Google Sign-in deprecation schedule

Do not post support requests, bug reports or feature requests. Discuss CEF here. Non-CEF related discussion goes in General Discussion!

Re: Google Sign-in deprecation schedule

Postby salvadordf » Mon Jan 06, 2020 12:29 pm

ndesktop wrote:Makes sense. I was considering obtaining an API Key that would been recognized by GMail team, but I think they will support only well-known mainstream browsers.
Basically being in the list with Chrome, Firefox, Edge etc.

I run out of ideas - the Google groups conversation started by you did not end with any detail - last post is mine from 05/2019. Did someone contacted Google for obtaining API keys for a Chromium browser? How does it work?


Jonathan Skelker said in that forum post that you should contact him if you have questions or concerns.

https://groups.google.com/a/chromium.or ... j1v_cqBgAJ
Maintainer of the CEF4Delphi, WebView4Delphi, WebUI4Delphi and WebUI4CSharp projects.
User avatar
salvadordf
Expert
 
Posts: 129
Joined: Sun Dec 18, 2016 8:39 am
Location: Spain

Re: Google Sign-in deprecation schedule

Postby ndesktop » Thu Jan 09, 2020 2:05 am

Jonathan Skelker appears to be out of this.
I'm actually no longer working on this effort, so am copying in the team responsible, [url=mailto:lsb-escalations@google.com]+LSB escalations[/url].

However the main problem here is that as the browser is based on Chromium embedded library and as such we can't tell whether the application will be abusive or not. Our recommendation to developers is to move to browser based OAuth. Our LSB help center article has more details.

Regards,
Jonathan

If Google LSB escalation team will say something, I will follow-up with details.
ndesktop
Master
 
Posts: 748
Joined: Thu Dec 03, 2015 10:10 am

Re: Google Sign-in deprecation schedule

Postby nycnewman » Thu May 07, 2020 3:41 pm

Is there a way to reach this team as I have an issue with SAML based auth for native apps using embedded browsers. Cannot get any useful response on this from Google.
nycnewman
Newbie
 
Posts: 3
Joined: Wed Apr 08, 2020 9:05 am

Re: Google Sign-in deprecation schedule

Postby ndesktop » Thu May 07, 2020 5:08 pm

Well, you can try to contact them directly. I was not successful, and, as said before, this was not a Chrome decision, but a GMail team decision.
I think they won't bother much with this, since the only embeddable things are Chrome-based (affected), IE, which is deprecated, and XUL (deprecated as well).
So it makes sense, I think, for GMail team to look only to CEF, Electron etc.
ndesktop
Master
 
Posts: 748
Joined: Thu Dec 03, 2015 10:10 am

Re: Google Sign-in deprecation schedule

Postby mitchc » Fri Jun 19, 2020 11:08 am

First, this is not a gmail only item. This is an entire Google ecosystem decision. You are locked out of all Google properties that use Google sign in, all 3rd party websites that use Google sign in to authenticate, and all 3rd party applications that may use Google sign in. This includes many business facing enterprise applications like Google adwords, youtube business accounts, Google analytics, Google webmaster tools, etc. This effects a massive portion of the internet traffic and properties available that any user of your 3rd party browser is completely locked out of by Google.

It is clear that Google is happy to wield its monopolistic control over a significant portion of the internet that goes to Google properties, to dictate which browsers consumers are allowed to use and lock out competition. If you do not use one of their approved technologies in your competitive product your users cannot even do basic actions like sign into their email. How large is that effect? Google controls over 12% of internet traffic and 30% of internet connections per sandvine, and the top internet properties, that also does not include 3rd party websites that use Google auth.

The official recommendation of using "oAuth" is a joke, as it is in no way a solution for any real browser. Even if you complete a valid oAuth authentication through using a browser that Google currently has arbitrarily deemed acceptable for doing so it does not help. That oAuth authentication token cannot be used for logging in as a browser to any of those Google properties, it can only be used for making select API calls and in no way works in a normal browser setting. The other recommendation of "using a progressive web app" also only works if that app is run in one of the select browsers Google has deemed appropriate, and again is not really a valid solution for any actual 3rd party browser.

