Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OOB auth flow is scheduled for deprecation #15

Closed
PBhadoo opened this issue May 9, 2022 · 3 comments
Closed

OOB auth flow is scheduled for deprecation #15

PBhadoo opened this issue May 9, 2022 · 3 comments

Comments

@PBhadoo
Copy link

PBhadoo commented May 9, 2022

Just learned about this: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html?m=1#disallowed-oo

Can you fix this. Doesn't require much work if do this.

https://bdi-generator.hashhackers.com

I have used JS to get code from parameters and fill up in site automatically.
@anadius
Copy link
Owner

anadius commented May 9, 2022

I can, but it won't be that nice.

  • I can't use rclone's credentials with a redirect to my site - I can't add my site to allowed ones.
  • I won't make my own app because I can't be arsed to get it verified - and unverified apps can be used by only 100 people.
  • And you can't make your own app and add my site to allowed ones because Google requires you to verify ownership of it.

So the only solution is a redirection to 127.0.0.1:someport. And since I don't want to create any application that the user has to run on their PC, and since you can't create a server in JavaScript in your browser, people will get redirected to a page that doesn't load. Then they will have to copy the URL of it and paste it into a box. I have it ready but I'm not pushing it yet - because I know people will ask "what do I do, the page doesn't load" despite clear instructions telling them that this will happen.

@anadius anadius mentioned this issue May 9, 2022
Closed
@PBhadoo
Copy link
Author

PBhadoo commented May 10, 2022

Verification is not a big deal, i can get it verified for you. I can just make new Gmail and get it verified and send details of Gmail account to you.

Why?
The reason you said, people won't read and ask stupid questions. I had to push this so they won't ask. I've a pretty good trick to get app verified from Google.

@anadius
Copy link
Owner

anadius commented May 10, 2022

Good for you but my answer is still "no".

  1. Right now I use rclone's credentials by default. While obfuscated in rclone's source code - they are publicly known. If I use my own app - my credentials would be known too, and I don't want that.
  2. You can make it work with client ID alone - using Google API Client Library for JavaScript - but then you lose the ability to quickly switch between accounts, since you can be authorised with one account only.
  3. Other people host the decryption page on their websites. And my app would work with redirection to my website only. I'd either have to create different auth flows or require other people to create their own apps and get them verified. And I won't do that.

@PBhadoo PBhadoo closed this as completed May 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@anadius @PBhadoo