Security

last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Facebook support for embedded browser on Android

Jump to Best Answer
This thread has been viewed 35 times
  • 1.  Facebook support for embedded browser on Android

    Posted 12 days ago
    Hello,

    4 x ClearPass boxes in cluster 6.9.7
    AOS 8.7.1.5 (10 box cluster)

    We are implementing Guest with social login as the only option (Facebook, Twitter, LinkedIn, Amazon). Facebook announced it was withdrawing support for the Android embedded browser on the 5th Oct, and sure enough login attempts from Android started failing then:

    Deprecating support for FB Login authentication on Android embedded browsers

    But strangely enough in the past week or so it seems to be working again! Has anyone else come across this? Or does anyone have any info about it? While it is good that it is working we want to be sure it is going to keep working!

    Thank you,

    Guy

    ------------------------------
    Guy Goodrick
    ------------------------------


  • 2.  RE: Facebook support for embedded browser on Android
    Best Answer

    Posted 12 days ago
    You should assume that all OIDC-based federated sign-in will be blocked from WebViews in the future and start planning for it.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    So what does that mean in practice? Are there any alternatives?





  • 4.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Currently, the only options are to break out of the captive portal mini-browser or discontinue use of federated sign in on captive portals.

    ------------------------------
    Tim C
    ------------------------------



  • 5.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Thank you Tim,

    So (just so I understand the implications correctly) as far as the Guest social provider logins are concerned does this mean we can't rely on these working in future? At least on devices that use embedded/mini browsers?

    Do you know if device manufacturers are looking at changing the behaviour? Or should we plan to move away from the social provider options that Guest offers? Obviously this has quite a lot of implications for our guest service.

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 6.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Many will stop working in the captive portal mini-browser in the future.

    I can't speak on behalf of any company, but I imagine this is a low priority use case to address.

    ------------------------------
    Tim C
    ------------------------------



  • 7.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Thanks Tim, understood

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 8.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Sorry, one last question. You probably can't answer this, but just in case - do you have any sense of the kind of time-frame we are talking here for the big providers (is there a sense of urgency to this? I guess as it is a security issue there could be)?

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 9.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html





  • 10.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Sorry - one extra question. Regarding Guest social media login options, will Aruba be able to offer an alternative method that will mean Guest social media login is still available (if in a different form)? Is there a method of achieving these logins that Aruba will offer in future releases that bypasses the current issues, or are we all entirely reliant on changes by device manufacturers?


    It seems like there wouod be a demand for Guest social login in future


    ------------------------------
    Guy Goodrick
    ------------------------------



  • 11.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Speaking solely from the industry perspective, the industry goal is to eliminate captive portals. Visitor access would come via federations leveraging Passpoint.








  • 12.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Tell them they're dreaming. How many years have they been trying to make passpoint happen? It's not going to happen. Eduroam just barely works thanks to common interest in a non-profit community, getting companies to give up control of their guest networks is a pipe dream.

    I just wanted to let staff register their personal devices using Azure AD OIDC to save them entering their details manually, but apparently we can't have nice things.





  • 13.  RE: Facebook support for embedded browser on Android

    Posted 11 days ago
    Morning,

    Something we need to nail down in the short term is why Android devices have started working again on Guest despite withdrawal of WebView/mini-browser support for login (they stopped, but appear to be now working again). I tried with/without the FB app installed, both just worked. Does anyone know anything about this?


    Thanks for your help with this - the Facebook question is a big one for us as we haven't deployed Guest yet, and deploying it, only for Android devices to stop working with Facebook a week later would be a big deal! We have Twitter, LinkedIn and Amazon as login options but obviously FB is the biggy.

    Guy



    ------------------------------
    Guy Goodrick
    ------------------------------



  • 14.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Nobody is asking companies to "give up control of their guest network". Technology evolves. This area is evolving. 

    Not sure I understand your comment. eduroam has been running in full production with heavy usage and high user satisfaction for over a decade+.

    RE: Passpoint, sure, the technology has struggled in the past, but the past 2 years have seen exponential adoption.

    Captive portals are wildly insecure and the mini browsers are not capable of supporting modern authentication.

    ------------------------------
    Tim C
    ------------------------------



  • 15.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    Everything that turns up when you google passpoint and openroaming is from two years ago, where have these gains occurred?

    My point about Eduroam is that it's a special case that makes it work fairly well, guest access in other industries won't have the same success factors.

    Even Aruba has two different SSO systems - one to log in here, one to log in to ASP. Identity is hard and I have no confidence in anyone doing it right.

    ------------------------------
    James Andrewartha
    ------------------------------



  • 16.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago
    I'd recommend starting a new thread to discuss/debate this.






  • 17.  RE: Facebook support for embedded browser on Android

    Posted 12 days ago

    Wouldn't it be best to just use a single click accept policy like it's done in retail? I think consumers would rather click "I accept" than use a social login.

    My .02..

    --
    °(((=((===°°°(((================================================





  • 18.  RE: Facebook support for embedded browser on Android

    Posted 11 days ago
    For us this isn't an option unfortunately, we have to have some way of tracing users (however full of gargantuan holes that may be) to keep our security team (and powers further up the chain) happy. But I agree, ideally that would be the simplest and most user friendly.

    ------------------------------
    Guy Goodrick
    ------------------------------