Why Google Sign-In Fails When Users Click Links From Email Apps

TL;DR

When users click links in email apps (Gmail, Outlook), the link often opens in an in-app browser (WebView). Google blocks OAuth in embedded browsers. You can't force the system browser. Your options are to warn users in the email and detect WebViews to guide them.


The Problem

A user reported they couldn't sign in with Google after clicking a link from our email campaign. They saw this error:

Access blocked: [app name]'s request does not comply with Google's policies

Error 403: disallowed_useragent

The same sign-in worked fine on desktop.

At first it wasn't obvious. Only after looking closely at the screenshot did it click: this was on mobile.


The Root Cause

Since September 2021, Google blocks OAuth sign-in from embedded browsers (WebViews).

On mobile, when a user clicks a link in an email app like Gmail or Outlook, the link opens inside the app's built-in browser, not Safari or Chrome. Google rejects OAuth requests from these environments by design.

From Google's announcement:

Embedded webview libraries are highly customizable, which can expose Google's login and account authorization pages to potential man-in-the-middle attacks.

This affects any app that uses an in-app browser, including Gmail, Outlook, Facebook, Instagram, LinkedIn, TikTok, and others.


Why There's No Magic Fix

This is the frustrating part: there is no reliable way to force a WebView to open the system browser.

The WebView is controlled by the parent app (Gmail, Outlook, etc.), not by your website.

Common attempts that don't work:

  • target="_blank": still opens in the WebView
  • Android intent schemes (intent://): blocked by most apps
  • Universal / App Links: only help if you control the native app

The only escape hatches are user actions:

  • Long-press the link → Open in Safari / Chrome
  • Tap the menu (⋮ or ⋯) → Open in Browser
  • Copy the URL and paste it into a browser

Practical Solutions

Since we can't fix this technically, we handle it at the UX level.

1. Add Instructions in Email Campaigns

Below the CTA button, add a short hint:

📱 On mobile? For Google sign-in to work, open this link in Safari or Chrome. Tap & hold the button → "Open in Browser".

This alone reduced support questions for us.

2. Detect WebViews and Show a Warning

On the sign-in page, detect if the user is in a WebView and show a dismissible warning.

Example detection logic:

const WEBVIEW_PATTERNS = [
  'GSA/',      // Gmail / Google Search App
  'FBAN',      // Facebook
  'Instagram',
  'LinkedInApp',
  'Twitter',
  'TikTok',
  'WebView',
  'wv)',       // Android WebView marker
];

function isWebView(userAgent: string): boolean {
  if (WEBVIEW_PATTERNS.some(p => userAgent.includes(p))) {
    return true;
  }

  // iOS WebView: iPhone/iPad without Safari version string
  if (/iPhone|iPad|iPod/i.test(userAgent) && !/Safari\/[\d.]+/.test(userAgent)) {
    return true;
  }

  return false;
}

Then show a banner like:

โš ๏ธ You're using an in-app browser

Google sign-in may not work here. Tap the menu (โ‹ฎ) and select "Open in Safari" or "Open in Chrome".
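The detection above returns only true/false, but the escape route differs per platform (Safari on iOS, Chrome on Android), so the banner text should too. The following is an added example, not code from the original post: it classifies a User-Agent into a verdict with the heuristic that fired and a platform-specific hint, and exercises it on constructed sample UAs (the assumed marker list and sample strings are illustrative, not captured from devices).

```typescript
// Added example (not the original post's code): classify a User-Agent string so the
// sign-in page can show a platform-specific escape hint. Heuristic only; Google
// enforces the WebView block on its side, so this is pure UX, never a security check.
type Platform = 'ios' | 'android' | 'other';
interface WebViewVerdict { inApp: boolean; platform: Platform; reason: string; hint: string }

// Well-known in-app browser markers (the post's list) paired with the app they denote.
const APP_MARKERS: Array<[string, string]> = [
  ['GSA/', 'Google app / Gmail'],
  ['FBAN', 'Facebook'],
  ['Instagram', 'Instagram'],
  ['LinkedInApp', 'LinkedIn'],
  ['TikTok', 'TikTok'],
  ['wv)', 'Android WebView'],
];

function platformOf(ua: string): Platform {
  if (/iPhone|iPad|iPod/i.test(ua)) return 'ios';
  if (/Android/i.test(ua)) return 'android';
  return 'other';
}

function classifyUserAgent(ua: string): WebViewVerdict {
  const platform = platformOf(ua);
  // The escape route differs per platform, so the banner text should too.
  const hint = platform === 'ios'
    ? 'Tap the share or menu icon and choose "Open in Safari".'
    : 'Tap the menu (three dots) and choose "Open in Chrome".';
  for (const [marker, app] of APP_MARKERS) {
    if (ua.includes(marker)) return { inApp: true, platform, reason: `${app} marker "${marker}"`, hint };
  }
  // WKWebView on iOS: Apple UA without the trailing "Safari/<version>" token that
  // real Safari and Chrome-on-iOS both carry.
  if (platform === 'ios' && !/Safari\/[\d.]+/.test(ua)) {
    return { inApp: true, platform, reason: 'iOS UA without Safari/ version token', hint };
  }
  return { inApp: false, platform, reason: 'no WebView heuristic matched', hint: '' };
}

// Constructed sample UAs (shortened, not captured from real devices) to exercise each branch.
const SAMPLE_UA = {
  androidWebView: 'Mozilla/5.0 (Linux; Android 13; Pixel 7 Build/TQ3A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36',
  gmailIos: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148',
  safariIos: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1',
  chromeIos: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/116.0.5845.96 Mobile/15E148 Safari/604.1',
  desktopChrome: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36',
};
```

Log the `reason` field alongside sign-in failures so false positives (a real browser flagged as a WebView) can be spotted and the marker list trimmed.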


Key Takeaways

  • Google blocks OAuth in WebViews: this is intentional, not a bug
  • You can't force the system browser: only user actions can escape the WebView
  • Guide users early: instructions in emails plus detection in your app
  • UA-based WebView detection is a heuristic: existing npm packages are mostly unmaintained

References