ubports / account-plugins

Moved to https://gitlab.com/ubports/core/indicator-transfer
GNU General Public License v2.0

Google: use new Ubports keys #33

Closed mardy closed 5 years ago

mardy commented 5 years ago

Note: This is a WIP: you are very welcome to test it and report how it works, but we won't merge this until our keys have been approved by Google.

This is related to #1171, though not really a fix (there's nothing we can do to prevent Google from blocking access to GMail APIs). This change is to switch to the Google API keys registered by us (Unity/Ubports), instead of continuing to use those which were registered by Canonical, and that we have no way of configuring.

Test instructions: install the account-plugin-google, then delete your Google accounts from the device, and recreate them anew: verify that Contacts and Calendars get synchronised. The GMail webapp should not be affected, since it doesn't use Online Accounts at all, but feel free to double-check. :-)

mardy commented 5 years ago

It's a sense of false security. There is no way that we can keep the client secret really secret. Google at least understands that (see the second paragraph in https://developers.google.com/identity/protocols/OAuth2#installed), so for Google we don't even have to pretend to care.

We might need to do the trick you suggest with other OAuth providers, but I'd wait until they complain (in 5 years, no one did). :-)

UniversalSuperBox commented 5 years ago

Alright, all seems to work fine here. One thing though, the Google login page says Ubports rather than UBports. UBports is the correct capitalization. If you have power over that, could you set it correctly?

mardy commented 5 years ago

> UBports is the correct capitalization. If you have power over that, could you set it correctly?

Sure, I will!

Flohack74 commented 5 years ago

I am still voting for not having our secret exposed in public.

UniversalSuperBox commented 5 years ago

It really doesn't matter, the secret is hardly so.

> The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)

https://developers.google.com/identity/protocols/OAuth2#installed

Flohack74 commented 5 years ago

Please remove WIP: marker before merging in the future, for sanity.