Google has a "secure browser policy", basically banning many browsers embedded into mobile apps, such as Instagram or TikTok, from using Google OAuth 2.0 authentication for single sign-on to websites. According to emails I've been getting from Google, starting in July 2023, they intend to further degrade the user experience in such cases, saying:
Any affected authorization endpoint requests will be blocked with a disallowed_useragent error starting July 24, 2023
As a website developer, I would like to avoid this degraded user experience when users reach my website through such embedded mobile browsers. I would like to change the site's behavior in case it's running in an "insecure" browser, so that it wouldn't offer the user the option of using Google's authentication.
The question is: How can the website tell if Google OAuth would be allowed on the current browser or not?
On the server side - probably the User-Agent header is a good thing to check - but is there any safe and stable way of checking it against Google's policy without obscure heuristics?
On the client side - maybe there is some HTTP call that can be made under the hood to Google, that will tell the client whether Google authentication is supported on this browser?