gilesknap / gphotos-sync

Google Photos and Albums backup with Google Photos Library API
Apache License 2.0

Replace Google authentication strategy #342

Closed marcocaberletti closed 2 years ago

marcocaberletti commented 2 years ago

This PR changes the authentication strategy, using the OAuth2 Device code flow (aka "Desktop app" in Google credentials language)

This change also resolves #341.

gilesknap commented 2 years ago

This looks great. Thanks. I'll give it a try this weekend and update the docs too.

I'm not sure why I did not use 'desktop app' in the first place, but it's too long ago to remember!

gilesknap commented 2 years ago

Hi Marco,

I think I need help generating the application token. Using your code I'm still getting the error in #341.

Did you use a different workflow to generate the App token?

Thanks

marcocaberletti commented 2 years ago

Verify the client_secret.json content: you should only have this:

"redirect_uris": [
    "http://localhost"
]

in redirect URIs

gilesknap commented 2 years ago

Thanks, I now have it working.

One of the things I need to support is non-GUI authentication for people running gphotos-sync on a server or in a container.

It looks like I can achieve this with: flow.run_local_server(open_browser=False, host=)

This is only going to work if host is routable from the workstation where the user runs their browser. It's a new limitation but worth the fix.

Many thanks.

marcocaberletti commented 2 years ago

I think the limitation can be solved using run_console:

flow.run_console()

Maybe a new CLI parameter can be added to choose which strategy to use. I'll try and open a new PR.

gilesknap commented 2 years ago

Hi Marco,

The first thing I tried was run_console and it does not seem to use the localhost server. If you can make it work I would be interested as this would be the preferred solution.

Thanks.

gilesknap commented 2 years ago

@marcocaberletti any ideas on this?

flow.run_local_server(open_browser=False) and flow.run_console() present the following URLs respectively:

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=922694661112-hso5f9cqnuafdqap2k9nkc1qbatlf5am.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fphotoslibrary.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fphotoslibrary.sharing&state=d4cKp4V5ar49FsafOtoFK9YjKzF9Ee&access_type=offline
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=922694661112-hso5f9cqnuafdqap2k9nkc1qbatlf5am.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fphotoslibrary.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fphotoslibrary.sharing&state=WOIbBskf9JZ22x3H71kX8NOpBBgOmb&prompt=consent&access_type=offline

So you can see why the second one does not work.

marcocaberletti commented 2 years ago

I see the deprecated redirect uri in the second URL. Now, I don't remember all the details. I have to dig into it and try.

marcocaberletti commented 2 years ago

Hi @gilesknap , You are right, run_console is deprecated and it doesn't work. I've tried to implement this: https://developers.google.com/identity/protocols/oauth2/limited-input-device. But as you can see at the end of the page, GooglePhotos scopes are not yet supported. So, for servers and containers, I guess the workaround is:

gilesknap commented 2 years ago

Thanks,

I'm going to go with this:

flow.run_local_server(open_browser=False, host=hostname)

where hostname can be passed on the command line.

Then it can be made to work as long as you have a workstation with a browser that can route to hostname.
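The flow the thread settles on, as an added example that is not code from gphotos-sync or google-auth-oauthlib: a standard-library reimplementation of what InstalledAppFlow.run_local_server(open_browser=False, host=...) does, so the pieces are visible. It checks that client_secret.json is a Desktop-app client whose only redirect URI is http://localhost (the fix for #341 above), builds the same authorization URL gilesknap posted (same endpoint, scopes and parameters; only the client_id is a placeholder), binds a one-shot listener on a host of the caller's choosing, and validates the redirect's state before accepting the code. The names LoopbackListener, start_headless_auth and demo_roundtrip, and the contents of the sample client_secret.json, are my own assumptions; the token exchange that follows is not shown.

```python
"""Headless OAuth 2.0 loopback ("Desktop app") flow, standard library only.
Added example, not gphotos-sync or google-auth-oauthlib code; it mirrors what
InstalledAppFlow.run_local_server(open_browser=False, host=...) does."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
SCOPES = ["https://www.googleapis.com/auth/photoslibrary.readonly",
          "https://www.googleapis.com/auth/photoslibrary.sharing"]

# Constructed sample of a Desktop-app client_secret.json; every value is a placeholder.
SAMPLE_CLIENT_SECRET = json.dumps({"installed": {
    "client_id": "000000000000-example.apps.googleusercontent.com",
    "client_secret": "placeholder-not-a-real-secret",
    "auth_uri": AUTH_ENDPOINT, "token_uri": "https://oauth2.googleapis.com/token",
    "redirect_uris": ["http://localhost"]}})

def load_installed_client(text):
    """Accept only a Desktop-app client whose sole redirect URI is http://localhost
    (this also rejects the deprecated urn:ietf:wg:oauth:2.0:oob entry run_console() used)."""
    cfg = json.loads(text).get("installed")
    if cfg is None:
        raise ValueError('client_secret.json must be of type "installed" (Desktop app)')
    if cfg.get("redirect_uris") != ["http://localhost"]:
        raise ValueError("redirect_uris must be exactly ['http://localhost'], got %r"
                         % cfg.get("redirect_uris"))
    return cfg

def build_auth_url(client_id, host, port, state):
    """Authorization URL for the loopback flow; redirect_uri names our listener."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": "http://%s:%d/" % (host, port), "scope": " ".join(SCOPES),
              "state": state, "access_type": "offline"}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def extract_code(request_path, expected_state):
    """Validate the redirect that hits the listener and return the authorization code.
    The constant-time state comparison is what rejects a forged or replayed redirect."""
    qs = parse_qs(urlparse(request_path).query)
    if "error" in qs:
        raise ValueError("authorization denied: " + qs["error"][0])
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: forged or stale redirect")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code

class LoopbackListener:
    """One-shot HTTP listener; host must be routable from the machine running the browser."""

    def __init__(self, host, port, expected_state):
        result = self.result = {}

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                try:
                    result["code"] = extract_code(self.path, expected_state)
                    status, body = 200, b"Authorization complete; you may close this tab."
                except ValueError as exc:
                    result["error"] = str(exc)
                    status, body = 400, str(exc).encode()
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(body)

        self.server = HTTPServer((host, port), Handler)
        self.port = self.server.server_port  # the real port, even when 0 was requested

    def wait(self, timeout=300):
        self.server.timeout = timeout
        self.server.handle_request()  # serve exactly one request, then close the socket
        self.server.server_close()
        if "code" not in self.result:
            raise RuntimeError(self.result.get("error", "no redirect received before timeout"))
        return self.result["code"]

def start_headless_auth(client_secret_text, host="localhost", port=0):
    """Bind first so the URL carries the real port; returns (listener, url, state)."""
    cfg = load_installed_client(client_secret_text)
    state = secrets.token_urlsafe(24)
    listener = LoopbackListener(host, port, state)
    return listener, build_auth_url(cfg["client_id"], host, listener.port, state), state

def demo_roundtrip(code="4/constructed-auth-code"):
    """Offline walk-through: a thread plays the browser following Google's redirect
    to the listener, and wait() hands back the validated code."""
    listener, auth_url, state = start_headless_auth(SAMPLE_CLIENT_SECRET, "127.0.0.1")
    print("Open in a browser that can reach the listener:", auth_url)
    redirect = "http://127.0.0.1:%d/?%s" % (listener.port, urlencode({"code": code, "state": state}))
    threading.Thread(target=lambda: urlopen(redirect).read(), daemon=True).start()
    return listener.wait(timeout=10)
```

In real use you would call start_headless_auth with the hostname the user can reach, print the URL, and call wait(); demo_roundtrip only stands in for the browser so the exchange can be exercised offline. Two details matter on a server: the listener serves exactly one request and then closes, and it accepts nothing whose state does not match, so a stray or attacker-sent request to the port cannot plant a code in the session. If exposing the port on a routable host is unwelcome, one alternative (my suggestion, not something the thread decided) is to keep host at localhost and forward the listener's port to the workstation with ssh -L, which keeps the redirect URI on the loopback address.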