OAuth 2.1 flow isn't easily compatible with mobile app authentication flows via WebViews

[mgoodfellow]

Hi,

As it stands, the new OAuth 2.1 connect screen isn't easily compatible with mobile apps for Android / iOS etc. This is because the flow opens up popup windows for external providers (Facebook / Google etc).

When working with WebViews, a popup window is complex because it isn't natively supported - workarounds exist, but become really problematic with this particular implementation because the popup is opened with about:blank and then redirected via JavaScript to the correct provider URL.

The old OAuth 2.0 flow continued these external provider logins within the current window which is far easier to work with for mobile apps/websites.

I would suggest something like a query parameter on the soundcloud login redirect, e.g. external_provider_mode=no_popup, and if this key isn't present it would default to popup which would be the same as the existing implementation.

Open to any thoughts regarding this!

Cheers

[youssefhassan]

Hey, I will share the word with our authentication team
cc @rbscgh

[youssefhassan]

I shared your thoughts with the auth team and they agreed on the concern and will be taken into account in future iterations. Is it blocking your integration?

[mgoodfellow]

Hi @youssefhassan ,

Yes, this is a blocker for us at the moment. Users cannot login to our app if they login to SoundCloud with an external provider. There might be a hacky workaround that could make it work, but ideally we don’t want to go down that route.

[youssefhassan]

@mgoodfellow It's in our pipeline, sorry for the inconvenience