iterative / PyDrive2

Google Drive API Python wrapper library. Maintained fork of PyDrive.
https://docs.iterative.ai/PyDrive2

deprecation of OAuth out-of-band (OOB) in Google OAuth #173

Open itcarroll opened 2 years ago

itcarroll commented 2 years ago

Because I followed DVC's instructions for creating a custom Google Cloud project, Google included me on a mass email dated May 3, 2022 stating the following:

> We are writing to inform you that OAuth out-of-band (OOB) flow will be deprecated on October 3, 2022, to protect users from phishing and app impersonation attacks.

They helpfully linked me to a blog post with guidance on making a change.

Having read the blog post and traced DVC's GoogleAuth call to the "offending" use of the out-of-band flow by PyDrive2, I think I can make a recommendation. It seems like PyDrive2 should deprecate CommandLineAuthentication and help users migrate to a flow using a Loopback IP address. This may be as simple as forcing users (like DVC, so should be easy for you) to switch to LocalWebserverAuth, if I understand it correctly.

shcheklein commented 2 years ago

@itcarroll thanks for creating the ticket, it should be on our radar and maybe what @junpeng-jp is doing in #89 can help with this migration as well.

> Loopback IP address

~From what I understand this is also prohibited and deprecated, right?~

~https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-loopback~

Right, it looks like we should be fine to use it for the Desktop app, and CommandLine auth will be deprecated. We can create a ticket on DVC end to change that.
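Added example, not part of the thread and not PyDrive2's own code: a standard-library sketch of the receiving side of the loopback IP address flow discussed above, where the authorization code arrives at a listener bound to 127.0.0.1 instead of being copied and pasted by the user as in OOB. `LoopbackReceiver` and `simulate_redirect` are hypothetical names, and the code value is constructed; in a real flow the app would send `redirect_uri` and the state value in its authorization request.

```python
import http.client
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse


class _Callback(BaseHTTPRequestHandler):
    def do_GET(self):
        q = parse_qs(urlparse(self.path).query)
        state, code = q.get("state", [""])[0], q.get("code", [""])[0]
        # Accept a code only when it arrives with the state this process issued.
        ok = bool(code) and secrets.compare_digest(
            state.encode(), self.server.expected_state.encode())
        if ok:
            self.server.auth_code = code
        self.send_response(200 if ok else 400)
        self.end_headers()
        self.wfile.write(b"Done, close this tab." if ok else b"Rejected.")

    def log_message(self, *args):
        pass  # keep the query string (and the code) out of stderr


class LoopbackReceiver:
    def __init__(self):
        self.server = HTTPServer(("127.0.0.1", 0), _Callback)  # loopback only, free port
        self.server.expected_state = secrets.token_urlsafe(32)
        self.server.auth_code = None
        self.redirect_uri = "http://127.0.0.1:%d/" % self.server.server_port

    def wait_for_code(self, timeout=120.0):
        # Serve callbacks until one is accepted or the deadline passes.
        deadline = time.monotonic() + timeout
        try:
            while self.server.auth_code is None and time.monotonic() < deadline:
                self.server.timeout = max(deadline - time.monotonic(), 0.01)
                self.server.handle_request()
        finally:
            self.server.server_close()
        return self.server.auth_code


def simulate_redirect(receiver, state, code="constructed-code"):
    """Stand-in for the browser following the redirect; returns the HTTP status."""
    conn = http.client.HTTPConnection("127.0.0.1", receiver.server.server_port, timeout=5)
    conn.request("GET", "/?" + urlencode({"state": state, "code": code}))
    status = conn.getresponse().status
    conn.close()
    return status
```

A callback with the wrong state is answered with 400 and the listener keeps waiting; the socket is closed as soon as one code is accepted or the timeout expires.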

pjb304 commented 1 year ago

Hi, please can someone provide an update on what's happening with this as the OOB API cannot be used beyond the end of the month. Many thanks.