Google Login: after app verification on Android 11 devices appears: Error 403 disallowed_useragent

FrancoBaz 16

I made a Xamarin Forms app using Xamarin.Auth 1.7.0 which had no problems in Google authentication until it was waiting the verification of the consent screen. Since the consent screen has been successfully verificated, suddenly on some devices (not all!!!) the authentication produces
"Error 403 disallowed_useragent
Google can't sign you in safely inside this app. You can use Google sign-in by visiting this app's website in a browser like Safari or Chrome"
response_type=code
access_type=offline
scope=https://www.googleapis.com/aut/userinfo.email
Please note that I use
_auth = new OAuth2Authenticator(clientId, string.Empty, scope,
new Uri(AuthorizeUrl),
new Uri(redirectUrl),
new Uri(AccessTokenUrl),
null, true);
and it works perfectly on the Android 9 /10 devices we tried.
After lots of app uninstallations, removing Google accounts on the Android 11 devices, reset Chrome as default browser, exactly one time I managed to authenticate, so the consent screen appeared and the authentication worked, but then trying a counter-proof, after deleting the refresh token on the SecureStorage and trying a new authentication Error 403 always appears.

JessieZhang-MSFT 7,706 Reputation points Microsoft Vendor

2021-06-16T09:00:47.987+00:00

Hi @FrancoBaz , just as this issue mentioned,Xamarin.Auth has being replaced by authentication support in Xamarin.Essentials. So you can use Xamarin.Essentials: Web Authenticator instead.
FrancoBaz 16 Reputation points

2021-06-16T17:51:28.147+00:00

Thanks, but I would like to avoid an extra component on our Apache server. The fact is that our app manages to authenticate successfully on Google, OneDrive, and Dropbox, saving refresh tokens and secrets on secure storage, but in some devices with Android 11 the Google Web Authenticator gives Error 403 instead of the OAuth Consent Screen and choice of the username
JessieZhang-MSFT 7,706 Reputation points Microsoft Vendor

2021-06-17T09:45:54.157+00:00

Is there any device with android 11 works as expected? if no, then it can be the reason that the lib didn't adapt into the new OS, if yes, then it can be other causes maybe we can start with the difference between the worked device and not working devices.
FrancoBaz 16 Reputation points

2021-06-18T07:17:15.25+00:00

Even on Android 11 at least one time the app authenticated successfully, showed the username choice and consent screen obtaining token and refresh token. Trying to discard the refresh token, new authentication request always produces 403 error from the Web Authentication page. Uninstalling the app, rebooting, and installing again, 403 error always occurs. I suspect that some memory of the previous authentication/consent remains on the device or on the authentication server...
On Android 8/9 devices, the app always authenticates well, refresh token works well, and discarding it a new authentication web browser session starts and works.
My scopes are: drive.readonly, photos.readonly, photoslibrary.readonly, but setting only e-mail nothing changes.

Now I'll try to start from a blank project, insert OAuth with just a simple email scope, something like Lariviere sample, obtaining new appId and SHA1 fingerprint...and test on different Android devices.
JessieZhang-MSFT 7,706 Reputation points Microsoft Vendor

2021-06-22T01:53:00.103+00:00

Since we haven't encountered such problem, so we can't give you a definite answer. Hope to create a blank project will be useful. Waitting for your good news.
FrancoBaz 16 Reputation points

2021-06-29T09:01:11.787+00:00

The first time I tried to login from a new blank project using my app credentials, it worked.
But then coming back to the real Xamarin Forms project and trying to change it in order to login to Google from MainPage always produced 403 instead of the choice of the user profile.
After a lot of attempts finally it worked: I saved the refresh token, so when I restart the app no login session is required.
But now the sample blank project with my app credentials, not using the refresh token always 403!!
Before the app was verified, I didn't use the refresh token but the exact day in which the app was verified after the first successful login my device always gives 403.
Then I updated the app to save and use the refresh token and installed it on other devices with succesfully login! But I tried to remove the refresh token from one of the devices, immediately it always gives 403. Sorry I didn't explicitly revoke the token before...
How to connect again if you loose the refresh token?
Nicole Lu-MSFT 96 Reputation points

