alangrainger / obsidian-google-photos

Connect to Google Photos from Obsidian
GNU General Public License v3.0
89 stars 5 forks

Access and Refresh token expiring / ability to auto refresh #49

Open aaachen opened 3 months ago

aaachen commented 3 months ago

Hi, thanks for creating this plugin

I notice that the access token expires after 7 days or so and it requires me to re-authenticate

From the initial README I was under the impression that the authentication step only needs to be done once and not every now and then

I just want to confirm

  1. Whether this is the same behavior others/the creator experience and are aware of it
  2. Is there a way to auto refresh the access token (I tried in Postman and got this error, which indicates probably not?)

alangrainger commented 2 months ago

Hi @aaachen - I think this might be something specific to your vault / your installed plugins / your firewall setup...?

I don't ever have to re-authenticate on any of my main or test vaults, and I haven't seen this issue reported before, so it might be something specific to you.

I'll close the issue since I'm not able to replicate, but if you can do some testing that would be great. If you end up finding a cause for it please let me know and if it's possible to fix I will do so.

aaachen commented 2 months ago

That's weird, just to double check, is your Obsidian Google app left in the Testing environment? I believe this is the end state of the setup

Screenshot of mine from the OAuth consent screen tab: [image]

The likely cause is that the refresh token expires after 7 days if the app is in the Testing environment (according to the docs and this thread):

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days, unless the only OAuth scopes requested are a subset of name, email address, and user profile

alangrainger commented 2 months ago

Thanks for finding that. I can confirm that one of my Google Cloud projects is in Production, and the other is still in Testing.

I will need to do some testing from this end to find out whether:

  1. People need to put their project into Production status, and the security impact of that.
  2. Whether I can replicate the issue in Testing status, and if there's anything which can be done about the refresh interval.

It's strange that I haven't had this complaint more often, as the setup docs do leave the project set in the Testing status, but maybe everyone is just dealing with the weekly annoyance?

MiroStW commented 3 weeks ago

I am dealing with the weekly annoyance, but it's still worth it ;-) I'd love a fix and would be happy to help. Also, my extra annoyance is that I have a separate config folder for mobile, so after every reauth I'll need to copy my google-photos plugin folder to the mobile config folder so that the plugin also works there :D

MiroStW commented 3 weeks ago

According to this, the users would need to switch their publishing status to production to not reauthenticate every 7 days. I am unsure about the security impact, it says that anyone with a google account can access the app. I think that doesn't mean that they could see the photos of the owner of the app, but I guess they could exploit his API key for their own usage? I would assume you can put a policy in place to avoid that, somewhere in the depth of GCP...

alangrainger commented 3 weeks ago

I'm so sorry I didn't reply earlier!

Yes, you can switch to Production without any issues. While an app is "accessible" to the public, they would require your client ID and secret to be able to authenticate with your Google Cloud app and access your data.

So no risk there, you can simply switch to production. I will update the docs with the same.
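
The failure mode discussed in this thread (a refresh token that Google stops honouring after 7 days while the project is in Testing status) shows up at the token endpoint as an `invalid_grant` error rather than as a new access token. The following is an added example, not code from the obsidian-google-photos plugin, showing how a client can tell a routine access-token refresh apart from that dead-refresh-token case and prompt for re-authentication instead of failing silently. The token endpoint URL and the `invalid_grant` error code are Google's documented OAuth 2.0 values; the credentials, the fake `fetch` and the sample responses are constructed placeholders so the example runs offline.

```javascript
// Added example, not the plugin's own code: an OAuth 2.0 refresh-token handler
// that distinguishes a normal refresh from a refresh token that has expired or
// been revoked (the 7-day expiry of a project still in "Testing" status).
// Endpoint and error code are documented Google OAuth values; credentials and
// responses below are constructed placeholders, not captured data.

const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';

// Form-encoded body for a refresh_token grant (RFC 6749 section 6).
function buildRefreshBody(clientId, clientSecret, refreshToken) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
    grant_type: 'refresh_token',
  }).toString();
}

// Decide whether a stored access token should be refreshed now. `skewMs`
// refreshes a little early so an API call never races the expiry instant.
function needsRefresh(expiresAtMs, nowMs, skewMs = 60000) {
  return nowMs + skewMs >= expiresAtMs;
}

// Interpret the token endpoint's reply and tell the caller what to do next:
//   ok             - use the new access token until `expiresAtMs`
//   reauthenticate - the refresh token itself is dead (e.g. the 7-day expiry
//                    of a Testing-status project); prompt the user to sign in
//   retry          - transient server or rate-limit failure; keep old tokens
//   fail           - any other error (bad client credentials, etc.)
function classifyTokenResponse(status, body, nowMs = Date.now()) {
  if (status === 200 && typeof body.access_token === 'string') {
    const lifetimeSec = Number.isFinite(body.expires_in) ? body.expires_in : 3600;
    return { action: 'ok', accessToken: body.access_token, expiresAtMs: nowMs + lifetimeSec * 1000 };
  }
  if (status === 400 && body.error === 'invalid_grant') {
    return { action: 'reauthenticate', reason: body.error_description || 'invalid_grant' };
  }
  if (status === 429 || status >= 500) {
    return { action: 'retry', reason: `HTTP ${status}` };
  }
  return { action: 'fail', reason: body.error || `HTTP ${status}` };
}

// Network wrapper; `fetchImpl` is injected so the logic can be driven offline.
async function refreshAccessToken(creds, fetchImpl = fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildRefreshBody(creds.clientId, creds.clientSecret, creds.refreshToken),
  });
  return classifyTokenResponse(res.status, await res.json());
}

// Constructed replies (not captured from Google): a healthy refresh and the
// expired-refresh-token case. The error_description text is a placeholder.
const SAMPLE_OK = {
  status: 200,
  body: { access_token: 'ya29.constructed-token', expires_in: 3599, token_type: 'Bearer' },
};
const SAMPLE_EXPIRED = {
  status: 400,
  body: { error: 'invalid_grant', error_description: 'constructed: refresh token expired' },
};

// Minimal stand-in for fetch that returns one of the constructed replies.
function fakeFetch(sample) {
  return async () => ({ status: sample.status, json: async () => sample.body });
}

async function demo() {
  // Placeholder credentials; a real client reads these from its settings.
  const creds = { clientId: 'placeholder-client-id', clientSecret: 'placeholder-secret', refreshToken: 'placeholder-refresh' };
  for (const sample of [SAMPLE_OK, SAMPLE_EXPIRED]) {
    const result = await refreshAccessToken(creds, fakeFetch(sample));
    console.log(result.action, result.reason || '');
  }
}

demo();
```

The useful part for a plugin is the `reauthenticate` branch: when the endpoint answers `invalid_grant`, no amount of retrying will help, so the client should discard the stored refresh token and show the sign-in prompt. Moving the project to Production, as described above, removes the 7-day expiry; this handler still catches the remaining cases where a refresh token is revoked (the user removes the app's access from their Google account, for example).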