However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework - CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.
Seems they don’t allow this anymore... maybe you need to get them to vet the app or something... I don’t know Google's process for that - I barely use their online services. Maybe they have a strong authentication alternative that could be implemented.
Edit: seems this is what they say:
What developers need to know
The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.
But I never explored this so I can’t help, but maybe this can be useful (first hit), though there might be more recent stuff.
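The browser-based OAuth flow recommended in the quoted announcement, sketched as an added example that is not part of the thread or of Google's post: the app builds an authorization URL with PKCE and a `state` value, hands it to the system browser, and validates the loopback redirect it gets back. The function names, the client ID placeholder, the loopback redirect URI and the scope are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint, opened in the user's own browser.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_auth_url(client_id, redirect_uri, scope, state, challenge):
    """URL to hand to the system browser; the app never sees the password."""
    params = {
        "response_type": "code",
        "client_id": client_id,          # placeholder value supplied by caller
        "redirect_uri": redirect_uri,    # assumed loopback listener in the app
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def code_from_callback(callback_url, expected_state):
    """Extract the authorization code from the loopback redirect, or raise."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Reject responses that were not triggered by this sign-in attempt.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]
```

The URL from `build_auth_url` can be opened with `webbrowser.open()`, so the user signs in inside their normal browser and can see the full address bar; the returned code is then exchanged at the token endpoint together with the stored `code_verifier`.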
I tried to use OAuth and get Google to verify my app, but they want the app to be published on the web page that I own, and that I'll have a privacy declaration page and so on...
Striking the right balance is difficult. Remember you want to use a service for free, so what's in it for them if doing so creates a business risk for them...
That's the cost of security at scale. Apple is doing the same by verifying and authorizing any app published for iOS for example.
There is just so much abuse and so many bad guys out there that they need to protect the consumer, otherwise that will cost them billions in litigation and class actions if something bad happens. They will be asked "what have you done to protect the end user?" and it's also bad for their reputation. (Android has been plagued by security issues since inception because they kept the platform too open and did not focus on security enough).
So you can't blame them for making the entry point high; that will curb risks and create traceability on who is doing what (and associated liability).
Your alternative is to create your own cloud-based system, then you control everything.