Cryptomator does not ask for google drive permission again after revoked

[KenErikson]

Please agree to the following

• [X] I have searched existing issues for duplicates
• [X] I agree to follow this project's Code of Conduct

Summary

Cryptomator does not ask for google drive permission again after revoked

System Setup

- Android: 11
- Cryptomator: Cryptomator v1.7.1 (2617) "Google Play Edition" started on android 11 / API30 using a SM-A415F

Cloud Type

Google Drive

Steps to Reproduce

1. Log In to Google Drive in app
2. Revoke access in google security settings
3. Try to open Google Drive in app
4. Nothing except for "Error"
5. Sign out from google-drive in cryptomator -> sign back in
6. Still same "Error"

Expected Behavior

Ask for google drive permission again

Actual Behavior

Just shows "Error" popup

Reproducibility

Always

Relevant Log Output

20220328124054.905  App Cryptomator v1.7.1 (2617) "Google Play Edition" started on android 11 / API30 using a SM-A415F
I   20220328124055.101  ActivityLifecycle   onResume org.cryptomator.presentation.ui.activity.SplashActivity@244738e
I   20220328124055.164  App Cryptors service connected
I   20220328124055.170  App Cryptors service connected
I   20220328124055.174  App Auto upload service connected
I   20220328124055.177  App Cryptors service connected
I   20220328124055.217  Database    Configure v0
I   20220328124055.219  Database    Create v11
I   20220328124055.220  DatabaseUpgrade Running CompoundDatabaseUpgrade (0 -> 11)
I   20220328124055.220  DatabaseUpgrade Running Upgrade0To1 (0 -> 1)
I   20220328124055.224  DatabaseUpgrade Running Upgrade1To2 (1 -> 2)
I   20220328124055.226  DatabaseUpgrade Running Upgrade2To3 (2 -> 3)
I   20220328124055.233  DatabaseUpgrade Running Upgrade3To4 (3 -> 4)
I   20220328124055.238  DatabaseUpgrade Running Upgrade4To5 (4 -> 5)
I   20220328124055.243  DatabaseUpgrade Running Upgrade5To6 (5 -> 6)
I   20220328124055.250  DatabaseUpgrade Running Upgrade6To7 (6 -> 7)
I   20220328124055.253  DatabaseUpgrade Running Upgrade7To8 (7 -> 8)
I   20220328124055.254  DatabaseUpgrade Running Upgrade8To9 (8 -> 9)
I   20220328124055.255  DatabaseUpgrade Running Upgrade9To10 (9 -> 10)
I   20220328124055.257  DatabaseUpgrade Running Upgrade10To11 (10 -> 11)
I   20220328124055.263  Database    Open v11
I   20220328124055.368  ActivityLifecycle   onResume org.cryptomator.presentation.ui.activity.VaultListActivity@ec79c4c
I   20220328124059.936  ActivityLifecycle   onResume org.cryptomator.presentation.ui.activity.ChooseCloudServiceActivity@703e00f
I   20220328124101.544  ActivityLifecycle   onResume org.cryptomator.presentation.ui.activity.AuthenticateCloudActivity@ebb2f5
I   20220328124104.894  ActivityLifecycle   onResume org.cryptomator.presentation.ui.activity.AuthenticateCloudActivity@ebb2f5
I   20220328124105.039  ActivityLifecycle   onResume org.cryptomator.presentation.ui.activity.ChooseCloudServiceActivity@703e00f
I   20220328124105.426  ActivityLifecycle   onResume org.cryptomator.presentation.ui.activity.CreateVaultActivity@d292fef
I   20220328124110.200  ActivityLifecycle   onResume org.cryptomator.presentation.ui.activity.BrowseFilesActivity@ac68862
E   20220328124111.045  ExceptionHandler    org.cryptomator.domain.exception.FatalBackendException: com.google.api.client.googleapis.json.GoogleJsonResponseException: 401 Unauthorized
GET https://www.googleapis.com/drive/v3/files?fields=nextPageToken,files(id,mimeType,modifiedTime,name,size,shortcutDetails)&pageSize=1000&q='root'%20in%20parents%20and%20trashed%20%3D%20false
{
  "code": 401,
  "errors": [
    {
      "domain": "global",
      "location": "Authorization",
      "locationType": "header",
      "message": "Invalid Credentials",
      "reason": "authError"
    }
  ],
  "message": "Invalid Credentials"
}
    at org.cryptomator.data.cloud.googledrive.GoogleDriveCloudContentRepository$Intercepted.list(GoogleDriveCloudContentRepository.kt:116)
    at org.cryptomator.data.cloud.googledrive.GoogleDriveCloudContentRepository$Intercepted.list(GoogleDriveCloudContentRepository.kt:58)
    at org.cryptomator.data.cloud.InterceptingCloudContentRepository.list(InterceptingCloudContentRepository.kt:103)
    at org.cryptomator.data.repository.DispatchingCloudContentRepository.list(DispatchingCloudContentRepository.kt:103)
    at org.cryptomator.domain.usecases.cloud.GetCloudList.execute(GetCloudList.java:24)
    at org.cryptomator.domain.usecases.cloud.GetCloudListUseCase$Launcher$2.call(GetCloudListUseCase.java:92)
    at org.cryptomator.domain.usecases.cloud.GetCloudListUseCase$Launcher$2.call(GetCloudListUseCase.java:86)
    at io.reactivex.internal.operators.flowable.FlowableFromCallable.subscribeActual(FlowableFromCallable.java:39)
    at io.reactivex.Flowable.subscribe(Flowable.java:14935)
    at io.reactivex.Flowable.subscribe(Flowable.java:14882)
    at io.reactivex.internal.operators.flowable.FlowableSubscribeOn$SubscribeOnSubscriber.run(FlowableSubscribeOn.java:82)
    at io.reactivex.internal.schedulers.ExecutorScheduler$ExecutorWorker$BooleanRunnable.run(ExecutorScheduler.java:288)
    at io.reactivex.internal.schedulers.ExecutorScheduler$ExecutorWorker.run(ExecutorScheduler.java:253)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
    at java.lang.Thread.run(Thread.java:923)
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 401 Unauthorized

