gilesknap / gphotos-sync

Google Photos and Albums backup with Google Photos Library API
Apache License 2.0

Google is deprecating OAuth OOB flow #381

Closed tbaumann closed 1 year ago

tbaumann commented 1 year ago

I got this email from Google. The wording is a bit unclear. Testing apps will apparently still continue to work.

Our records indicate you have OAuth clients that may have used the OAuth OOB flow in the past, although not in the last 90 days.

Hello Google OAuth Developer,

We're writing to remind you that the OAuth out-of-band (OOB) flow will be deprecated on October 3, 2022, to protect your users from phishing and app impersonation attacks.
What do I need to know?

As we notified you in the first week of May 2022, any affected authorization endpoint requests will be blocked with an invalid_request error after October 3, 2022. Apps using OOB in [testing](https://notifications.google.com/g/p/APNL1ThkqePkHm8ET5Rjh-aNfJs-NV1A5FGYYThvCLjQ2k-btRXAhSZhRFbAbVs8Ta2-072I2I4Zkl1XjnIsYQMiRGKi2aUC3HwIN3XtxPxBSLmENRex7-AvrSvpbTbgZJ6o9rCYj5cv4ozVs6nz7-W6GwfeMU5gDa_D) mode will not be affected. However, we strongly recommend migrating them to safer methods as these apps will be immediately blocked when switching to [production](https://notifications.google.com/g/p/APNL1ThJlRTiP5cPzF72UUMAF29mba9dwXOfpnXUxv70h5L_Y876K0UcK6SrugM-aS7b_5QVjOblLTCObd9mQOzRvRISydNpHOnQn4HyNzFLauwp3J41nVuOBhXrg_X8yrahdT1c5xoojKVaDOBXrve4zZbuESSRnhUaoHCZ) status.

Below are key dates for compliance:

    September 5, 2022: A [user-facing warning message](https://notifications.google.com/g/p/APNL1ThA7LWcC7iQFXV2DTwudMc0TUpeF61GYrYl43c7VSURooAxm_2-XpeedFpwvODEZKNh50PFv9tedGOUaAg29Q2W3Be_2gbRacYlEatZ2WZ7SAsToaP63_gOcxwhsYbamRBVyoy5iDPCbxVAi-c1uXgaZU_HGOIcqpL-qw) will be displayed to non-compliant OAuth requests.
    October 3, 2022: The OOB flow will be blocked for all clients and users will see the error page.

You can consult our previous email with the subject line: “Migrate your OAuth out-of-band flow to an alternative method before October 3, 2022,” for more details.

I guess there isn't much anyone could do, short of implementing some central proxy service that handles the user credentials.

PetteriAimonen commented 1 year ago

I wonder if starting up a temporary HTTP server on localhost might work? Would need testing whether Google's OAuth accepts http://localhost:1234/ as the redirect url. Getting HTTPS would be difficult and I wouldn't be surprised if HTTP is blocked.

gilesknap commented 1 year ago

The latest version of gphotos-sync has switched to InstalledAppFlow.

See https://gilesknap.github.io/gphotos-sync/main/tutorials/oauth2.html
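The loopback redirect that the localhost-server idea above and InstalledAppFlow both rely on is small enough to show end to end. The following is an added illustration written for this page, not gphotos-sync's code and not Google's library: it binds a listener on 127.0.0.1 at an OS-chosen port, builds the authorization URL with a fresh `state` value, and accepts exactly one redirect, refusing any whose `state` does not match (the CSRF check that RFC 6749 puts on the client). The authorization endpoint, client id and the `simulate_browser_redirect` helper that stands in for the browser are assumptions made for the example; the code value it sends is constructed.

```python
import hmac
import http.client
import secrets
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


class LoopbackRedirectReceiver:
    """Receive one OAuth 2.0 authorization-code redirect on the loopback interface.

    The redirect URI is http://127.0.0.1:<port>/ so the authorization code
    never leaves the machine, which is what removes the copy-paste step the
    OOB flow relied on.  The ``state`` generated here must come back
    unchanged; a missing or different state is rejected with 400.
    """

    def __init__(self):
        self.state = secrets.token_urlsafe(24)
        self.code = None
        self.error = None
        receiver = self  # captured by the handler class below

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):  # keep the example silent
                pass

            def do_GET(self):
                params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
                state = params.get("state", [""])[0]
                # constant-time compare so the state check leaks nothing via timing
                if not hmac.compare_digest(state.encode(), receiver.state.encode()):
                    receiver.error = "state mismatch"
                    status, body = 400, b"Invalid state parameter; redirect ignored."
                elif "error" in params:
                    receiver.error = params["error"][0]
                    status, body = 400, b"Authorization was denied."
                elif "code" in params:
                    receiver.code = params["code"][0]
                    status, body = 200, b"Authorization received; you may close this tab."
                else:
                    receiver.error = "no code in redirect"
                    status, body = 400, b"Malformed redirect."
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        # port 0 lets the OS pick a free port; HTTPServer binds and listens here
        self._httpd = HTTPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = "http://127.0.0.1:%d/" % self._httpd.server_address[1]
        self._thread = threading.Thread(target=self._httpd.handle_request, daemon=True)

    def authorization_url(self, auth_endpoint, client_id, scope):
        """URL the browser is sent to; auth_endpoint and client_id are caller-supplied."""
        query = urllib.parse.urlencode({
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": self.state,
        })
        return auth_endpoint + "?" + query

    def start(self):
        """Serve exactly one request in the background."""
        self._thread.start()

    def wait(self, timeout=60):
        """Block until the single redirect has been handled; return (code, error)."""
        self._thread.join(timeout)
        self._httpd.server_close()
        return self.code, self.error


def simulate_browser_redirect(redirect_uri, **params):
    """Stand-in for the browser: GET the loopback URI with the given query string.

    Uses http.client directly so no proxy settings interfere with loopback.
    Returns the HTTP status the receiver answered with.
    """
    parsed = urllib.parse.urlparse(redirect_uri)
    conn = http.client.HTTPConnection(parsed.hostname, parsed.port, timeout=5)
    conn.request("GET", parsed.path + "?" + urllib.parse.urlencode(params))
    response = conn.getresponse()
    response.read()
    conn.close()
    return response.status


if __name__ == "__main__":
    receiver = LoopbackRedirectReceiver()
    print("Open this URL in a browser:")
    print(receiver.authorization_url("https://accounts.google.com/o/oauth2/v2/auth",
                                     "CLIENT_ID_PLACEHOLDER",
                                     "https://www.googleapis.com/auth/photoslibrary.readonly"))
    receiver.start()
    print("code, error =", receiver.wait())
```

In real use the `code` returned by `wait()` is then exchanged at the token endpoint together with the same `redirect_uri`; the simulated redirect in the test below replaces the browser round trip so the check logic runs offline.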

lutzky commented 1 year ago

This looks to me like exactly what I did, and yet I got a message similar to the one above. Still no cause for concern?

gilesknap commented 1 year ago

In order to create the new secret you would have created a new Google Cloud Project. If your old one is still there in your account then the warning may have come from that.

You can verify that you are not using the old Out of Band auth with the following command (or equivalent on non-Linux):

cat ~/.config/gphotos-sync/client_secret.json

The redirect_uris field should be just 'localhost' and not contain oob, i.e.

        "redirect_uris": [
            "http://localhost"
        ]
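The eyeball check above can be automated. The script below is an added example for this page, not part of gphotos-sync: it parses a client_secret.json, looks under both the `installed` and `web` sections that Google's console emits, and classifies each redirect URI as OOB (`urn:ietf:wg:oauth:2.0:oob` and its `:auto` variant), loopback (`http://localhost` or `http://127.0.0.1`, any port) or other. The two embedded JSON documents are constructed samples in the console's layout, with placeholder ids; the path argument to `check_client_secret` is assumed.

```python
import json
import urllib.parse

# OOB redirect URIs that the deprecated flow used; anything else containing
# "oob" is also flagged so a renamed variant does not slip through.
OOB_REDIRECTS = {"urn:ietf:wg:oauth:2.0:oob", "urn:ietf:wg:oauth:2.0:oob:auto"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def classify_redirect(uri):
    """Return 'oob', 'loopback' or 'other' for one redirect URI."""
    if uri in OOB_REDIRECTS or "oob" in uri.lower():
        return "oob"
    parsed = urllib.parse.urlparse(uri)
    if parsed.scheme == "http" and (parsed.hostname or "") in LOOPBACK_HOSTS:
        return "loopback"
    return "other"


def audit_client_secret(secret):
    """Classify every redirect URI in a parsed client_secret.json document.

    Returns {"oob": [...], "loopback": [...], "other": [...]}; the "installed"
    key is what a desktop-app client looks like, "web" a web-app client.
    """
    report = {"oob": [], "loopback": [], "other": []}
    for section in ("installed", "web"):
        for uri in secret.get(section, {}).get("redirect_uris", []):
            report[classify_redirect(uri)].append(uri)
    return report


def uses_oob(secret):
    """True if the client secret still lists any OOB redirect URI."""
    return bool(audit_client_secret(secret)["oob"])


def check_client_secret(path):
    """Load a client_secret.json from disk (path is caller-supplied) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_client_secret(json.load(fh))


# Constructed samples: an older desktop secret that still carries the OOB URI,
# and one created after switching to the loopback flow.
OLD_SECRET = json.loads("""
{
  "installed": {
    "client_id": "CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",
    "project_id": "example-project",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "CLIENT_SECRET_PLACEHOLDER",
    "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob", "http://localhost"]
  }
}
""")

NEW_SECRET = json.loads("""
{
  "installed": {
    "client_id": "CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",
    "project_id": "example-project",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "CLIENT_SECRET_PLACEHOLDER",
    "redirect_uris": ["http://localhost"]
  }
}
""")


if __name__ == "__main__":
    for name, secret in (("old", OLD_SECRET), ("new", NEW_SECRET)):
        print(name, audit_client_secret(secret), "OOB:", uses_oob(secret))
```

A secret that reports any entry under `oob` is the kind the deprecation email is about, even if it also lists `http://localhost`; a secret whose redirects are all `loopback` is what the new InstalledAppFlow setup produces.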
lutzky commented 1 year ago

It definitely contains oob. I see, so if this stops working, I can just use the new flow to generate a new secret. Thank you!

gilesknap commented 1 year ago

@lutzky yep you should be good to go.