2021-06-30T03:03:57.273+00:00

As far as I understand the refresh token is to refresh the access token when it expires, and the main token used should be the access token, what about your access token? How are you using it?
FrancoBaz 16 Reputation points

2021-06-30T07:07:06.657+00:00

When the app starts, the refresh token is restored from SecureStorage to produce the token that is used for every command; when the token expires, the error catch clause obtains a new token and all is OK.
The problem is that if the refresh token is lost/discarded a new authentication attempt made by
DependencyService.Get<INativePages>().StartGoogleAuthentication();
almost always produces Error 403.
Only after lots of attempts: app uninstall, device reboot, install again, Google logout from Mail and Chrome apps, disable synchronization, updates to Google Console Consent screen credentials, Visual Studio updates, project cleaning, NuGet packages updates, tested one by one with no success, in the end, I don't know why, StartGoogleAuthentication managed to display the user profile choice.
The problem remains: when I switch from the app debug version to the release one, using another ID client, fingerprint, and SHA1 certificate, to avoid 403 I am bound to make miracles...
FrancoBaz 16 Reputation points

2021-06-30T07:07:55.893+00:00

When the app starts, the refresh token is restored from SecureStorage to produce the token that is used for every command; when the token expires, the error catch clause obtains a new token and all is OK.
The problem is that if the refresh token is lost/discarded a new authentication attempt made by
DependencyService.Get<INativePages>().StartGoogleAuthentication();
almost always produces Error 403.
Only after lots of attempts: app uninstall, device reboot, install again, Google logout from Mail and Chrome apps, disable synchronization, updates to Google Console Consent screen credentials, Visual Studio updates, project cleaning, NuGet packages updates, tested one by one with no success, in the end, I don't know why, StartGoogleAuthentication managed to display the user profile choice.
The problem remains: when I switch from the app debug version to the release one, using another ID client, fingerprint, and SHA1 certificate, to avoid 403 I am bound to make miracles...
Nicole Lu-MSFT 96 Reputation points

2021-07-07T08:37:39.517+00:00

@FrancoBaz Are you using embedded WebView to do the authentication? How about try with https://github.com/xamarin/Xamarin.Auth/blob/master/docs/readme.md#312-native-ui , since the issue only occurs in some devices, it may be helpful to go with native to get some more information. Since we're not able to reproduce your issue, you may try this https://github.com/xamarin/Xamarin.Auth#xamarin-chat---community-slack-team-xamarin-auth-social-room to get more help.

1 answer

Антон Полименов 16 Reputation points

2021-09-27T10:26:14.68+00:00
I had the same issue AND I FOUND HOW TO FIX IT!

I was so angry this was the only page 100% describing my problem without a fix, but I found it my self :)

For all of you having the same issue - Android 11 requires some lines in the app manifest in order to be able to read the browsers installed that supports custom tabs.

In order to do that you need to put the following in your AndroidManifest.xml file:

<manifest ...> <queries> ... <intent> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="https" /> </intent> <intent> <action android:name="android.support.customtabs.action.CustomTabsService" /> </intent> ... </queries> ... </manifest>

This can be see in this manifest file:
https://github.com/AzureAD/microsoft-authentication-library-common-for-android/blob/614c06eb8210069af6d089e6c97e79fb5c8cffb3/common/src/main/AndroidManifest.xml

Beers are more than welcome :)

Best regards,
Anton Polimenov
Please sign in to rate this answer.

3 people found this answer helpful.
FrancoBaz 16 Reputation points

2021-09-28T08:26:10.447+00:00

It worked for me too! Thanks Anton!
I uninstalled the app, installed it again on an Android 11 device, and the Google Drive/Photos authentication displayed the consent page that worked!
I suggest you write your solution as an ANSWER including the code to add to AndroidManifest.xml, so I can vote for you!!!
Sign in to comment