totally a non issue, but not sure where else to ask

[joebeem]

I am a former user of the old repo and needless to say was very upset (as were the rest of us) to learn about what had transpired over this past weekend.

Given that it seems that the owner of this github is basically taking ownership of the issue and seems to be willing to help out and/or attempt fixing the issue in the event amazon replies, I was wondering if there is a place we can donate funds for the time and effort?

I certainly appreciate anyone's assistance in getting this project running again and I am willing to bet that others would gladly be willing to donate as well.

This also applies to the original repo of acd_cli if the owner reappears or contributes to the fix. Sorry for opening an issue for this, feel free to remove. Since I am unfortunately not advanced enough in programming, I would just like to help out anyway possible.

Thanks.

[shadycuz]

No this is the right place and it's something on my mind as well. I'm sure once we know if AWS will grant us another key we will start making preparations but first we need another key. They might even ask to see our Auth code first which as of right now does not exist.

[hjone72]

I could be wrong here, but my understanding is that there was an issue with appspot (the authentication) not acdcli itself. Shouldn't using your own security profile should resolve the issue?

EDIT: Just had a read through this and the consensuses seems to be that you can't create your own security profile. This isn't accurate.

I'm making some instructions now.

[hjone72]

1. Navigate to: https://developer.amazon.com/
2. Sign in.
3. Click 'Apps & Services' (at the top beside the 'dashboard' button)
4. 'Security Profiles' (at the top on the new menu that appears below 'Apps & Services')
5. Create new security profile.
6. Give it a name and description, this isn't important it only for your use.
7. Click on 'Login with Amazon' (at the top in the same menu as step 4)
8. Select your security profile from the drop down and click 'Confirm'
9. Fill out the information, this again doesn't matter as only you are using it. (http://localhost.com/index.html is what I used for this example)
10. Hover over the new profile and click the 'settings cog' to the far right and click 'Web Settings'
11. Enter your allowed origins and return URL (localhost for both).
12. ?????
13. Profit!

[shadycuz]

@hjone72 You can make a security profile sure, but you can't attach it to ACD because the API is closed. The appspot was from the original Repo owner who had an ACD API key, which has now been revoked.

[hjone72]

@shadycuz, Mine is still currently working. Will it just eventually stop? or can new people not authorize it? I'm still not sure what the problem is?

[shadycuz]

@hjone72 You are still using acdcli? What happens when you run acdcli sync

[hjone72]

it worked.

Getting changes...... Inserting nodes........

[shadycuz]

hmm, most likely your token just hasn't expired yet.

[hjone72]

I just deleted my oauth_data and ran a sync. It then allowed me to reauth. It is still working.

[hjone72]

@shadycuz, have you got your own security profile? At what point do you get an error and what is the error?

[shadycuz]

I created a security profile yes but was unable to attach it to anything as the ACD API is closed.

[hjone72]

follow the steps above... it will link the missing step ;)

[hjone72]

The API isn't closed, Amazon's new API is invite only. ACD_CLI is built using the older API.

[shadycuz]

hmm I am working on recreating your steps, will post back soon.

[shadycuz]

@hjone72 I get errors, invalid scope and unable to connect to remote host...

[hjone72]

at which point?

[shadycuz]

when I run acd_cli sync and it opens a browser for me to login to amazon.

[hjone72]

Yeah... Once you login it should display a url that looks like "http://localhost/?code=ANWsWiAXhKsRzxREZxWv&scope=clouddrive%3Aread_all+clouddrive%3Awrite"

[shadycuz]

It doesn't allow me to log in, I believe one issue is I'm on a headless server using Lync

[shadycuz]

Step 11 did you use localhost? or http://localhost

[hjone72]

Yup in step 11 I used http://localhost for both.

Rather than logging in using that interface, quit it. The app will display a message A window will have opened at https://amazon.com/ap/oa?redirect_uri=http%3A%2F%2Flocalhost&client_id=amzn1.application-oa2-client.4137asdfaae37b46asdf9c894dca0031c8ac&scope=clouddrive%3Aread_all+clouddrive%3Awrite&response_type=code Copy that URL into a browser on a computer with a web browser. After you login, you'll be redirected to "localhost somethign something" as stated above.

