SCTL is not end-to-end encryption; SCTL is more of an envelope in which you store secrets until they are needed, and those secrets should only be available in plain text while the operation that needs them is active.
The OOB OAuth flow we were using was discontinued by Google in October 2022 (oob-migration).
This PR implements the loopback flow recommended for Desktop clients (oob-migration/desktop-client), fixing the current sctl breakage.
This doesn't make the headless workflow any easier; that might require a service-account and the server-to-server flow.
This also implements a --port flag to use in case the default port (currently 9999) is in use or otherwise unavailable. This port needs to match the redirect_uris in the configured credentials.
# Note that `redirect_uris` should point to localhost and an available port
$ sctl credential add
{
"installed": {
"client_id": "<redacted>",
"project_id": "myproject",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "<redacted>",
"redirect_uris": [
"http://localhost:9999/auth/google/callback"
]
}
}
Go to the following link in your browser then type the authorization code:
https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=<redacted>&redirect_uri=http%3A%2F%2F127.0.0.1%3A9999&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloudkms&state=2lyAnj9cAojVooC5UxnlTg%3D%3D
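The loopback flow the PR switches to is, mechanically: bind a listener on the loopback interface at the port named in `redirect_uris`, send the user to the consent URL with a random `state`, and accept the authorization code only from a redirect that carries that same `state`. The following Go program is an added example written for this page; it is not sctl's code and does not reproduce the PR's implementation. It uses only the standard library (no `golang.org/x/oauth2`), takes the endpoint, scope and callback path from the sample session above, and treats the port as the value a `--port` flag would supply. The `state` check and the bind failure on a busy port are the two behaviours worth seeing: the first is what stops a code injected by some other local process from being accepted, the second is the condition the `--port` flag exists for. The code-for-token exchange against `token_uri` is left out.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Values taken from the PR's sample session; the callback path follows the
// sample redirect_uris. Nothing here is sctl's own code.
const (
	authEndpoint = "https://accounts.google.com/o/oauth2/auth"
	kmsScope     = "https://www.googleapis.com/auth/cloudkms"
	callbackPath = "/auth/google/callback"
)

// NewState returns 16 random bytes, base64-encoded. The state parameter ties
// the browser redirect to this process: a redirect without it is refused.
func NewState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// RedirectURI is the loopback redirect for the chosen port. It must match an
// entry in the credential file's redirect_uris.
func RedirectURI(port int) string {
	return fmt.Sprintf("http://localhost:%d%s", port, callbackPath)
}

// AuthURL builds the consent URL the user opens in a browser.
func AuthURL(clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("access_type", "offline")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", kmsScope)
	q.Set("state", state)
	return authEndpoint + "?" + q.Encode()
}

// CallbackHandler accepts one redirect whose state matches expectedState and
// delivers its code on codes. Wrong path, wrong state, a consent error, a
// missing code, or a second code all get an error status instead.
func CallbackHandler(expectedState string, codes chan<- string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != callbackPath {
			http.NotFound(w, r)
			return
		}
		q := r.URL.Query()
		if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
			http.Error(w, "state mismatch", http.StatusBadRequest)
			return
		}
		if e := q.Get("error"); e != "" {
			http.Error(w, "authorization failed: "+e, http.StatusBadRequest)
			return
		}
		code := q.Get("code")
		if code == "" {
			http.Error(w, "missing code", http.StatusBadRequest)
			return
		}
		select {
		case codes <- code: // buffered channel of size 1: only the first code gets through
			fmt.Fprintln(w, "Authorization received; you can close this tab.")
		default:
			http.Error(w, "a code was already received", http.StatusConflict)
		}
	})
}

// ListenLoopback binds 127.0.0.1 only. A failure here is the "port in use"
// case a --port flag lets the user route around.
func ListenLoopback(port int) (net.Listener, error) {
	return net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
}

// WaitForCode serves the callback on ln until a valid code arrives or ctx
// expires, then shuts the server down so the port is released.
func WaitForCode(ctx context.Context, ln net.Listener, state string) (string, error) {
	codes := make(chan string, 1)
	srv := &http.Server{Handler: CallbackHandler(state, codes)}
	go srv.Serve(ln)
	defer srv.Shutdown(context.Background())
	select {
	case code := <-codes:
		return code, nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}
```

The redirect is compared against a fresh random `state` with a constant-time comparison and the listener is bound to `127.0.0.1` rather than all interfaces, so nothing off-host can reach the callback and nothing on-host can complete it without the value printed in this process's URL. `WaitForCode` always shuts the server down, whether a code arrived or the deadline passed, which is what lets a later run reuse the same port.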