Fix Google 'Access Blocked' Error with Laravel Socialite in In-App Browsers
Solve the Google 'Access Blocked' error when using Laravel Socialite from in-app browsers. Covers embedded browser frames, WebView, and redirect workarounds.
If your Laravel application uses Socialite for Google authentication and users report seeing "Access Blocked: Your request does not comply with Google's secure browsers policy" when trying to sign in from Facebook, Instagram, TikTok, or other in-app browsers, you are not alone. This is a known issue caused by Google's updated browser security policies that block OAuth flows from embedded browser views.
Why Google Blocks In-App Browsers
Starting in 2024, Google began enforcing a secure browser policy for OAuth 2.0 flows. The policy requires that the browser making the OAuth request must be a recognized standalone browser (Chrome, Safari, Firefox, Edge, etc.) — not an embedded WebView or in-app browser. Google's reasoning is that embedded browsers can:
- Capture or log credentials without the user's knowledge
- Inject JavaScript into the OAuth flow
- Spoof the origin and intercept redirects
When a user taps "Sign in with Google" inside Facebook's in-app browser, Google sees the request coming from a WebView and returns the Access Blocked error.
Solution 1: Detect In-App Browsers and Force External Redirect
The most reliable fix is to detect when a user is inside an in-app browser and redirect them to the system's default browser for the OAuth flow. Here is a Laravel implementation using a middleware:
```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class DetectInAppBrowser
{
    public function handle(Request $request, Closure $next): Response
    {
        // userAgent() returns null when the header is missing
        $userAgent = $request->userAgent() ?? '';

        $inAppBrowsers = [
            'FBAN', 'FBAV',         // Facebook
            'Instagram',            // Instagram
            'FB_IAB',               // Facebook in-app
            'FBNL',                 // Facebook Messenger
            'Twitter for iPhone',   // Twitter
            'Twitter for Android',
            'LinkedInApp',          // LinkedIn
            'Snapchat',             // Snapchat
            'TikTok',               // TikTok
            'Pinterest',            // Pinterest
            'Discord',              // Discord
            'Electron',             // Electron apps
        ];

        foreach ($inAppBrowsers as $browser) {
            if (str_contains($userAgent, $browser)) {
                // Store the intended URL in the session
                session()->put('intended_after_oauth', $request->fullUrl());

                // Redirect to the system browser
                return redirect()->away($this->buildExternalRedirectUrl(
                    $request->fullUrl()
                ));
            }
        }

        return $next($request);
    }

    private function buildExternalRedirectUrl(string $url): string
    {
        // Use a custom URL scheme or universal link
        // This opens the system browser
        // The handler behind /open-in-browser should only follow redirect
        // targets on this application's own host (open-redirect risk).
        return 'https://your-app.com/open-in-browser?redirect=' . urlencode($url);
    }
}
```
Frontend Detection Alternative
You can also handle this on the client side with JavaScript, which is often simpler:
```html
<script>
function detectInAppBrowser() {
    const ua = navigator.userAgent;
    const isInApp = /FBAN|FBAV|Instagram|FB_IAB|FBNL|Twitter|LinkedInApp|Snapchat|TikTok/i.test(ua);
    if (isInApp) {
        // Show a button that opens the system browser
        document.getElementById('open-in-browser').style.display = 'block';
        // Or auto-redirect using a custom URL scheme
        // window.location = 'googlechrome://...' on iOS
        // window.location = 'intent://...' on Android
    }
}

// Run once the DOM (and the #open-in-browser element) exists
document.addEventListener('DOMContentLoaded', detectInAppBrowser);
</script>
```
Solution 2: Use a Landing Page with "Open in Browser" Prompt
Instead of trying to auto-detect, always show a landing page before the Google OAuth redirect that instructs users to open the link in their system browser:
```php
<?php
// routes/web.php

use Illuminate\Support\Facades\Route;
use Laravel\Socialite\Facades\Socialite;

Route::get('/auth/google', function () {
    // Store the intended redirect
    session()->put('oauth_intent', 'google');

    return view('auth.choose-browser', [
        // stateless() skips Socialite's session-backed state check, so the
        // callback must call stateless() too and gets no CSRF protection
        // from the OAuth `state` parameter.
        'oauthUrl' => Socialite::driver('google')
            ->stateless()
            ->redirect()
            ->getTargetUrl(),
    ]);
})->name('auth.google');
```
```html
<!-- resources/views/auth/choose-browser.blade.php -->
<!DOCTYPE html>
<html>
<head>
    <title>Continue with Google</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
    <div class="container">
        <h1>Open in Your Browser</h1>
        <p>Please open this page in Chrome or Safari to sign in with Google.</p>
        <button onclick="copyLink()">
            Copy Link to Open in Browser
        </button>
        <p>Or tap the browser menu and select "Open in [Chrome/Safari]"</p>
    </div>
    <script>
    function copyLink() {
        // writeText() returns a Promise and can be rejected in embedded browsers
        navigator.clipboard.writeText(window.location.href)
            .then(() => alert('Link copied! Open it in your system browser.'))
            .catch(() => alert('Could not copy the link. Use the browser menu instead.'));
    }
    </script>
</body>
</html>
```
Solution 3: Custom Chrome Tab / Safari View Controller
For mobile applications using WebView, use Chrome Custom Tabs (Android) or Safari View Controller (iOS) instead of opening the OAuth URL inside your WebView. These are recognized as secure browsers by Google:
- Android: Use Chrome Custom Tabs via the `androidx.browser:browser` library
- iOS: Use `SFSafariViewController` instead of `WKWebView`
```kotlin
// Android — Kotlin
import android.content.Context
import android.net.Uri
import androidx.browser.customtabs.CustomTabsIntent

fun openOAuthUrl(context: Context, url: String) {
    val builder = CustomTabsIntent.Builder()
    builder.setShowTitle(true)
    val customTabsIntent = builder.build()
    customTabsIntent.launchUrl(context, Uri.parse(url))
}
```
```swift
// iOS — Swift
import SafariServices

// Runs inside a UIViewController; oauthUrl is the authorization URL string
let safariVC = SFSafariViewController(url: URL(string: oauthUrl)!)
present(safariVC, animated: true)
```
Solution 4: Update Google Cloud Console Settings
While this will not fix the in-app browser issue entirely, make sure your Google Cloud Console OAuth consent screen is configured correctly:
- Add your domain to Authorized JavaScript origins
- Add your callback URL to Authorized redirect URIs
- Set the application type to Web application (not iOS or Android)
If your app is in Testing mode, add the test user's email explicitly. Google sometimes blocks OAuth flows from testing apps when accessed from non-standard browsers.
Comparison of Solutions
| Solution | Complexity | User Experience | Reliability |
|---|---|---|---|
| Auto-detect + redirect | Medium | Seamless | High |
| Landing page prompt | Low | Friction | Very High |
| Custom Tabs / SFSVC | High (mobile) | Seamless | Very High |
Conclusion
Google's "Access Blocked" error when using Laravel Socialite from in-app browsers is a security policy enforcement, not a bug in your code. The fix is to ensure the OAuth flow runs in a recognized standalone browser. The most practical approach for most Laravel applications is to detect in-app browsers on the server side (via user agent) and redirect users to the system browser, or display a friendly prompt asking them to open the page in Chrome or Safari.
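The client-side hand-off that Solution 1 leaves as commented-out `googlechrome://` and `intent://` lines can be built as follows. This is an added example, not code from the original article; `APP_ORIGIN`, `IN_APP_MARKERS` and the function names are hypothetical, and both URL schemes assume Chrome is installed on the device.

```javascript
// Added example; APP_ORIGIN, IN_APP_MARKERS and all function names are hypothetical.
const APP_ORIGIN = 'https://your-app.com'; // the article's placeholder host

// User-agent markers copied from the article's middleware list.
const IN_APP_MARKERS = [
  'FBAN', 'FBAV', 'FB_IAB', 'FBNL', 'Instagram', 'Twitter for iPhone',
  'Twitter for Android', 'LinkedInApp', 'Snapchat', 'TikTok', 'Pinterest', 'Discord',
];

function isInAppBrowser(ua) {
  return IN_APP_MARKERS.some((marker) => (ua || '').includes(marker));
}

// Accept only targets on our own origin, so a crafted ?redirect= value
// cannot turn the hand-off page into an open redirect.
function safeTarget(raw) {
  try {
    const url = new URL(raw, APP_ORIGIN);
    return url.origin === APP_ORIGIN ? url : null;
  } catch {
    return null;
  }
}

// Returns { kind, url } describing how the page should leave the in-app browser.
function buildHandoffUrl(raw, ua) {
  const target = safeTarget(raw);
  if (!target) return { kind: 'rejected', url: null };
  if (!isInAppBrowser(ua)) return { kind: 'direct', url: target.href };

  // The fragment is dropped: on Android it would collide with "#Intent;...".
  const rest = target.host + target.pathname + target.search;
  if (/Android/.test(ua)) {
    // Chrome intent URL (assumes Chrome is installed).
    return { kind: 'android-intent',
      url: `intent://${rest}#Intent;scheme=https;package=com.android.chrome;end` };
  }
  if (/iPhone|iPad|iPod/.test(ua)) {
    // Chrome for iOS scheme for https links (assumes Chrome is installed).
    return { kind: 'ios-chrome', url: `googlechromes://${rest}` };
  }
  return { kind: 'manual', url: target.href }; // show the "open in browser" prompt
}
```

The host app decides whether a custom scheme is allowed to leave its WebView, so keep the manual "open in browser" prompt visible as a fallback.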
Stefan
SEO engineer and Laravel developer. Building tools to help Laravel applications rank higher in search results.