vapor-ware / sctl

sctl is not end-to-end encryption. It is closer to an envelope in which secrets are stored until they are needed, and a secret should be available in plain text only while the operation that needs it is running.
GNU General Public License v3.0

[VIO-2757] Implement loopback OAUTH flow #94

Status: Closed. AdamIsrael closed this PR 1 year ago.

AdamIsrael commented 1 year ago

The OOB OAuth flow we were using was discontinued by Google in October 2022 (oob-migration).

This PR implements the loopback flow recommended for desktop clients (oob-migration/desktop-client), fixing the current sctl breakage.

This doesn't make the headless workflow any easier; that might require a service account and the server-to-server flow.

This also implements a --port flag to use in case the default port (currently 9999) is in use or otherwise unavailable. This port needs to match the redirect_uris in the configured credentials.

# Note that `redirect_uris` should point to localhost and an available port
$ sctl credential add
{
    "installed": {
        "client_id": "<redacted>",
        "project_id": "myproject",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "<redacted>",
        "redirect_uris": [
            "http://localhost:9999/auth/google/callback"
        ]
    }
}

Go to the following link in your browser then type the authorization code: 
https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=<redacted>&redirect_uri=http%3A%2F%2F127.0.0.1%3A9999&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloudkms&state=2lyAnj9cAojVooC5UxnlTg%3D%3D
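The loopback flow the PR describes, as an added example in Go that is not sctl's own code: it generates a random state value, builds the authorization URL with a redirect_uri that has to match the redirect_uris entry in the installed-app credentials exactly, binds the requested loopback port (the equivalent of the --port flag, where a busy port is reported rather than silently replaced, because the redirect URI registered with Google is fixed), and accepts only a callback whose state matches before handing back the authorization code. The callback path /auth/google/callback, the default port 9999, the scope, and all function names are assumptions mirroring the transcript above; exchanging the code at token_uri is not shown.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Assumed values mirroring the redirect_uris entry quoted in the PR, not taken from sctl's source.
const (
	defaultPort  = 9999
	callbackPath = "/auth/google/callback"
	authEndpoint = "https://accounts.google.com/o/oauth2/auth"
	kmsScope     = "https://www.googleapis.com/auth/cloudkms"
)

// newState returns 128 random bits, URL-safe; only a callback carrying this
// exact value is accepted, so a stray or forged redirect is ignored.
func newState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// redirectURI must equal the credentials' redirect_uris entry byte for byte.
func redirectURI(port int) string {
	return fmt.Sprintf("http://localhost:%d%s", port, callbackPath)
}

// authURL builds the link the user opens in a browser.
func authURL(clientID, redirect, state string) string {
	q := url.Values{}
	q.Set("access_type", "offline")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirect)
	q.Set("response_type", "code")
	q.Set("scope", kmsScope)
	q.Set("state", state)
	return authEndpoint + "?" + q.Encode()
}

// listen binds the loopback port; a busy port is an error, not a reason to pick another one.
func listen(port int) (net.Listener, error) {
	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
	if err != nil {
		return nil, fmt.Errorf("port %d unavailable; pass --port and update redirect_uris: %w", port, err)
	}
	return ln, nil
}

// waitForCode serves the callback until a request with the expected state and
// a non-empty code arrives or ctx expires. Bad callbacks get 400 and are ignored.
func waitForCode(ctx context.Context, ln net.Listener, expectedState string) (string, error) {
	codeCh := make(chan string, 1)
	mux := http.NewServeMux()
	mux.HandleFunc(callbackPath, func(w http.ResponseWriter, r *http.Request) {
		got, code := r.URL.Query().Get("state"), r.URL.Query().Get("code")
		if subtle.ConstantTimeCompare([]byte(got), []byte(expectedState)) != 1 || code == "" {
			http.Error(w, "invalid state or missing code", http.StatusBadRequest)
			return
		}
		fmt.Fprintln(w, "Authorization received; you can close this tab.")
		select {
		case codeCh <- code:
		default: // a repeated valid callback changes nothing
		}
	})
	srv := &http.Server{Handler: mux, ReadHeaderTimeout: 5 * time.Second}
	go srv.Serve(ln)
	defer srv.Close()
	select {
	case code := <-codeCh:
		return code, nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

func main() {
	state, err := newState()
	ln, lerr := listen(defaultPort)
	if err != nil || lerr != nil {
		log.Fatal(err, lerr)
	}
	fmt.Println("Open this link in your browser:\n" + authURL("<client_id>", redirectURI(defaultPort), state))
	code, err := waitForCode(context.Background(), ln, state)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("Authorization code received; exchange it at token_uri:", code)
}
```

The listener binds 127.0.0.1 while the redirect URI uses localhost, as the credentials in the transcript do; on a host where localhost resolves only to ::1 the browser's callback would never reach the listener, so the listen address and the redirect host should be kept consistent with each other and with what is registered in the credentials.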