[shadycuz]

When I paste that in I get, redirected to http://localhost/?error_description=An+unknown+scope+was+requested&error=invalid_scope

[hjone72]

yeah. Copy that url (the entire URL) and paste it into your terminal window which should say "Please log in or accept and enter the URL you have been redirected to:"

[calisro]

Did the acdcli GitHub just get removed?

[shadycuz]

no its up for me

[sergiopatino]

invalid_scope is not a valid redirect url

[sergiopatino]

I tried changing:

scope=clouddrive%3Aread_all+clouddrive%3Awrite&response_type=code

to

scope=clouddrive%3Aread_all%20clouddrive%3Awrite&response_type=code

per previous threads. still not getting redirected to my code. just getting a connection refused at this point.

[calisro]

It's back. It was 403ing.

[shadycuz]

@hjone72

My link looked like this https://amazon.com/ap/oa?scope=clouddrive%3Aread_all+clouddrive%3Awrite&client_id=amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxx&response_type=code&redirect_uri=http%3A%2F%2Flocalhost

after taking out the redirect part I still get error

[Viper786]

I'm a little confused. @hjone72 after step 11, do I need to download the security profile somehow and save it where my oauth file is? If so, how do I download it?

[shadycuz]

@hjone72

redid it and this exactly what ACD gave me...

A window will have opened at https://amazon.com/ap/oa?response_type=code&scope=clouddrive%3Aread_all+clouddrive%3Awrite&client_id=amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxx&redirect_uri=http%3A%2F%2Flocalhost

[shadycuz]

@hjone72 Error page i get.

[hjone72]

I'm just trying to recreate your issue. One moment please

[shadycuz]

@hjone72

If I keep the redirect it redirects me to http://localhost/?error_description=An+unknown+scope+was+requested&error=invalid_scope

[shadycuz]

@hjone72

and

and

thanks for helping me with this.

[Viper786]

I'm having the same exact issue as @shadycuz

[hjone72]

This could be the sticking point. You need to whitelist your application, and I don't think you can do that without invite anymore. If you already have a whitelisted security profile you're in the clear. If you don't you are out of luck. Sorry guys.

[shadycuz]

@hjone72 That was what I was trying to tell you earlier, that its not open to the public anymore

[sergiopatino]

how can you tell if your app is whitelisted?

[shadycuz]

You would know, because you would have set it up a while ago.

[sergiopatino]

I did. Sept 2016. But is there a way to confirm?

[shadycuz]

follow the steps on this thread and here https://acd-cli.readthedocs.io/en/latest/authorization.html

[hjone72]

Yeah, sorry I miss understood where you were having the issue. Still we may be able to get it going using an already whitelisted profile... ?

[shadycuz]

Yes, you could get the acd_cli auth code, fix it and then host your own tensile.appspot for everyone else to replace the broken one yadayayaya had hosted.

@bgemmill

[calisro]

Really the auth code should be changed to not use an intermediate server at all..... I don't think rclone uses one.... A client should be the only one talking to ACD to get a token.

[shadycuz]

@calisro the rclone implementation is not perfect either. It might be better but such things have yet to be looked at. It makes a good point.

See https://forums.developer.amazon.com/questions/22091/client-secret-in-open-source-apps.html#answer-22097

[calisro]

Yes I know. But from a client perspective it is not secure in that there isn't a third party which could intercept tokens. Having an intermediate isn't good.

[shadycuz]

But this third party was/is the application owner, if you are not comfortable with his auth service are you not comfortable with his app being installed on your computer?

[calisro]

It is different. I can compile and read the source. I know exactly what it is doing. Only I can access my data. Once an intermediate is used, tokens can be mishandled or leaked or worse. If the auth is on my own client it cannot be leaked and my data be exposed which is exactly what had happened here.

Why would I have to trust the app owner in an open source setting?

[shadycuz]

Right... which is why I proposed if we bring it back up online, we opensource the auth portion as well.

https://github.com/yadayada/acd_cli/pull/562#issuecomment-301939419