
Google OOB End-of-life #675

@maraino

Description

Discussed in smallstep/certificates#926

Originally posted by pladen May 5, 2022

Some news from Google

OAuth out-of-band (OOB) flow will be deprecated on October 3, 2022
Note: New OOB usage has already been disallowed since February 28, 2022.

Since this is the only flow supported by step-cli to achieve OIDC token issuance from a shell without browser access, we definitely need an alternative. It seems that the flow is considered not secure at all because it could be easy to trick a user into copy/pasting the code in a MITM context.

Our use case is the following:

  • we use an OIDC provider (Google) to authenticate against our step-ca
  • we access a remote device through a very limited SSH (no port forwarding, no agent forwarding)
  • this device does not have any browser nor GUI
  • the awesome step-cli tool launches an OOB flow with Google (with the --console flag)
  • which lets us copy/paste the login link,
  • then copy/paste back the authorization code
  • tada, the token is available on the remote device to be used for the next operations

The alternative could be to implement "Sign-In on TVs and Limited Input Devices", which involves sending the user to a generic URL and letting them paste a unique code and consent to give a token to the app.
Here is the doc
https://developers.google.com/identity/gsi/web/guides/devices

We are not skilled enough to implement this ourselves but will be happy to discuss or test any progress on this.

More info on oauth flows at google
https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html
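The flow proposed above is the OAuth 2.0 device authorization grant (RFC 8628), which is what the linked Google guide describes: the headless device asks for a device_code/user_code pair, the human opens the verification URL on any browser-capable machine and types the short user code, and the device polls the token endpoint with the device_code until consent arrives. Below is an added Go example (step-cli's language) that is not part of step-cli, step-ca or the original issue. It implements the client side against a constructed in-process mock of the provider; the endpoint paths, client ID, scope, the codes and the id_token value are all made up, and a real client would take the endpoints from the provider's discovery document (`device_authorization_endpoint` and `token_endpoint`). The part a practitioner should not skip is the polling discipline: honour `interval`, add 5 seconds on `slow_down`, and stop at `expires_in` instead of polling forever.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// DeviceAuth is the device authorization response (RFC 8628 section 3.2); device_code never leaves the device.
type DeviceAuth struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`        // short code the human types into the consent page
	VerificationURI string `json:"verification_uri"` // consent page, opened on any browser-capable machine
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"` // minimum seconds between polls
}

type TokenResponse struct {
	IDToken string `json:"id_token,omitempty"`
	Error   string `json:"error,omitempty"` // RFC 8628 section 3.5 error codes
}

func postForm(c *http.Client, endpoint string, form url.Values, out interface{}) error {
	resp, err := c.PostForm(endpoint, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(out)
}

// PollToken polls the token endpoint until the human approves, adds 5s on slow_down, and stops at expiry.
func PollToken(c *http.Client, endpoint, clientID string, da *DeviceAuth, sleep func(time.Duration)) (*TokenResponse, error) {
	interval, deadline := time.Duration(da.Interval)*time.Second, time.Now().Add(time.Duration(da.ExpiresIn)*time.Second)
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}, "device_code": {da.DeviceCode}, "client_id": {clientID}}
	for time.Now().Before(deadline) {
		sleep(interval)
		var tr TokenResponse
		if err := postForm(c, endpoint, form, &tr); err != nil {
			return nil, err
		}
		switch tr.Error {
		case "":
			return &tr, nil
		case "authorization_pending": // the human has not entered the code yet; keep waiting
		case "slow_down": // RFC 8628 requires adding at least 5 seconds to the interval
			interval += 5 * time.Second
		default: // access_denied, expired_token, invalid_grant, ...
			return nil, fmt.Errorf("device flow failed: %s", tr.Error)
		}
	}
	return nil, fmt.Errorf("device_code expired before the user approved")
}

// newMockProvider is a constructed, single-client (unsynchronized) stand-in for the provider with one fixed
// code pair: poll 1 gets slow_down, poll 2 authorization_pending, later polls a token once the matching
// user code was approved. The returned func plays the human on the consent page.
func newMockProvider() (*httptest.Server, func(userCode string)) {
	const deviceCode, userCode = "constructed-device-code", "ABCD-1234"
	approved, polls := false, 0
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/device/code" {
			json.NewEncoder(w).Encode(DeviceAuth{DeviceCode: deviceCode, UserCode: userCode, VerificationURI: "https://example.invalid/device", ExpiresIn: 300, Interval: 5})
			return
		}
		polls++ // everything else is the token endpoint
		var tr TokenResponse
		switch {
		case r.FormValue("device_code") != deviceCode:
			tr.Error = "invalid_grant"
		case polls == 1:
			tr.Error = "slow_down"
		case polls == 2 || !approved:
			tr.Error = "authorization_pending"
		default:
			tr.IDToken = "constructed.id.token"
		}
		json.NewEncoder(w).Encode(tr)
	}))
	return srv, func(code string) { approved = code == userCode }
}

// RunDemo runs the whole exchange against the mock and returns the id_token plus the waits the
// client would have slept between polls, where the slow_down backoff becomes visible.
func RunDemo() (string, []time.Duration, error) {
	srv, consent := newMockProvider()
	defer srv.Close()
	var da DeviceAuth
	if err := postForm(srv.Client(), srv.URL+"/device/code", url.Values{"client_id": {"step-cli-example"}, "scope": {"openid email"}}, &da); err != nil {
		return "", nil, err
	}
	consent(da.UserCode) // the human opens da.VerificationURI elsewhere and types da.UserCode
	var waits []time.Duration
	tr, err := PollToken(srv.Client(), srv.URL+"/token", "step-cli-example", &da, func(d time.Duration) { waits = append(waits, d) })
	if err != nil {
		return "", nil, err
	}
	return tr.IDToken, waits, nil
}
```

Against the mock, RunDemo returns the constructed id_token after three polls with waits of 5s, 10s and 10s, the jump being the slow_down backoff. Two caveats when pointing this at Google rather than the mock: Google's device response names the consent page `verification_url` rather than the RFC's `verification_uri`, so the struct tag needs adjusting, and Google's documentation for this client type expects a `client_secret` on the token request alongside `client_id`.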
