simon-weber / gpsoauth

A python client library for Google Play Services OAuth.
MIT License

Clarify 'Error': 'NeedsBrowser' #37

Closed B16f00t closed 2 years ago

B16f00t commented 3 years ago

When you enter an .edu account linked to GSuite, it displays: 'Error': 'NeedsBrowser'.

{'Error': 'NeedsBrowser', 'Url': 'https://correo.XXXXXXXXXX.edu.co:8443/cloudkey/a/XXXXXX.edu.co/index?SAMLRequest=fVJLT%2BMwEL6vxH%2BIfM%2BrCLSymqACQlQCNqKBAzfjTFKD7Qkeu9399%2BumIOBAr59nvpdnfvbX6GQDjhTaipVZwRKwEjtlh4o9tFfpb3ZWH/2akzB65Ivg1/Ye3gKQT%2BKmJT49VCw4y1GQIm6FAeJe8tXi9obPsoKPDj1K1CxZXlZMohXrzhgNuh/wtRsGNC9iRCtBDAIV9IPupAWWPH7Ymu1sLYkCLC15YX2EilmZFqfp7LQtT3h5zIviiSXNu9K5svsEh2w974eIX7dtkzZ/Vu1EsFEduLs4XbEBcdCQSTQ7%2BUYQqU2Ee6Ep2lsQgfPR4AVaCgbcCtxGSXi4v6nY2vuReJ5vt9vskyYXebDPSLHADLoQoVxIYvVUL58Sui%2B9HvYvPvRZfUhhnn8hr98/cpdvedmgVvJfstAatxcOhI/hvAsx2xU6I/zP%2BmVWTojq0n4a5cHSCFL1CjqW5PVe9fvFxDv6Dw%3D%3D&RelayState=https://accounts.google.com/CheckCookie?continue%3Dhttps://accounts.google.com/o/android/auth?hl%253Den_us%2526xoauth_display_name%253DAndroid%252BLogin%252BService%2526source%253DAndroid%252BLogin', 'ErrorDetail': 'To access your account, you must sign in on the web. Touch Next to start browser sign-in.'}

simon-weber commented 3 years ago

This is a bit of a misleading response from Google. Nothing really went wrong, but Google has determined for whatever reason that they need you to log in through a web browser. In your case, it looks like your institution has their own custom login system. I've also seen this happen when Google thinks a login attempt is suspicious.

You should be able to copy and paste that URL into a browser and continue from there.

We could document this better, but I'm not sure there's anything else we can do to improve this case on gpsoauth's end.
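One way calling code could handle the response described above (an added example, not part of the original thread and not gpsoauth code). `NeedsBrowserError`, `redact_url` and `master_token_from` are hypothetical names, and the sample response is constructed with a placeholder host and parameter values:

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample with the same keys as the response quoted in this issue.
SAMPLE = {
    "Error": "NeedsBrowser",
    "Url": "https://sso.example.edu:8443/cloudkey/a/example.edu/index"
           "?SAMLRequest=ZmFrZQ%3D%3D"
           "&RelayState=https://accounts.google.com/CheckCookie",
    "ErrorDetail": "To access your account, you must sign in on the web. "
                   "Touch Next to start browser sign-in.",
}


class NeedsBrowserError(Exception):
    """The server asked for an interactive web sign-in instead of issuing a token."""

    def __init__(self, url, detail):
        super().__init__(detail or "NeedsBrowser")
        self.url = url  # full URL for the user to open; keep it out of logs


def redact_url(url):
    """Keep scheme, host, path and parameter names; replace parameter values.

    The 'Url' value carries a SAMLRequest and RelayState, so only this
    redacted form should reach logs or bug reports.
    """
    parts = urlsplit(url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    query = urlencode([(k, "REDACTED") for k in names])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def master_token_from(response):
    """Return the 'Token' value, or raise a specific error for NeedsBrowser."""
    if "Token" in response:
        return response["Token"]
    error = response.get("Error", "unknown")
    if error == "NeedsBrowser":
        raise NeedsBrowserError(response.get("Url", ""),
                                response.get("ErrorDetail", ""))
    raise RuntimeError(f"master login failed: {error}")
```
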

B16f00t commented 3 years ago

It would be nice to try to capture the token when you click on the browser to complete the login or something like that. I could provide you with an account for testing if you wish.

simon-weber commented 3 years ago

That would be nice, but I think I'd rather not add the complexity of browser automation to the library.

I'll leave this open to track improving the UX, though.

emma-eva commented 3 years ago

It's a captcha issue. You can bypass this by clicking the continue button... Click this link and click the continue button: https://accounts.google.com/DisplayUnlockCaptcha

B16f00t commented 2 years ago

It's been two days since Google can't be accessed through this library. The error returns: {'Error': 'NeedsBrowser', 'ErrorDetail': 'To access your account, you must sign in on the web. Touch Next to start browser sign-in.'}

simon-weber commented 2 years ago

Yeah, this looks new. The 'Url' key from the did get me to a login screen that worked, but didn't actually complete the OAuth flow. DisplayUnlockCaptcha didn't seem to work either.

B16f00t commented 2 years ago

Someone commented in some forum that these parameters make the authentication flow. https://gitlab.com/AuroraOSS/AuroraStore/-/blob/master/app/src/main/java/com/aurora/store/util/AC2DMTask.kt#L27-43 I have not been able to check it.

Deathbot64 commented 2 years ago

having the same issue with a fresh install

emma-eva commented 2 years ago

I fixed it, but in PHP. I will fix it in Python and pull it in here.

leikoilja commented 2 years ago

@emma-eva, can you please share your findings with us?

leikoilja commented 2 years ago

@emma-eva, how is the progress going? Do you mind sharing what your findings were, perhaps someone else can take it further, so we get the ball moving? :)

B16f00t commented 2 years ago

I solved it in Python; you can see the code in the Whapa tool, the whagodri.py library. Also, I had to modify one function of gpsoauth.

    from __future__ import annotations

    from collections.abc import MutableMapping

    # _perform_auth_request is gpsoauth's internal request helper; this
    # function is written to live inside the gpsoauth module next to it.


    def perform_master_login_oauth(
        email: str,
        oauth_token: str,
        android_id: str,
        service: str = "ac2dm",
        device_country: str = "us",
        operator_country: str = "us",
        lang: str = "en",
        sdk_version: int = 28,
        proxy: MutableMapping[str, str] | None = None,
    ) -> dict[str, str]:
        """
        Perform a master login, which is what Android does when you first add
        a Google account.

        Return a dict, eg::

            {
                'Auth': '...',
                'Email': 'email@gmail.com',
                'GooglePlusUpgrade': '1',
                'LSID': '...',
                'PicasaUser': 'My Name',
                'RopRevision': '1',
                'RopText': ' ',
                'SID': '...',
                'Token': 'oauth2rt_1/...',
                'firstName': 'My',
                'lastName': 'Name',
                'services': 'hist,mail,googleme,...'
            }
        """
        # Form fields for the auth request; the caller-supplied OAuth token
        # goes in "Token".
        data: dict[str, int | str | bytes] = {
            "lang": lang,
            "google_play_services_version": 19629032,
            "sdk_version": sdk_version,
            "device_country": device_country,
            "Email": email,
            "service": service,
            "get_accountid": 1,
            "ACCESS_TOKEN": 1,
            "callerPkg": "com.google.android.gms",
            "add_account": 1,
            "Token": oauth_token,
            "callerSig": "38918a453d07199354f8b19af05ec6562ced5788",
        }

        return _perform_auth_request(data, proxy)

CyberAltra commented 2 years ago

Just submitted a PR that solves this issue without doing manual token exchange :)

simon-weber commented 2 years ago

I've merged that and it seems to work fine for me! I'll look to cut a release today or tomorrow to include https://github.com/simon-weber/gpsoauth/commit/1bf49e91289d9f9676efd5a0d73fed7e5766df91.

leikoilja commented 2 years ago

Awesome news! Thanks @CyberAltra & @simon-weber ⭐ 💥 🔥

B16f00t commented 2 years ago

Works perfect, I think this thread could be closed by now

simon-weber commented 2 years ago

Released in 1.0.1.

B16f00t commented 2 years ago

I think it would be a good idea to add a function for OAuth authentication, like the one I posted above, because GSuite accounts keep crashing and the user could take the cookie from his browser and log in this way.

simon-weber commented 2 years ago

That's probably reasonable. Want to open a new issue to track it?

B16f00t commented 2 years ago

The beginning of this issue was for this reason, for example in my program to make this type of accounts work, I had to take your library and modify it by adding a function to log in with the browser, so I contemplate all the scenarios.

nathanmarlor commented 2 years ago

Have just tested 1.0.1/1.0.2 using this, yet still can't generate a master token using app passwords? Can others confirm working/not?

leikoilja commented 2 years ago

@nathanmarlor, I can confirm it worked just fine. Here is a Python SDK that is based on gpsoauth I used to test the master token: https://github.com/leikoilja/glocaltokens/

nathanmarlor commented 2 years ago

Confirmed working, thanks!