1

Can someone please help me understand why the "Allow" button in the screen below is disabled? We are using a Delphi application to provide user single sign-on with Google, using the TWebBrowser built into Delphi to start the process.

Is there a way to bypass this check? Maybe send other parameters in the URL request? Or other ideas on how we can authenticate with Google using the client_id, etc.? We have been reading similar posts on Stack Overflow, but found no solutions. Thanks.

Here is what our payload looks like:

```
https://accounts.google.com/o/oauth2/auth?
client_id=1000217514248-pqeu5oqj3easr************************&
redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&
response_type=code&
state=995F6663-D8FE-4***************&
scope=openid+email&
code_challenge=0C336C62-1B4E-49F7-*************&
login_hint=test%40test.be&
hd=test.be&
as=S-737348098%3A1615472*****6&
flowName=GeneralOAuthFlow
```

enter image description here

Ken White
  • Does it work if you use the URL directly in IE? – Olivier Mar 12 '21 at 11:23
  • Anyway I think the recommended practice for OAuth2 is to open the default browser with the URL and not try to embed it in your app. – Olivier Mar 12 '21 at 11:26
  • Hello Olivier, yes, in IE it works; I get "Please copy this code, switch to your application and paste it there", which I assume means everything went well. When you mention "open the default browser with the URL", do you mean just open IE directly with the current URL? Since we are trying to emulate SSO, if I log in externally in the browser, how could I get the callback from Google back in my project? Thanks – Tonathiu Redrovan Mar 12 '21 at 11:38
  • 1
    As stated [here](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html): *"we will no longer allow OAuth requests to Google in embedded browsers"* – Olivier Mar 12 '21 at 12:02
  • They probably detect the old user-agent sent by your embedded `TWebBrowser`. – Olivier Mar 12 '21 at 12:03
  • If you embed a web server in your app (which should be possible with Indy), then you can redirect the browser to it after the user gives their consent. – Olivier Mar 12 '21 at 12:10
  • Thanks @Olivier, great info. I'll try to find another way then to SSO with Google; I'll try to open the browser and somehow catch the successful callback. I'll further investigate with Indy, I haven't been familiar with this. Let me know if you have any good links about it. Cheers. – Tonathiu Redrovan Mar 12 '21 at 12:13
  • A quick search gives [this](https://stackoverflow.com/questions/7131093/indy-10-http-server-sample). – Olivier Mar 12 '21 at 12:34
  • Google decided to block all embedded browser sign-ins. Read this for more info: https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html?m=0 – Salvador Díaz Fau Mar 12 '21 at 14:54
  • @TonathiuRedrovan did you get this to work in the end? If so, what was your solution? – David Rose Nov 12 '21 at 11:47
  • We stopped using embedded browsers... we used the common Google services in order to have the pop-up from the default browser in order to log in. – Tonathiu Redrovan Nov 13 '21 at 20:26

3 Answers

1

You need to make sure that you are opening the browser window in the user's installed browser.

You can't open the consent screen from any type of embedded browser or iframe. You need to open a new window in the user's installed browser.

Linda Lawton - DaImTo
1

I had that same problem before. Google is detecting an old and insecure browser and will not allow the authorization to proceed.

I ended up creating a TCustomAuthenticator descendant class for this. This should work on older versions of Delphi.

It implements an OAuth2 Authenticator:

  • Allows authorization via external browser
  • Uses PKCE flow for added security
  • Generates new tokens when they expire (using the refresh token)

In the repository there's a Demo app too.

Feel free to use it if you like: https://github.com/imperyal/delphi-google-oauth2

Imperyal
0

We stopped using embedded browsers... we used the common Google services in order to have the pop-up from the default browser in order to log in. The current Delphi version uses Internet Explorer 11 as its internal browser; I believe that new versions of Delphi have Edge as the internal browser, which will not have the disabled button.