Replace Google authentication strategy

[marcocaberletti]

This PR changes the authentication strategy, using the OAuth2 Device code flow (aka "Desktop app" in Google credentials language)

This change resolves also #341

[gilesknap]

This looks great. Thanks. I'll give it a try this weekend and update the docs too.

I'm not sure why I did not use 'desktop app' in the first place, but its too long ago to remember!

[gilesknap]

Hi Marco,

I think I need help generating the application token. Using your code I'm still getting the error in #341.

Did you use a different workflow to generate the App token?

Thanks

[marcocaberletti]

Verify the client_secret.json content: you should only have this:

 "redirect_uris": [
      "http://localhost"
    ]

in redirect URIs

[gilesknap]

Thanks, I now have it working.

One of the things I need to support is non-GUI authentication for people running gphotos-sync on a server or in a container.

It looks like I can achieve this with:
flow.run_local_server(open_browser=False, host=)

This is only going to work if host is routable from the workstation where the user runs their browser. Its a new limitation but worth the fix.

Many thanks.

[marcocaberletti]

I think the limitation can be solved using run_console:

flow.run_console()

Maybe a new CLI parameter can be added to choose with strategy use. I'll try and open a new PR

[gilesknap]

Hi Marco, The first thing I tried was run_console and it does not seem to use the localhost server. If you can make it work I would be interested as this would be the preferred solution. Thanks.

…

On Mon, 25 Apr 2022 at 07:57, Marco Caberletti ***@***.***> wrote: I think the limitation can be solved using run_console <https://google-auth-oauthlib.readthedocs.io/en/latest/reference/google_auth_oauthlib.flow.html#google_auth_oauthlib.flow.InstalledAppFlow.run_console> : flow.run_console() Maybe a new CLI parameter can be added to choose with strategy use. I'll try and open a new PR — Reply to this email directly, view it on GitHub <#342 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAHLRW5HLI2A5MBUZB3XV4DVGY665ANCNFSM5TSW56NA> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

[gilesknap]

@marcocaberletti any ideas on this?

flow.run_local_server(open_browser=False)
and
flow.run_console()
present the following URLs respectively:

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=922694661112-hso5f9cqnuafdqap2k9nkc1qbatlf5am.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fphotoslibrary.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fphotoslibrary.sharing&state=d4cKp4V5ar49FsafOtoFK9YjKzF9Ee&access_type=offline
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=922694661112-hso5f9cqnuafdqap2k9nkc1qbatlf5am.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fphotoslibrary.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fphotoslibrary.sharing&state=WOIbBskf9JZ22x3H71kX8NOpBBgOmb&prompt=consent&access_type=offline

So you can see why the second one does not work.

[marcocaberletti]

I see the deprecated redirect uri in the second URL.
Now, I don't remember all the details. I have to dig into it and try.

[marcocaberletti]

Hi @gilesknap ,
You are right, run_console is deprecated and it doesn't work.
I've tried to implement this: https://developers.google.com/identity/protocols/oauth2/limited-input-device.
But as you can see at the end of the page, GooglePhotos scopes are not yet supported.
So, for servers and containers, I guess the workaround is:

• create the access on a device with a browser
• copy the saved token file .gphotos.token into the destination folder

[gilesknap]

Thanks,

I'm going to go with this:

flow.run_local_server(open_browser=False, host=hostname)

where hostname can be passed on the command line.

Then it can be made to work as long as you have a workstation with a browser that can route to hostname.