Replace OOB with loopback 3LO flow #1142

Status: Open. bsidhom wants to merge 3 commits into base: master.

@bsidhom bsidhom commented Oct 11, 2022

The out-of-band flow is deprecated and can no longer be used to authorize new clients: https://developers.google.com/identity/protocols/oauth2/resources/oob-migration#what-is-oob. Desktop clients should be migrated to the loopback flow: https://developers.google.com/identity/protocols/oauth2/resources/oob-migration#desktop-client.

Fixes #1140.

@bsidhom
Author

bsidhom commented Oct 11, 2022

This patch is a bit rough, but I've verified that it works with new clients and also when redirected through a SOCKS proxy. This is important since it's now the only way to authorize a remote server (short of using service account credentials directly).

@indev29

indev29 commented Oct 19, 2022

Thanks for the patch, worked for me!
Got this message after the auth: error closing loopback server: <nil>, is something wrong with handling the response? Everything worked fine, just a suspicious message.

@bsidhom
Author

bsidhom commented Oct 19, 2022

Ah, I think that's an issue due to partially-typed interfaces never evaluating as nil. Anyway, as the contents of the message indicate, there's no error there, so it's fine. Further, this is just supposed to be a (non-blocking) warning when the server fails to shut down cleanly. I'll try to figure out how to fix that nil check.

The out-of-band flow is deprecated and can no longer be used to
authorize new clients:
https://developers.google.com/identity/protocols/oauth2/resources/oob-migration#what-is-oob.
Desktop clients should be migrated to the loopback flow:
https://developers.google.com/identity/protocols/oauth2/resources/oob-migration#desktop-client.
Fixes odeke-em#1140.
@bsidhom
Author

bsidhom commented Oct 19, 2022

Turns out there were 2 problems. I wasn't checking for http.ErrServerClosed and I was printing the wrong error message (err instead of closeErr). Should be fixed now.
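
A loopback redirect receiver of the kind this pull request moves to, with the shutdown handling described in the comment above, as an added Go example (not the code from this pull request). The name `startLoopback`, the state value and the response text are assumptions; it binds only 127.0.0.1 on an ephemeral port, rejects callbacks whose `state` does not match, and treats `http.ErrServerClosed` as the clean-shutdown case.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
)

// startLoopback listens on an ephemeral 127.0.0.1 port; wait blocks for the code.
func startLoopback(state string) (string, func() (string, error), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only, never 0.0.0.0
	if err != nil {
		return "", nil, err
	}
	codes := make(chan string, 1)
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("state") != state || r.FormValue("code") == "" {
			http.Error(w, "invalid callback", http.StatusBadRequest) // keep waiting
			return
		}
		fmt.Fprintln(w, "Authorization received; you can close this tab.")
		select {
		case codes <- r.FormValue("code"):
		default: // a code was already delivered
		}
	})}
	serveErr := make(chan error, 1)
	go func() { serveErr <- srv.Serve(ln) }()
	wait := func() (string, error) {
		code := <-codes
		closeErr := srv.Shutdown(context.Background())
		if sErr := <-serveErr; closeErr == nil && !errors.Is(sErr, http.ErrServerClosed) {
			closeErr = sErr // ErrServerClosed after Shutdown is the clean case
		}
		return code, closeErr
	}
	return "http://" + ln.Addr().String() + "/", wait, nil
}

func main() {
	uri, wait, err := startLoopback("constructed-state") // real code: random state
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect_uri:", uri)
	fmt.Println(wait())
}
```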

@amirkhiz

@bsidhom Thanks for your patch. I really don't know how to use this patch and install it instead of the main one. Could you please help me with this?

yathxyz pushed a commit to yathxyz/drive that referenced this pull request Nov 7, 2022
The out-of-band flow is deprecated and can no longer be used to authorize new clients.
See odeke-em#1142 for a detailed explanation.
Combine different commits into a single patch and commit.
@grovera-md

Hello!! I just completed a fresh installation with the command "go install github.com/odeke-em/drive/cmd/drive@latest", but the authentication step doesn't work. Could you please provide some guidance on the steps/commands required to solve this issue? Best regards

@djtinus

djtinus commented Dec 5, 2022

> Hello!! I just completed a fresh installation with the command "go install github.com/odeke-em/drive/cmd/drive@latest", but the authentication step doesn't work. Could you please provide some guidance on the steps/commands required to solve this issue? Best regards

You have to clone the source and fetch the Pull request. Then build from source and copy the generated binary into the $GOPATH/bin

Steps I've done (with the installation of drive already done with go install github.com/odeke-em/drive/cmd/drive@latest):

~# git clone https://github.com/odeke-em/drive.git
~# cd drive/
~# git fetch origin pull/1142/head:loopback-auth
~# git checkout loopback-auth
~# go build ~/drive/cmd/drive/
~# mv drive $GOPATH/bin/drive

After completing these steps I was able to authenticate the client. Since this is my very first comment on GitHub, feel free to correct me if I'm wrong.

@grovera-md

> You have to clone the source and fetch the Pull request. Then build from source and copy the generated binary into the $GOPATH/bin
>
> Steps I've done (with the installation of drive already done with go install github.com/odeke-em/drive/cmd/drive@latest):
>
> ~# git clone https://github.com/odeke-em/drive.git
> ~# cd drive/
> ~# git fetch origin pull/1142/head:loopback-auth
> ~# git checkout loopback-auth
> ~# go build ~/drive/cmd/drive/
> ~# mv drive $GOPATH/bin/drive
>
> After completing these steps I was able to authenticate the client. Since this is my very first comment on GitHub, feel free to correct me if I'm wrong.

Thank you very much for the clear instructions. I will try them as soon as possible. Best regards

@alievrusik

> Hello!! I just completed a fresh installation with the command "go install github.com/odeke-em/drive/cmd/drive@latest", but the authentication step doesn't work. Could you please provide some guidance on the steps/commands required to solve this issue? Best regards
>
> You have to clone the source and fetch the Pull request. Then build from source and copy the generated binary into the $GOPATH/bin
>
> Steps I've done (with the installation of drive already done with go install github.com/odeke-em/drive/cmd/drive@latest):
>
> ~# git clone https://github.com/odeke-em/drive.git
> ~# cd drive/
> ~# git fetch origin pull/1142/head:loopback-auth
> ~# git checkout loopback-auth
> ~# go build ~/drive/cmd/drive/
> ~# mv drive $GOPATH/bin/drive
>
> After completing these steps I was able to authenticate the client. Since this is my very first comment on GitHub, feel free to correct me if I'm wrong.

Thanks for your comment! After this fix I was able to authenticate, but got an error from Google after authentication:

This app is blocked
This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.

Have you encountered such an issue? How to fix it?

@bsidhom
Author

bsidhom commented Dec 26, 2022

I'm guessing that's because you're using the default client ID. You may need to create your own client id and secret as mentioned here. Note that these environment variables are only used while running drive init (i.e., you only need to set them while authorizing the drive app). Note that this is intended for developers and will require you to jump through some hoops (and possibly update things periodically).

To set up a client ID, you'll need a Google Cloud project. Once you've set up your project, you'll need to enable the Google Drive API. After that, you can go to the credentials page and create a new credential for OAuth. You'll need to select "desktop app" when creating the credentials.

There are some additional security benefits to using your own client secrets (assuming you're vetting the drive client code, only building from source, and keeping your client secrets safe). You'll also get your own quota pool, which is the reason this was historically recommended.

If you don't want to actively manage your own developer project for this purpose, you might also consider switching to Rclone, which I believe supports the new Google OAuth flows. (On the other hand, if you're security-conscious, that's a much larger code base with a larger surface area; but with that, you also have more eyes on the project.)

@jean-christophe-manciot

@djtinus
I've successfully tried your build steps.
However, we lost the environment variables used by drive version:

drive version
drive version: 0.3.9.1
Commit Hash: <CURRENT_COMMIT>
Go Version: <GO_VERSION>
OS: <OS_INFO>
BuildTime: 

I suppose they were populated in drive-gen.
Any suggestion?

@jelabarre59

> I'm guessing that's because you're using the default client ID. You may need to create your own client id and secret as mentioned here. Note that these environment variables are only used while running drive init (i.e., you only need to set them while authorizing the drive app). Note that this is intended for developers and will require you to jump through some hoops (and possibly update things periodically).

Yep, Google trying to make everything MORE hostile to anyone who would dare to use anything outside of their barbed-wire walled garden (look at the discussion about their intentionally-kneecapped Google Photos API https://issuetracker.google.com/issues/80379228 ).

> There are some additional security benefits to using your own client secrets (assuming you're vetting the drive client code, only building from source, and keeping your client secrets safe). You'll also get your own quota pool, which is the reason this was historically recommended.
>
> If you don't want to actively manage your own developer project for this purpose, you might also consider switching to Rclone, which I believe supports the new Google OAuth flows.

The problem with RClone is it doesn't export GoogleDocs to local files. This is the only utility I've seen that can do that. And Google is doing everything (legal or otherwise) to make sure you can't leave their ecosystem. I really need to find an alternative that lets me do my writing from multiple devices/platforms, where I can set the docs to work offline as well.

@jelabarre59

Well, that was a waste of time. Managed to browbeat Google's system to let me access the API, and when I run the sync to bring down all my doc updates, it exits and says "Everything is up-to-date" without pulling ANYTHING. I have definitely done edits recently, so there should be new files.

Yes, I DEFINITELY need to move my docs off of Google. Every week they become more and more arrogant, and more hostile to the end-users.

@hightowe

@jelabarre59 - Newer versions of rclone will export Google Docs to local files. I recently moved to rclone from drive for one of my Google Docs backups (I have several). It worked well. I may move more over after I have some more experience with it and the time to do so.

Successfully merging this pull request may close these issues.

OOB OAuth deprecation: migrate to OAuth loopback mechanism