Google has deprecated OOB OAuth Flows

[ColdSauce]

Update:

We put out a guide on how to fix this.

---

As of Feb 28th 2022, Google has deprecated OOB OAuth flows.

Just a heads up as the documentation to get the refreshToken relies on the oob flow, and we're seeing 400s when trying to go through that flow.

Example:

[louisgv]

Quite a shame since it's what the official doc for chrome web-store is using: https://developer.chrome.com/docs/webstore/using_webstore_api/

[pgamerx]

That's the reason I am unable to get my refresh token lol

[fregante]

From the linked post, it seems that the temporary fix is to add a &ack_oob_shutdown=2022-10-03 parameter to the URL. Can anyone try? PR welcome if that works.

I think that the tokens generated this way will continue being valid, the problem here is just the process itself (which I'll have to update at some point)

[poma]

adding &ack_oob_shutdown=2022-10-03 didn't work for me

[mismith]

From the linked post, it seems that the temporary fix is to add a &ack_oob_shutdown=2022-10-03 parameter to the URL. Can anyone try?

No luck for me either, sadly

[melink14]

It seems like that parameter will only suppress the warning message for existing projects; new projects are banned from using it.

[rafek1241]

FYI I tried to contact some people that are working at google via linkedin because I couldn't find a way to reach this company. Their support page is a joke for extension developers.

[melink14]

I'm inclined to agree with PlasmoHQ/chrome-webstore-api#12 that the way forward is to run a local server which allows you to use the loopback method as per the docs. There are many cheap ways to start a quick local server so even if there's no special support in this app we can update the documentation if someone tests out the flow!

[rafek1241]

@melink14 but what will we do after that method deprecation?

[louisgv]

@melink14 I will be working on open-sourcing the tool mentioned soon, hopefully by end of this week. Been traveling last month so got a bit jetlag still xD...

@rafek1241 the tool I'm developing will not use the loopback method, but will use the normal OAuth flow to get the refreshToken.

[rafek1241]

@louisgv
If you need any help, contact me ;)

[melink14]

@rafek1241 The loopback method is not being deprecated for desktop apps (only for android and ios).

@louisgv Thanks a lot for the follow up. It should be quite useful! But are you sure you're not using the loopback method? I can't see any other type of recommended flow for desktop applications that were using oob before: https://developers.google.com/identity/protocols/oauth2/native-app#step-2:-send-a-request-to-googles-oauth-2.0-server

[louisgv]

@rafek1241 The loopback method is not being deprecated for desktop apps (only for android and ios).

@louisgv Thanks a lot for the follow up. It should be quite useful! But are you sure you're not using the loopback method? I can't see any other type of recommended flow for desktop applications that were using oob before: https://developers.google.com/identity/protocols/oauth2/native-app#step-2:-send-a-request-to-googles-oauth-2.0-server

Oops my bad, by "loopback method," I was thinking about the method used in the original guide, which used the urn:ietf:wg:oauth:2.0:oob:auto uri to return the tokens, which should be called "Manual copy/paste."

My solution is indeed using loopback for redirect_uri. Somehow my brain linked both redirect_uri and the manual copy/paste thingy to loopback xD

[louisgv]

Just released gcp-refresh-token, source code here.

Let me know if you have any issue (preferably creating an issue under gcp-refresh-token). To use, download your OAuth Client json key into a key.json file, then run:

npx gcp-refresh-token

# or

pnpm dlx gcp-refresh-token

Refers to the readme and this updated guide for more info!

--/U64eCftcNBXxHZRu3

[poma]

Worked for me, thanks! This should be included in the docs now.

[fregante]

Feel free to send a PR to replace the current note in the local guide with a direct link to that package. Something like: Google broke blah blah, use tool XYZ to generate the key and refresh token.

[louisgv]

@fregante done 👍

[fregante]

Please refer to the new guide in #63. You can temporarily read it at:

https://github.com/fregante/chrome-webstore-upload/blob/new-guide/How%20to%20generate%20Google%20API%20keys.md

The solution was to:

• replace the oob with a random redirect_uri on localhost, even if it doesn't exist
• create a "Desktop app" OAuth client instead of "Chrome app"

Let me know if this works for you, this should be easier than running third party code on your machine and even saves a few steps!

[rafek1241]

@fregante I tried your way and last part (console script) didn't work for me.

After using a @louisgv solution:

Thanks

[fregante]

I tried your way and last part (console script) didn't work for me.

@rafek1241 If you got that error, you entered the client ID incorrectly. I just tested it and I got "client secret" missing instead.

Were you able to publish the extension to the store with this new refresh token? This change brings the client secret back into play and chrome-webstore-upload recently dropped support for it. If "Desktop app" requires it, this guide change isn't enough.

It's possible that we're successfully getting the refresh token, but then chrome-webstore-upload will fail.

[fregante]

As feared, using "Desktop app" fails the upload with:

{
  "error": "invalid_request",
  "error_description": "client_secret is missing."
}

The client secret was dropped in v0.5.0 (#46) so if we revert back to "Desktop app" I'll also have to revert to using the client secret.

I tried using "Chrome app" while creating the new token but it does not natively accept localhost as a redirect_uri.

• Has anyone had any success actually uploading the extension with gcp-refresh-token’s token?
• Does anyone know how to set redirect_uri to localhost with "Chrome app"?

[fregante]

I tested the whole workflow and it's now working: https://github.com/fregante/browser-extension-template/runs/6022135901?check_suite_focus=true

npm WARN exec The following package was not found and will be installed: chrome-webstore-upload-cli@2
- Fetching token
- Uploading distribution
- Publishing
Publish successful

Findings:

• the secret-less "Chrome app" was nice while it lasted; Google’s intent with that is to be used via chrome.identity in extensions, so we can't use it anymore
• the client_secret is now required again since we must use Desktop App
• I also tried "Web application" but it also required the secret in the end
• I updated the cli tool to output a better message when the secret is required: Always print the full error chrome-webstore-upload-cli#60

Future:

• Add minimal API keys helper chrome-webstore-upload-cli#61