Google's OAuth URL https://accounts.google.com/o/oauth2/auth with or without the specified parameters, the UIWebView is stuck on loading. If I access that URL from mobile Safari, it works.
From a bit of searching (before posting) I came to the conclusion that it must have something to do with the Certificates from Google. UIWebView doesn't allow unsigned certificates, or something like that.
RESOLVED
I had a blank space before https (it was ' https..' instead of 'https..'). This caused the webView to get stuck on loading screen.
Related
Short:
I need help in SSO in Safari, I'm using iFrame and postMessage logic which is working fine in Chrome and Firefox (PC, Mac, Android and iOS) but the catch is in Safari. I tried Storage Access APIs and placed those in iFrame's onLoading event to check access. But the localStorage which I was used to store JWT is not persistent in the iFrame. I'm using Angular 11.
Scenario:
I'm developing few applications which uses same auth site for sso, which was working as expected as I said in short description. But when it comes to Intelligent Tracking Prevention enabled browsers as of now Safari, It blocks the iFrame by considering it as 3rd Party Trackers which is very insane since the iFrame's origin (Domain) is same with Sub-domain used in service sites.
I tried to check the access by using storage access API i.e hasStorageAccess() in window onLoad method in the iFrame's script. If has no access, I called requestStorageAccess(). I'm here not using user gesture and using button click from service site because I'm using angular for frontend framework but in order to request using button in iFrame.(Since, The policy specifies to get access works only after user interaction which is another headache for devs)
I need help to overcome this issue and fix the SSO with ITP. Any guidance is useful and I'll keep updated.
Google is working fine with their sso and services such as YouTube and Mail doesn't need login on every visit. Any idea on how they achieved.
The reason could be that Safari has the option "Prevent cross-site tracking" enabled by default and that can interfere with the SSO login and display of an embedded iframe (because it blocks some cookies).
Solution
Disable (uncheck) the option for "Prevent cross-site tracking" in the Safari configuration menu.
Tip: To achieve a better user experience, using Javascript you can detect when a user is using Safari and show him an HTML message explaining that he needs to disable that option in order to continue or use another browser like Chrome or Firefox.
My question is similar to How to use OAuth with Github in a Safari extension, however, the answer there explains how to use oauth with the older safari extension API. I am trying to use OAuth with the new Safari App Extension API (https://developer.apple.com/library/content/documentation/NetworkingInternetWeb/Conceptual/SafariAppExtension_PG/).
The new API allows the writing of native code, in addition to providing the ability to inject content scripts. Where should I perform the authentication? I also developed a chrome extension, and Google provides an API for retrieving OAuth tokens (https://developer.chrome.com/apps/identity) -- however I do not see anything similar for Safari App Extensions.
Any help is greatly appreciated!
I am currently working on Safari App Extension similar to your needs and the logic, certs (if you use them) persistence, access and refresh tokens all of them goes to the native code. From the SFSafariExtensionHandler you can control the active window/tab and all the pages in the tab, also receive callbacks from the pages.
For the OAuth use any native lib. that solves most of your needs for the logic. I am using this one from AeroGear.
Some adaptation will be needed for the page controlling.
Some dev blogs have published information about the "fb://" url scheme for opening various views in the Facebook iPhone App. No matter how much I've searched, I haven't found one word from any official Facebook source about this.
Since the information is public anyways, I'm sure I'm not the only one who'd like to know, whether using this url scheme is officially approved, am I allowed to use it, does it work correctly, and if it's not approved, will it be and what's the approximate schedule for that?
Thanks in advance for any info on this subject!
It's there to support the iOS push notification system (i.e. you get a push notification that says "Friend's Name tagged you in a photo", and you tap on it, it takes you straight to the photo).
I'd assume it's not intended for third party use and therefore subject to change. Hell, Facebook's public-facing APIs are subject to change on a whim anyhow, so I'd be especially cautious about something they hadn't documented.
It's for iOS only. The iOS API lets you define you own URL scheme, so Facebook must have developed their application to register the fb:// URL scheme on iOS devices. It's not a feature that was created by Apple, it's something you, the developer, can make up.
Here are some resources you can investigate
The Facebook iOS SDK
Here on StackOverflow
A tutorial on how it works (not Facebook-specific)
You can use it from your own applications on iOS, but only if the Facebook application is installed. There are, however, plugins and browser extensions out there that mimic the behavior by handling the fb:// schema on your desktop browser.
I have website link at which I have designed a html/javascript web app. I used iOS and Android app to create an app that encapsulates the web app.
Is there a way to block access to the website link and only allow access to the website link only thru the native apps calling the link.
In short safari, IE, Chrome must not be able to access the link, but the iPhone & Android app should be able to access it.
Is there some way to tell that the app is accessing the site and not the phone or pc browsers.
I am sure there a number of ways to implement this.
Thanks,
It depends on how is the web app implemented. Since native Web Views are pretty much the wrapper for the standard browser (Safari/Chrome), you will find it tough to filter it based on that.
What you can do, however, is to add an extra GET variable (for ex. &ref=youruniquecodehere) or a custom User-Agent, based on which you will be able to identify, whether your application authorized the request (with a proper access code) or if it's a generic request using browser.
However, both of these options can still be bypassed if researched, although it'd require slightly more time. Not sure whether a solution that would work in 100% of cases exists.
Hope that helps, please correct me if I'm wrong.
I've been going through the steps to add a Google+ Sign-in to my web application as found in https://developers.google.com/+/web/signin/
When used in a 'typical' web site, the 'client side' flow works just fine. Now, I'm trying to integrate this Google+ sign inside PhoneGap. Since PhoneGap runs the web page as a file:// URL, the origin that gets sent in the request is file://. In every other PhoneGap I've written, this hasn't been a problem.
However, when I click the Google+ sign in button from my page in PhoneGap, the origin being sent as file:// causes the following error message:
Error: invalid_request
Invalid parameter value for origin: Missing authority: file://
I went to the Google API console and tried to assign file:// as an authorized Javascript origin. But, of course, it doesn't allow file:// to be entered as an origin.
So I'm wondering if anyone has any insight in how to do this kind of web-style (Javascript) Google+ sign in from within PhoneGap (or from a local web page where there is no server - just a page being run as a file://). I really don't want to have to do the sign-in in native code and then integrate the token back over into the 'PhoneGap' realm since that kind of defeats the purpose of writing the app once for multiple platforms.
My understanding is that you cannot use the standard client-side flow with Cordova/PhoneGap because file:// is not a valid origin.
However, you can use the In-App Browser plugin along with window.open, which will allow to initiate a "standard" client-side flow from within the application. You then listen to events on the opened window to deal with the responses.
The plugin works cross-platform so you won't have to maintain multiple native implementations.
The ng-cordova-oauth library implements this for AngularJS.
For more details about the implementation, see this tutorial for details, as well as the Google OAuth documentation.
For file://, the thing works differently.. try this as your origin: http://localhost:4567
or try this tutorial: here