
Re: Google Sign-in deprecation schedule

Posted: Mon Jan 06, 2020 12:29 pm
by salvadordf
ndesktop wrote:
Makes sense. I was considering obtaining an API Key that would be recognized by the GMail team, but I think they will support only well-known mainstream browsers.
Basically being in the list with Chrome, Firefox, Edge etc.

I ran out of ideas - the Google groups conversation started by you did not end with any detail - last post is mine from 05/2019. Did someone contact Google for obtaining API keys for a Chromium browser? How does it work?


Jonathan Skelker said in that forum post that you should contact him if you have questions or concerns.

https://groups.google.com/a/chromium.or ... j1v_cqBgAJ

Re: Google Sign-in deprecation schedule

Posted: Thu Jan 09, 2020 2:05 am
by ndesktop
Jonathan Skelker appears to be out of this.
I'm actually no longer working on this effort, so am copying in the team responsible, +LSB escalations (lsb-escalations@google.com).

However the main problem here is that as the browser is based on Chromium embedded library and as such we can't tell whether the application will be abusive or not. Our recommendation to developers is to move to browser based OAuth. Our LSB help center article has more details.

Regards,
Jonathan

If the Google LSB escalation team says something, I will follow up with details.

Re: Google Sign-in deprecation schedule

Posted: Thu May 07, 2020 3:41 pm
by nycnewman
Is there a way to reach this team as I have an issue with SAML based auth for native apps using embedded browsers. Cannot get any useful response on this from Google.

Re: Google Sign-in deprecation schedule

Posted: Thu May 07, 2020 5:08 pm
by ndesktop
Well, you can try to contact them directly. I was not successful, and, as said before, this was not a Chrome decision, but a GMail team decision.
I think they won't bother much with this, since the only embeddable things are Chrome-based (affected), IE, which is deprecated, and XUL (deprecated as well).
So it makes sense, I think, for GMail team to look only to CEF, Electron etc.

Re: Google Sign-in deprecation schedule

Posted: Fri Jun 19, 2020 11:08 am
by mitchc
First, this is not a Gmail-only item. This is an entire Google ecosystem decision. You are locked out of all Google properties that use Google sign in, all 3rd party websites that use Google sign in to authenticate, and all 3rd party applications that may use Google sign in. This includes many business facing enterprise applications like Google AdWords, YouTube business accounts, Google Analytics, Google Webmaster Tools, etc. This affects a massive portion of the internet traffic and properties available that any user of your 3rd party browser is completely locked out of by Google.

It is clear that Google is happy to wield its monopolistic control over a significant portion of the internet that goes to Google properties, to dictate which browsers consumers are allowed to use and lock out competition. If you do not use one of their approved technologies in your competitive product your users cannot even do basic actions like sign into their email. How large is that effect? Google controls over 12% of internet traffic and 30% of internet connections per Sandvine, and the top internet properties, that also does not include 3rd party websites that use Google auth.

The official recommendation of using "oAuth" is a joke, as it is in no way a solution for any real browser. Even if you complete a valid oAuth authentication through using a browser that Google currently has arbitrarily deemed acceptable for doing so it does not help. That oAuth authentication token cannot be used for logging in as a browser to any of those Google properties, it can only be used for making select API calls and in no way works in a normal browser setting. The other recommendation of "using a progressive web app" also only works if that app is run in one of the select browsers Google has deemed appropriate, and again is not really a valid solution for any actual 3rd party browser.

The lsb-escalations email is an internal only Google address, so cannot be emailed by 3rd parties. A Google employee can email them on your behalf, however it will not help. After over 9 months of arbitrarily slow replies from the Google Switzerland product manager (taking weeks to months on average to get replies) Google's mission is clear. Despite initial claims that any full system browser should work and that they are doing "everything we can do ensure genuine browsers don't get blocked", it is quite the opposite.

As of this week their official position is that "general guidance would be to either build a "full" browser - or to use oauth/ a system browser for the Google login. ... We don't intend to support Google sign-in for consumer accounts in CEF.". By use oauth or a system browser really they mean do _not_ use your browser at all, as even after the login is complete it is unusable. By "build a "full" browser" they really mean build a full system browser using the technology that Google has currently decided is OK for their ecosystem, and has no reflection on what the application itself does.

They are happy to announce however "We are working on more detailed guidance for CEF developers.", the same thing they said over 9 months ago, and the same thing that has yet to be produced.

Today (well really over 9 months ago) Google deemed one of its technologies was not acceptable to be used by browsers, who knows what browser technology will be banned tomorrow. Given Google's vast control on the internet, and ability to disable any browser of their choosing instantly from being able to access all properties, there may be no safe options.

Google has a long history of repeatedly "accidentally" breaking, degrading, or slowing other major browsers like Microsoft Edge and Firefox (or entire platforms like Windows Phone) on their most popular properties, this is one of the reasons that Microsoft switched to a browser based on Google technology to end the cat and mouse game. Little did they know that even Google tech may not be safe...

Re: Google Sign-in deprecation schedule

Posted: Sat Jun 20, 2020 5:25 am
by ndesktop
Well, my scenario *is* a full browser (just not a "system" browser, whatever that might be - I thought a browser is just another app).
And it is part of a well-known top security suite, updated regularly, and having what I'd call some extra layers of defense (no extensions, URL scanning, isolated storage, session erase on close, protected locations, clipboard deterrent, separate secure desktop, dll loader protection, load signed binaries only, kernel driver protection for files, processes and registry, and then some). And they ignored it all the same.
So much for the days when they yelled against proprietary IE. It's almost amusing they are locking out those not playing by their rules having nothing to do with APIs.

Re: Google Sign-in deprecation schedule

Posted: Sun Jun 21, 2020 6:52 am
by mitchc
I also find it humorous that Google has developed bot detection with reCAPTCHA however clearly that product isn't robust enough for their own use to stop login attacks.

Re: Google Sign-in deprecation schedule

Posted: Thu Nov 19, 2020 5:53 am
by cleytoncoro
Hello guys.

I'm logging in to Google using CEF. But just when I'm using a G Suite Account.

Is this a Google Security bug, or is it allowed by the Google team?!

Can someone help me with this question?

I'm creating a service and this login is a very important resource. I can't create it based on a bug.

Thank you everyone.

Re: Google Sign-in deprecation schedule

Posted: Thu Nov 19, 2020 10:13 am
by magreenblatt
cleytoncoro wrote:
Hello guys.

I'm logging in to Google using CEF. But just when I'm using a G Suite Account.

Is this a Google Security bug, or is it allowed by the Google team?!

Can someone help me with this question?

I'm creating a service and this login is a very important resource. I can't create it based on a bug.

Thank you everyone.

Google has stated that this will not be supported. Use at your own risk.

Re: Google Sign-in deprecation schedule

Posted: Tue Apr 20, 2021 8:50 am
by ndesktop
As of 4430:
- paying/G suite login just works
- free accounts (gmail.com, accounts.google.com, youtube.com etc.) do not work.
In order to make it work a patched CEF using another accepted user agent is now required.