cryptomator / ios

Cryptomator for iOS
https://cryptomator.org
GNU General Public License v3.0

“Advanced Protection” Google Users Cannot Authorize Login #196

Open ghost opened 2 years ago

ghost commented 2 years ago

Summary

Google Members who have enabled Advanced Protection on their accounts cannot authorize Cryptomator to access Drive. I filed this as a “bug” but I realize that it’s not a bug with Cryptomator as such, rather maybe some change that needs to be made to allow access to users with this setup.

System Setup

Cloud Type

Google Drive

Steps to Reproduce

  1. In Cryptomator navigate to Settings > Cloud services > Google Drive > +
  2. Log in to Google with Credentials
  3. Authorize via Yubikey
  4. Error message

Expected Behavior

Successful authentication of account and approved permissions for Cryptomator to read drive data

Actual Behavior

Presented with the following error message and message to developers:

Authorization Error Error 400: policy_enforced

Advanced Protection prevented your Google Account from signing in. This security feature stops most non-Google apps and services from accessing your data to keep your account protected.

[Learn more](https://support.google.com/accounts/?p=2sv_non-goog)

The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google. If you’re the app developer, make sure that these request details comply with Google policies.

  - response_type: code
  - code_challenge_method: S256
  - redirect_uri: com.googleusercontent.apps.1008971033086-g04bmhlsc1cgjisa595bbc61mk1bscfu:/oauthredirect
  - state: y8nYvseUHr1ag1zi6tWjnUec3d2i_GZxEUBEkmYSETQ
  - nonce: CvdY5JYUaQsJl_KGmUszpYdMw7UjAmNbXPfeuwFxaOs
  - code_challenge: G1qLWDEfHlM_UgPqq0bB__Z7oXPfjI485I43JLpY8hk
  - client_id: 1008971033086-g04bmhlsc1cgjisa595bbc61mk1bscfu.apps.googleusercontent.com
  - access_type: offline
  - scope: https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/userinfo.email openid

Reproducibility

Always

Relevant Log Output

No response

Anything else?

No response

tobihagemann commented 2 years ago

Thank you for your bug report! First I thought that it might have something to do with an unfinished verification process. But as it turns out, that wasn't the case. It looks like it's the same on Android and there is a workaround: https://community.cryptomator.org/t/problem-connecting-to-google-drive-when-participating-in-advanced-protection-program/4972

It looks like Google is quite restrictive regarding their Advanced Protection Program for non-Google services/apps: https://support.google.com/accounts/answer/7539956?hl=en#zippy=%2Ccan-i-use-non-google-apps-services-or-apps-script-with-advanced-protection

jackstruck commented 1 year ago

This issue still exists, and the workaround seems to be limited: it will only allow creating/finding a vault while Advanced Protection is disabled. The vault will continue to work after it is re-enabled, but only on devices that granted access to their drive while it was disabled. New devices will not be able to use Cryptomator. Any other suggestions?

github-actions[bot] commented 5 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.