Posted by: Vikrant Rana, Product Manager
OAuth 2.0 custom URI schemes are known to be vulnerable to app impersonation attacks. As part of our ongoing commitment to user safety and exploring ways to more securely use third-party applications that access Google user data, Google is restricting the use of custom URI scheme methods. These are no longer allowed in new Chrome extensions and are no longer supported by default in Android apps.
To protect users from malicious attackers who can impersonate Chrome extensions and steal credentials, new extensions are no longer allowed to use the OAuth custom URI scheme method. Instead, use the Chrome Identity API to implement OAuth. This is a more secure way to provide OAuth 2.0 responses to your app.
What should developers do?
New Chrome extensions must use Chrome Identity API methods for authentication. Existing OAuth client configurations are not affected by this change, but we strongly recommend migrating to Chrome Identity API methods. In the future, we may disallow custom URI scheme methods and require all extensions to use Chrome Identity API methods.
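As an added illustration of the Chrome Identity API path recommended above (this is example code, not Google's or any project's own), the following Manifest V3 extension module wraps chrome.identity.getAuthToken in a Promise, surfaces chrome.runtime.lastError as a rejection, drops a cached token that the API has rejected with a 401, and includes a small check that flags a non-HTTPS redirect URI such as a custom scheme. The client_id and scope in the comment, the example URL, and the injectable chromeApi and fetchImpl parameters (which let the code run outside a browser) are assumptions for the example.

```javascript
// Added example: OAuth in an MV3 extension via chrome.identity, not a custom URI scheme.
// Assumes manifest.json declares the "identity" permission and an "oauth2" block;
// the values shown here are placeholders, not a real client configuration:
//
//   "permissions": ["identity"],
//   "oauth2": {
//     "client_id": "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com",
//     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]
//   }

// Resolve chrome.identity.getAuthToken as a Promise. `chromeApi` defaults to the
// real `chrome` global; tests inject a fake so the module runs outside the browser.
function getAuthToken(interactive, chromeApi = globalThis.chrome) {
  return new Promise((resolve, reject) => {
    chromeApi.identity.getAuthToken({ interactive }, (token) => {
      // Chrome reports failures (user declined, no signed-in profile, ...) here.
      const err = chromeApi.runtime.lastError;
      if (err || !token) {
        reject(new Error(err ? err.message : "no token returned"));
        return;
      }
      resolve(token);
    });
  });
}

// Forget a cached token the API rejected, so the next getAuthToken mints a fresh one.
function removeCachedToken(token, chromeApi = globalThis.chrome) {
  return new Promise((resolve) => {
    chromeApi.identity.removeCachedAuthToken({ token }, () => resolve());
  });
}

// Call a Google API with a bearer token. Tries a silent token first, falls back to
// an interactive prompt, and on 401 clears the cached token and retries once.
async function fetchWithToken(url, chromeApi = globalThis.chrome, fetchImpl = globalThis.fetch) {
  let token = await getAuthToken(false, chromeApi).catch(() => getAuthToken(true, chromeApi));
  let resp = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (resp.status === 401) {
    await removeCachedToken(token, chromeApi);
    token = await getAuthToken(true, chromeApi);
    resp = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  }
  return resp;
}

// Configuration check: a redirect URI whose scheme is not http(s) is a custom
// URI scheme, the pattern the announcement restricts. chrome.identity's own
// redirect (chrome.identity.getRedirectURL()) is an https://...chromiumapp.org/ URL.
function usesCustomScheme(redirectUri) {
  try {
    const protocol = new URL(redirectUri).protocol;
    return protocol !== "https:" && protocol !== "http:";
  } catch (e) {
    // Unparseable value: treat as suspect rather than silently accepting it.
    return true;
  }
}
```

In a real extension the functions are called from the service worker or popup with the defaults, so only `url` is passed to fetchWithToken; the extra parameters exist so the same module can be exercised with a stand-in chrome object and fetch.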
By default, new Android apps will not be able to make authentication requests using custom URI schemes. Instead, consider using Google Identity Services for Android SDK to deliver OAuth 2.0 responses directly to your app.
What should developers do?
We highly recommend switching your existing apps to use the Google Identity Services for Android SDK. If you’re creating a new app and the recommended alternatives don’t meet your needs, you can enable the custom URI scheme method for your app in the Advanced section of the client configuration page in the Google APIs console.
If an app that uses custom URI scheme methods makes a request that is no longer allowed, you may receive an “Invalid Request” error message. Developers can now see additional error information when testing user flows in their applications: click the “View error details” link to get more information about the error, including its root cause and links to guidance on how to resolve it.