Anything else?

No response

[KenErikson]

Note: this leaves the app in a locked unusable state. At least if one intended to use GoogleDrive.

One can do this accidentally, or in the past I've done it to see if an app would ask for lower request if one only used a subset of the features. (e.g. create new -> maybe not request access to whole drive)

[SailReal]

Thanks for reporting this annoying bug. I can reproduce it and as you mentioned with "this leaves the app in a locked unusable state. At least if one intended to use GoogleDrive", if I revoke the permission I'm unable to connect it again, even when I re-install Cryptomator. Only installing it on a new device triggers on this new device the app permission grant dialog but the first phone still can not access the drive.

While debugging, the interesting thing is that Google still grants auth tokens for the scope DriveScopes.DRIVE to access Google Drive but when executing a request against Drive, a GoogleJsonResponseException is thrown with code 401 which isn't of kind UserRecoverableAuthIOException which means Google don't know how to recover from this state but should provide us the app grant dialog again which we unfortunately cannot open ourselves.

Unfortunately, there is nothing we can do in this regard except file a bug report at Google which I'll do in a moment and hope that they fix the problem.

I can't reproduce it but what helped once was to clear the cache of the "Google Play Services" app but right now that doesn't help anymore.

[SailReal]

Some time later, I get the UserRecoverableAuthException: NeedRemoteConsent again with the intent to show the permission grant dialog.

So it looks like the current workaround is to wait some time and try it again^^

[KenErikson]

:+1: Thank you for looking into it so quickly, good to know about the upstream bug, and that it's not locked forever.

Maybe even just needed some time to propagate, who knows.

[SailReal]

Maybe even just needed some time to propagate, who knows.

Yes, my guess is that the refresh token has to expire, then they realize they can't issue a new refresh token. However, only google knows why they still provide access tokens as long as the refresh token is valid without checking whether the scope can still be accessed and why not the correct error is thrown when accessing it but it's just a wild guess :)

[obo-ueat]

Hello,

I confirm I also get this error since 2 days now (and the underlying exception says NeedRemoteConsent too) Completely stuck with this. I will wait a few days as you did to see if it helps or not...

[SailReal]

@obo-ueat that is a different message. Where did you installed the app from?

[obo-ueat]

@SailReal while trying to find what was happening, I cloned the repo and make it run locally to debug it. I had the original message mentioned in the issue description but it was missing some details so I tried to figure out if it was something broken in the code itself and not on Google side.

The error I've posted is obtained with the version running in the emulator (using an image with google play services activated of course).

[obo-ueat]

here are the details from the error in case you wanted to know @SailReal

[SailReal]

...I had the original message mentioned in the issue description but it was missing some details...

After around 1h Google will send the correct error message again which will trigger the permission grant screen.

The error I've posted is obtained with the version running in the emulator (using an image with google play services activated of course).

Yes, that was my guess. We need to update the README as we separated this week the Google project which manages the access to the Drive API. Before we used for testing and production the same Google project but Google don't like that so we now have one for production and one for testing.

However, Google testing projects can only be used by Google accounts that have been explicitly granted access manually in the project. This means that, similar to Dropbox and Onedrive, you now unfortunately have to do something to be able to use the corresponding cloud when you build the app yourself :/ . Here are some instructions on what to do: https://www.raywenderlich.com/5144-integrating-google-drive-in-android (the chapter regarding Registering for Google Drive is the one of interest)

I will mark our posts as off-topic as they describe a different issue and will adapt the README. If you want discuss this further, feel free to create a new issue.

[obo-ueat]

Thank you very much @SailReal for the explanation, that makes sense :-) I will make the appropriate changes to be able to build locally following your pointer and will review your updated version of the README when available. Thanks again!