Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0
3.9k stars, 529 forks

Some OAuth flows deprecated soon #4450

Open rrech opened 2 years ago

rrech commented 2 years ago

Hi Ylian!

Some OAuth flows will be deprecated soon. More information here: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html

At this moment, to use the Google Drive backup resource, if one sets and uses a new credential that fits the new Google criteria, it returns an error 400 "invalid_request". The error description can be found here: https://support.google.com/accounts/answer/12379384?hl=en

I don't know if this was addressed yet.

Thanks in advance!

Ylianst commented 2 years ago

So, some OAuth flows will be deprecated, specifically loopback and out-of-band. I don't think MeshCentral uses these, so we should be fine. Regardless of these removals, are you saying the Google Drive auto-backup feature does not currently work?

rrech commented 2 years ago

Sorry about the title, it was implicit that there are "some". I am not a native English speaker, and I ask you to kindly take this into account.

For now, it is working fine.

I've received a communication from Google indicating that the credential I use in MeshCentral will be deprecated. I set a new one, and when I try to use it on MeshCentral, it returns an error informing me that it is an invalid request.

If I misunderstood the situation, I apologize.

rrech commented 2 years ago

Error message when setting a new credential is:


Error 400: invalid_request

You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one or more Google validation rules.

Request details:

The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.

If you’re the app developer, make sure that these request details comply with Google policies.

redirect_uri: urn:ietf:wg:oauth:2.0:oob

soapster commented 2 years ago

+1 for this.

soapster commented 2 years ago

Same for me. My drive backup stopped a few days ago. Today, I went to re-connect it...

Error 400: invalid_request

You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one or more Google validation rules.

Request details:

The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.

If you're the app developer, make sure that these request details comply with Google policies.

redirect_uri: urn:ietf:wg:oauth:2.0:oob

soapster commented 1 year ago

Something to note. If I put the project back to testing on the Google console, the process works. But this will make it so that it will fail in a number of days.

omriasta commented 1 year ago

Yep, this only works for me for about 5-6 days and then stops backups again. This is related to https://github.com/Ylianst/MeshCentral/issues/4358 I wish I knew anything about NodeJS, I would be happy to look at the code but I really don't feel I could help much.

soapster commented 1 year ago

@Ylianst This is still an issue. This only works for a limited time while the project on Google is in testing. If I publish the app on the console, the Google Drive integration fails with the following error.

The strange thing is, this works fine on my setup at work. But I cannot figure out what is different between there and home. At work, we are using a free gmail account, just like I am at home. Maybe you could do a video on the full setup, start to finish on how to make this work.

soapster commented 1 year ago

This is the error details.


zikeji commented 1 year ago

Workaround

Add http://localhost:1/ to your redirect URIs in Google's API Console.


Edit node_modules/meshcentral/meshuser.js, line 4592, and replace urn:ietf:wg:oauth:2.0:oob with http://localhost:1/.

You can use the following one-liner to update the file using sed, you may need to update the file path depending on your install:

sed -i "s/urn:ietf:wg:oauth:2.0:oob/http:\/\/localhost:1\//" ~/node_modules/meshcentral/meshuser.js

Then restart MeshCentral (go to the console in MeshCentral and type "resetserver"). As of the latest version it seems like MeshCentral reinstalls itself from npm every time it restarts, and I had to wait until the meshuser.js file got acquired to apply the change. There is probably an easier way though.

You can then go through the normal steps, and when you get redirected you'll find the code in the URL which you'll copy. You'll get redirected to http://localhost:1/?code=CODE&scope=https://www.googleapis.com/auth/drive.file. Just copy the code, not the scope part, and supply that code.

Then go to the console and run autobackup to test it. If it succeeds, you're good to go! This workaround is only needed for setting it up; once it is working there should be no issue.

Important: Google Cloud API Publishing Status:

When you create your API credentials in Google Cloud, go to the "OAuth Consent Screen" page and make sure you set the publishing status to production. If it is in testing status your token will expire after 7 days.

