streamlit-oauth icon indicating copy to clipboard operation
streamlit-oauth copied to clipboard
verified publisher icon dnplus

Pywebview Incompatibility with window.open in OAuth2 Popups

Open LounesAl opened this issue 1 year ago • 1 comments

Description

I am using pywebview to display the Streamlit app that includes an OAuth2 button. The button relies on window.open to open an external popup. While this works perfectly in a standard browser (Chrome/Edge), it fails when the app is embedded in pywebview.

Why pywebview?

I chose pywebview to bundle my Streamlit app into a lightweight desktop application with a native window experience.

Problem

When the button is clicked, window.open fails inside pywebview. The following error appears in the developer console:

Unhandled Promise Rejection: TypeError: null is not an object (evaluating 'r.focus')

I tried replacing window.open with window.location.href = jr; as a workaround, but this results in another issue:

Failed to load resource: the server responded with a status of 403 (Forbidden)

I am not proficient in JavaScript, so I wasn’t able to debug this further.

Steps to Reproduce

  1. Run the following Python code to open the Streamlit app in pywebview:

    import webview

if __name__ == "__main__":
    window = webview.create_window(
        "OAuth2 Window",
        url="http://localhost:8501",
    )
    webview.start()

Related Issues in pywebview

This seems to be related to pywebview’s known limitation where window.open is not supported:

Suggested Fix

It would be great if the streamlit_oauth library could detect environments like pywebview where window.open is unsupported and provide an alternative mechanism, such as navigating directly to the OAuth URL with window.location.href.

LounesAl avatar Jan 20 '25 10:01 LounesAl

Good question! The reason I originally went with window.open is that Streamlit has some security considerations around CORS, which can make direct navigation tricky.

Since you're working with a desktop app, one possible approach might be to open the OAuth link in the system’s default browser and then use something like a universal link or a custom URL scheme to bring the user back to the app. That way, the authentication happens in a supported environment while still allowing the app to retrieve the OAuth token.

That said, I’m not super familiar with implementing this kind of flow myself, but it might be worth exploring. Let me know if you find any good solutions!

dnplus avatar Feb 08 '25 05:02 dnplus