MarkEdmondson1234 / googleAuthR

Google API Client Library for R. Easy authentication and help to build Google API R libraries with OAuth2. Shiny compatible.
https://code.markedmondson.me/googleAuthR

OAuth out-of-band (oob) flow is deprecated #218

Closed tswast closed 2 years ago

tswast commented 2 years ago

What goes wrong

OAuth out-of-band (oob) flow is deprecated

OAuth out-of-band (OOB) is a legacy flow developed to support native clients which do not have a redirect URI like web apps to accept the credentials after a user approves an OAuth consent request. The OOB flow poses a remote phishing risk and clients must migrate to an alternative method to protect against this vulnerability. New clients will be unable to use this flow starting on Feb 28, 2022.

Key dates for compliance

  • Feb 28, 2022 - new OAuth usage will be blocked for the OOB flow
  • Sep 5, 2022 - a user-facing warning message may be displayed to non-compliant OAuth requests
  • Oct 3, 2022 - the OOB flow is deprecated for existing clients

Expected output

I would expect these clients to migrate to the Desktop flow, with a web server listening on localhost.

Loopback IP address (macOS, Linux, Windows desktop)

To receive the authorization code using this URL, your application must be listening on the local web server. That is possible on many, but not all, platforms. However, if your platform supports it, this is the recommended mechanism for obtaining the authorization code.

When your app receives the authorization response, for best usability it should respond by displaying an HTML page that instructs the user to close the browser and return to your app.

  • Recommended usage: macOS, Linux, and Windows desktop (but not Universal Windows Platform) apps
  • Form values: Set the application type to Desktop app.

For more discussion, see: https://github.com/r-lib/gargle/issues/202
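The loopback receiver that the comment above describes, as an added example written in Python (not in the R that googleAuthR and gargle use); it is not the project's own code, and the response text and the 300-second timeout are assumptions I chose:

```python
# Added example, not googleAuthR's or gargle's own code: a minimal loopback
# receiver for the "Desktop app" flow. The app sends http://127.0.0.1:<port>/
# as redirect_uri in the authorization request, then serves one request.
import html
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def parse_redirect(path: str, expected_state: str) -> str:
    """Return the code from the redirect path, or raise ValueError."""
    query = parse_qs(urlparse(path).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    # A state mismatch means an unsolicited or forged redirect hit the
    # loopback port; it must never be exchanged for tokens.
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, redirect discarded")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            self.server.auth_code = parse_redirect(self.path, self.server.expected_state)
            status, text = 200, "Authorization complete. Close this tab and return to the app."
        except ValueError as exc:
            status, text = 400, str(exc)
        # Escape before embedding: the error text echoes provider-supplied input.
        body = f"<html><body><p>{html.escape(text)}</p></body></html>".encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the user's console quiet


def loopback_listener(expected_state: str) -> HTTPServer:
    """Bind an ephemeral 127.0.0.1 port; redirect_uri is http://127.0.0.1:<port>/."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    server.expected_state, server.auth_code = expected_state, None
    server.timeout = 300  # handle_request() gives up if consent never completes
    return server
```

Generate `state` with `secrets.token_urlsafe(16)`, open the browser on the authorization URL carrying that state and `http://127.0.0.1:<server.server_port>/` as `redirect_uri`, then call `server.handle_request()` once; `server.auth_code` then holds the code to exchange at the token endpoint.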

MarkEdmondson1234 commented 2 years ago

Thankfully, this will mostly be sorted out upstream via gargle/httr, but the proactive heads-up is much appreciated.

For the HTTP server situations, perhaps the JavaScript libraries may be the alternative.