The lsb-escalations email is an internal only Google address, so cannot be emailed by 3rd parties. A Google employee can email them on your behalf, however it will not help. After over 9 months of arbitrarily slow replies from the Google Switzerland product manager (taking weeks to months on average to get replies) Googles mission is clear. Despite initial claims that any full system browser should work and that they are doing "everything we can do ensure genuine browsers don't get blocked", it is quite the opposite.

As of this week their official position is that "general guidance would be to either build a "full" browser - or to use oauth/ a system browser for the Google login. ... We don't intend to support Google sign-in for consumer accounts in CEF.". By use oauth or a system browser really they mean do _not_ use your browser at all, as even after the login is complete it is unusable. By "build a "full" browser" they really mean build a full system browser using the technology that Google has currently decided is OK for their ecosystem, and has no reflection on what the application itself does.

They are happy to announce however "We are working on more detailed guidance for CEF developers.", the same thing they said over 9 months ago, and the same thing that has yet to be produced.

Today (well really over 9 months ago) Google deemed one of its technologies was not acceptable to be used by browsers, who knows what browser technology will be banned tomorrow. Given Googles vast control on the internet, and ability to disable any browser of their choosing instantly from being able to access all properties, there may be no safe options.

Google has a long history of repeatedly "accidentally" breaking, degrading, or slowing other major browsers like Microsoft Edge and Firefox (or entire platforms like Windows Phone) on their most popular properties, this is one of the reasons that Microsoft switched to a browser based on Google technology to end the cat and mouse game. Little did they know that even Google tech may not be safe...
mitchc
Newbie
 
Posts: 5
Joined: Wed Apr 25, 2018 4:26 pm

Re: Google Sign-in deprecation schedule

Postby ndesktop » Sat Jun 20, 2020 5:25 am

Well, my scenario *is* a full browser (just not a "system" browser, whatever that might be - I thought a browser is just another app).
And it is part of a well-known top security suite, updated regularly, and having what I'd call some extra layers of defense (no extensions, URL scanning, isolated storage, session erase on close, protected locations, clipboard deterrent, separate secure desktop, dll loader protection, load signed binaries only, kernel driver protection for files, processes and registry, and then some). And they ignored it all the same.
So much for the days when they yelled against proprietary IE. It's almost amusing they are locking out those not playing by their rules having nothing to do with APIs.
ndesktop
Master
 
Posts: 748
Joined: Thu Dec 03, 2015 10:10 am

Re: Google Sign-in deprecation schedule

Postby mitchc » Sun Jun 21, 2020 6:52 am

I also find it humorous that google has developed bot detection with reCAPTCHA however clearly that product isn't robust enough for their own use to stop login attacks.
mitchc
Newbie
 
Posts: 5
Joined: Wed Apr 25, 2018 4:26 pm

Re: Google Sign-in deprecation schedule

Postby cleytoncoro » Thu Nov 19, 2020 5:53 am

Hello guys.

I'm logging in to google using CEF. But just when I'm using a G Suite Account.

Is this a Google Security bug, or is it allowed by google team?!

Can someone help me with this question?

I'm creating a service and this login is a very important resource. I can't create it based on a bug.

Thank you everyone.
cleytoncoro
Newbie
 
Posts: 1
Joined: Thu Nov 19, 2020 5:43 am

Re: Google Sign-in deprecation schedule

Postby magreenblatt » Thu Nov 19, 2020 10:13 am

cleytoncoro wrote:Hello guys.

I'm logging in to google using CEF. But just when I'm using a G Suite Account.

Is this a Google Security bug, or is it allowed by google team?!

Can someone help me with this question?

I'm creating a service and this login is a very important resource. I can't create it based on a bug.

Thank you everyone.

Google has stated that this will not be supported. Use at your own risk.
magreenblatt
Site Admin
 
Posts: 12379
Joined: Fri May 29, 2009 6:57 pm

Re: Google Sign-in deprecation schedule

Postby ndesktop » Tue Apr 20, 2021 8:50 am

As of 4430:
- paying/G suite login just works
- free accounts (gmail.com, accounts.google.com, youtube.com etc.) do not work.
In order to make it work a patched CEF using another accepted user agent is now required.
ndesktop
Master
 
Posts: 748
Joined: Thu Dec 03, 2015 10:10 am

PreviousNext

Return to CEF Discussion

Who is online

Users browsing this forum: Google [Bot] and 4 guests