Google’s Social Login use with Captive Portals

Schools that use Google for Education can have hundreds of accounts that can be leveraged in many ways. One of those ways is to give access to a particular SSID on the school’s WLAN. This allows easy administration and accounting of who is using the WLAN.

However, Google decided to block embedded webviews on September 30, 2021. The IEEE had recognized the increased number of attacks on Android webviews and recommended no longer using it in applications.

Mist and others began introducing Social Logins to authorize users on the WLAN. Mist made it so easy that it was just a few clicks, and it worked! Then Google’s enforcement finally made its way to education domains. Then suddenly, iPhones and any device that uses CNA, an unsecured mini browser, stopped working. I have seen this on both Mist and Ruckus.

It isn’t Safari that Google has an issue with. It is the mini browser that Apple’s implementation uses to connect to the captive portal. This is an Apple issue.
https://www.mist.com/documentation/regarding-social-login-with-google-sign-in/

https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html

This only impacts Apple devices. In my testing and customer feedback, Android devices work correctly. My iPad connects but it is slow to do so. Changing the default browser on the Apple device will not help.

Apple will have to comply with Google’s wishes. They’ll have to come up with a way other than WKWebView. It is an in-app browser that can potentially be hijacked.

https://developer.apple.com/documentation/webkit/wkwebview A simple web search raises hundreds of user complaints about the iPhone and Captive Portals. It will take pressure from manufacturers to get Apple to fix this issue.