Google Cloud Step-By-Step

This guide assumes you are accessing Google Cloud from an account that hasn't access it before.

1) Click the link provided by MeshCentral (or go here)
2) Agree to the Terms of Service.
3) Click "Select a project" at the top left, then "New Project" at the top right.
4) Name the project and confirm creation.
5) It'll take a moment, then it'll redirect you to a page for the Google Drive API with an "Enable" button at the top left. Click "Enable".
6) Click "OAuth consent screen" on the left sidebar.
7) Click "External" and then "Create".
8) Give the app a name, select the user support email, add developer contact information, click "Save and continue".
9) Click "Cancel" on the next page (Scopes).
10) Under "Publishing status" click "Publish App", then "Confirm".
11) Click "Credentials" on the left sidebar.
12) Click "Create Credentials" then "OAuth client ID".
13) Select "Web application" for application type, give it a name, and under "Authorized redirect URIs" add http://localhost:1/. Finally, click "Create".
14) Copy and save the Client ID and Client secret. You will use these in MeshCentral.

After you applied the change mentioned at the top of this comment


These instructions still work on 1.1.11, I just checked / verified on 9/14/2023.

omriasta commented 1 year ago

@zikeji this works for me but it still stops working after about a week. Then I need to disconnect and reconnect, same as before.

omriasta commented 11 months ago

Actually, I think it now works for me, the issue is that the app must be in production AND use the above hack from @zikeji

zikeji commented 11 months ago

Ah, yes, a Google API project that is in testing mode automatically invalidates each token after a week since it's for "testing". I also just found that out the hard way in another project.

omriasta commented 11 months ago

yep, and when you create credentials in the google cloud console, make sure you select web application as the type.....for anyone else looking on here. Hopefully the dev can write this in so that meshcentral can just capture the code....I have just never written anything for node....

si458 commented 11 months ago

I can look into this next week, So does the Google drive not work at all? Are there certain steps we have to follow for it to work currently?

omriasta commented 11 months ago

If the "app" is set to testing, it will work as it is right now, but the token expires every few days and needs to be set up again. If the "app" is set to production, the current setup gives the oob error above. Modifying as per @zikeji above will work in production, but it requires manually copying the code from the browser to the MeshCentral interface.

zikeji commented 11 months ago

I can look into this next week, So does the Google drive not work at all? Are there certain steps we have to follow for it to work currently?

I just updated to 1.1.11 and reset my configuration to double check / update my instructions here https://github.com/Ylianst/MeshCentral/issues/4450#issuecomment-1427431575

The reason it fails is because MeshCentral uses a removed feature that would get the oauth screen to display the code afterwards, now you must redirect. My workaround changes the redirect URI in the code (which is necessary vs. just altering the URL) and then you copy the URL from the GET parameters.

In terms of fixing this in MeshCentral itself, the solution would be to remove the "Code" entry step of the little wizard and instead add a path to express that handles the redirect from Google, and updating the instructions in the wizard to have you input the proper redirect URI into Google Cloud. e.g. https://mesh.domain.com/oauth/callback. Then that path just reads code from the GET params and saves that to the database.

(also adding a note about the app being in testing mode on Google Cloud like I mention in my comment)

si458 commented 11 months ago

Thank you @zikeji for the very helpful hints!

Similar to how we do the oauth of logins and sso! Got u!

omriasta commented 11 months ago

And after that we can update the documentation on how to setup everything in the Google cloud console.

soapster commented 11 months ago

Workaround

Thank you @zikeji I found the instructions clear, and I was able to implement the changes. Working so far. We'll see in a couple of weeks!

soapster commented 5 months ago

Well, I haven't touched this since my last comment. It's still working.

alasdaircs commented 3 weeks ago

+1 : @zikeji workaround seems good. Clearly a proper web flow with working return URI is required. I would give it a go if it were C# but I'm not a Node dev...

The formal docs for the deprecation of OOB flow are here: Out-Of-Band (OOB) flow Migration Guide