Reimplement Account Authentication not using internal Web Browser

[Kyrodan]

Completely reimplement account authentication:

• remove WebView in favor of using System's Default Web Browser
• use internal (loopback) server instead of "URL/Document Title catching" (where possible)

Reasons:

• Google deprecated "WebView Authentication" in the end of 2016 and starts removing it's functionality by the end of April 2017 (see Authentication failed with Google drive #87)
  • https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html
  • https://developers.google.com/identity/protocols/OAuth2InstalledApp (Option 4, Programmatic Extraction)
• removing platform dependencies to support Mono/Linux (see Mono/.Net Core/Linux Support #18)
• WinForms WebBrowser control uses outdated compatibility mode of Internet Explorer, which ist not supported by many platforms anymore

[BurningEnlightenment]

FYI there is an ietf draft regarding oauth2 in native applications which might be helpful: https://tools.ietf.org/html/draft-ietf-oauth-native-apps-11#page-2
There is also a netstandard1.4 & net452 implementation of said draft: https://github.com/IdentityModel/IdentityModel.OidcClient2
HTH
EDIT: ooops, totally missed that the ietf draft was mentioned in the linked google blog post 🙈

[univerio]

@Kyrodan Here's an idea: what if we have a trampoline page hosted on an SSL domain, that just uses JS to redirect to a localhost URL, effectively bypassing all of the SSL, port, and URL fragment restrictions?

[BurningEnlightenment]

@Kyrodan have you begun implementing this feature? If yes, can I help speeding things up in some way? If not, would you mind if I start implementing?
Oh, btw: the ietf draft became an RFC by now: https://tools.ietf.org/html/rfc8252

[Kyrodan]

Hi @BurningEnlightenment I haven't begun with this issue.
A Pull Request for that is welcome.
But please be aware: Not all provides currently implement this RFC. So you have to check it for every provider.

[BurningEnlightenment]

Microsoft finally implemented the PKCE RFC in Azure AD via the v2 Endpoint 🎉

• docs
• doc-update-diff
• azure feedback ticket

(on a side note: I stopped working on this back then after I figured that it wouldn't work with OneDrive, so maybe I will give it another shot next month or so)

[marcomsousa]

I wasn't able to add my Google Drive Account.
Using last version about both the plugin and the KeePass. and Windows 10 Last version.

I was able to put my username/password and TFA PIN, but when Google show the allow or denied button grayed-out I can't press them.
Maybe because of incompatible with Web Browser, or deprecated..

[marcomsousa]

To fix issue my suggestion is to implement the same way as Cyberduck application.

When you choose the Google Drive, it open the Google Authentication/Verification in the default browser (outside the Application).
When to complete Google will give you a code to Copy it.

This Google oauth2 is configured as a Native App, the url is:
https://accounts.google.com/o/oauth2/approval/v2/approvalnativeapp?auto=false&response=state

Inside the Application you have a Google Drive windows to past the code retrieve in the browser:

This solutions should be easy to implement, is more or less just deleting code lines :-D

[Turiok]

Hi,

If I understand well, my bug is caused because this feature is not implemented.
So sync with gdrive is impossible?
Or someone found a workaround?

#212

[alabamatoy]

I appear to be broken as well. This link: https://accounts.google.com/o/oauth2/approval/v2/approvalnativeapp?auto=false&response=state Simply brings a 404 not found error.

[Kyrodan]

Releases v2.0.0 today.