How are you supposed to trust SSO popups in desktop and mobile applications?
When I was investigating how to add SSO to a local application to log in to Google Drive, the standard approach seems to be to open a web view window, ask the user to log in, while also opening a localhost web server which will be pinged with the token after the login.
This web view window always prompts for a password since it does not have access to any login cookies in the browser on that system.
This is concerning: it seems I could just as well create a fake Google/GitHub/whatever form and the user has no way of verifying where they are entering the password. Or I could log their password, since I have full control of the popup browser.
Even Windows generates these popups instead of using the browser. Weirdly, SSO providers do not seem to provide a way to have the user enter the password in their preferred browser and then copy some token to the app they want to approve. This turned out to be quite the roadblock when making a CLI program that was supposed to integrate with Google Sheets.
How are users supposed to trust these popups? How can one verify they are genuine? How can programs be developed so that users can trust them (best practices)?
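An added example (not the asker's code) of the loopback flow the question describes, but hardened the way RFC 8252 recommends for native apps: the login happens in the user's own browser (`webbrowser.open`) rather than an embedded web view, the callback is only accepted if its `state` matches, and a PKCE code challenge (RFC 7636) binds the authorization code to this process. The authorization endpoint and client id are placeholders.

```python
import base64, hashlib, secrets, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders (assumptions): substitute the provider's real values.
AUTH_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"

def pkce_pair(verifier=None):
    """Return (verifier, S256 challenge) as defined in RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(32)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_auth_url(redirect_uri, state, challenge, scope="openid"):
    """Authorization request; the loopback redirect_uri carries the port."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def extract_code(callback_path, expected_state):
    """Parse the loopback callback; None if state is missing or mismatched."""
    q = parse_qs(urlparse(callback_path).query)
    if not expected_state or q.get("state", [None])[0] != expected_state:
        return None  # unsolicited or tampered callback: ignore it
    return q.get("code", [None])[0]

class _Handler(BaseHTTPRequestHandler):
    expected_state = None
    code = None
    def do_GET(self):
        type(self).code = extract_code(self.path, self.expected_state)
        self.send_response(200 if self.code else 400)
        self.end_headers()
        self.wfile.write(b"Login received; you may close this tab.")
    def log_message(self, *_):  # keep the CLI quiet
        pass

def run_loopback_flow():
    """Send the user to their own browser; wait for one callback on 127.0.0.1."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    srv = HTTPServer(("127.0.0.1", 0), _Handler)  # port 0 = ephemeral port
    redirect_uri = f"http://127.0.0.1:{srv.server_port}/callback"
    _Handler.expected_state = state
    webbrowser.open(build_auth_url(redirect_uri, state, challenge))
    srv.handle_request()  # blocks until exactly one request arrives
    srv.server_close()
    return _Handler.code, verifier  # both go to the token endpoint next
```

Because the password is typed into the browser the user already trusts (with its address bar and existing session), the app never sees it; the code and verifier returned by `run_loopback_flow()` are then exchanged at the provider's token endpoint.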