Replace OOB with loopback 3LO flow

[bsidhom]

The out-of-band flow is deprecated and can no longer be used to authorize new clients: https://developers.google.com/identity/protocols/oauth2/resources/oob-migration#what-is-oob. Desktop clients should be migrated to the loopback flow: https://developers.google.com/identity/protocols/oauth2/resources/oob-migration#desktop-client.

Fixes #1140.

[bsidhom]

This patch is a bit rough, but I've verified that it works with new clients and also when redirected through a SOCKS proxy. This is important since it's now the only way to authorize a remote server (short of using service account credentials directly).

[indev29]

Thanks for the patch, worked for me!
Got this message after the auth: error closing loopback server: <nil>, is something wrong with handling the response? Everything worked fine, just a suspicious message.

[bsidhom]

Ah, I think that's an issue due to partially-typed interfaces never evaluating as nil. Anyway, as the contents of the message indicate, there's no error there, so it's fine. Further, this is just supposed to be a (non-blocking) warning when the server fails to shut down cleanly. I'll try to figure out how to fix that nil check.

[bsidhom]

Turns out there were 2 problems. I wasn't checking for http.ErrServerClosed and I was printing the wrong error message (err instead of closeErr). Should be fixed now.

[amirkhiz]

@bsidhom Thanks for your patch I really don't know how to use this patch and install instead of the main one could you please help me with this?

[grovera-md]

Hello!! I just completed a fresh installation with the command "go install github.com/odeke-em/drive/cmd/drive@latest", but the authentication step doesn't work. Could you please provide some guidance on the steps/commands required to solve this issue? Best regards

[djtinus]

Hello!! I just completed a fresh installation with the command "go install github.com/odeke-em/drive/cmd/drive@latest", but the authentication step doesn't work. Could you please provide some guidance on the steps/commands required to solve this issue? Best regards

You have to clone the source and fetch the Pull request. Then build from source and copy the generated binary into the $GOPATH/bin

Steps i've done (with the installation of drive already done with go install github.com/odeke-em/drive/cmd/drive@latest:

~# git clone https://github.com/odeke-em/drive.git
~# cd drive/
~# git fetch origin pull/1142/head:loopback-auth
~# git checkout loopback-auth
~# go build ~/drive/cmd/drive/
~# mv drive $GOPATH/bin/drive

After completing this steps I was able to authenticate the client. Since this is my very first comment on Github feel free to correct me if i'm wrong

[grovera-md]

You have to clone the source and fetch the Pull request. Then build from source and copy the generated binary into the $GOPATH/bin

Steps i've done (with the installation of drive already done with go install github.com/odeke-em/drive/cmd/drive@latest:

~# git clone https://github.com/odeke-em/drive.git ~# cd drive/ ~# git fetch origin pull/1142/head:loopback-auth ~# git checkout loopback-auth ~# go build ~/drive/cmd/drive/ ~# mv drive $GOPATH/bin/drive

After completing this steps I was able to authenticate the client. Since this is my very first comment on Github feel free to correct me if i'm wrong

Thank you very much for the clear instructions. I will try them as soon as possible. Best regards

[alievrusik]

Hello!! I just completed a fresh installation with the command "go install github.com/odeke-em/drive/cmd/drive@latest", but the authentication step doesn't work. Could you please provide some guidance on the steps/commands required to solve this issue? Best regards

You have to clone the source and fetch the Pull request. Then build from source and copy the generated binary into the $GOPATH/bin

Steps i've done (with the installation of drive already done with go install github.com/odeke-em/drive/cmd/drive@latest:

~# git clone https://github.com/odeke-em/drive.git ~# cd drive/ ~# git fetch origin pull/1142/head:loopback-auth ~# git checkout loopback-auth ~# go build ~/drive/cmd/drive/ ~# mv drive $GOPATH/bin/drive

After completing this steps I was able to authenticate the client. Since this is my very first comment on Github feel free to correct me if i'm wrong

Thanks for your comment! After this fix I was able to authenticate, but got error from google after authentication:

This app is blocked
This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.

Have you encountered such issue? How to fix it?

[bsidhom]

I'm guessing that's because you're using the default client ID. You may need to create your own client id and secret as mentioned here. Note that these environment variables are only used while running drive init (i.e., you only need to set them while authorizing the drive app). Note that this is intended for developers and will require you to jump through some hoops (and possibly update things periodically).

To set up a client ID, you'll need a Google Cloud project. Once you've set up your project, you'll need to enable the Google Drive API. After that, you can go to the credentials page and create a new credential for OAuth. You'll need to select "desktop app" when creating the credentials.

There are some additional security benefits to using your own client secrets (assuming you're vetting the drive client code, only building from source, and keeping your client secrets safe). You'll also get your own quota pool, which is the reason this was historically recommended.

If you don't want to actively manage your own developer project for this purpose, you might also consider switching to Rclone, which I believe supports the new Google OAuth flows. (On the other hand, if you're security-conscious, that's a much larger code base with a larger surface area; but with that, you also have more eyes on the project.)

[jean-christophe-manciot]

@djtinus
I've successfully tried your build steps.
However, we lost the environment variables used by drive version:

drive version
drive version: 0.3.9.1
Commit Hash: <CURRENT_COMMIT>
Go Version: <GO_VERSION>
OS: <OS_INFO>
BuildTime: 

I suppose they were populated in drive-gen.
Any suggestion?

[jelabarre59]

I'm guessing that's because you're using the default client ID. You may need to create your own client id and secret as mentioned here. Note that these environment variables are only used while running drive init (i.e., you only need to set them while authorizing the drive app). Note that this is intended for developers and will require you to jump through some hoops (and possibly update things periodically).

Yep, Google trying to make everything MORE hostile to anyone who would dare to use anything outside of their barbed-wire walled garden (look at the discussion about their intentionally-kneecapped Google Photos API https://issuetracker.google.com/issues/80379228 ).

There are some additional security benefits to using your own client secrets (assuming you're vetting the drive client code, only building from source, and keeping your client secrets safe). You'll also get your own quota pool, which is the reason this was historically recommended.

If you don't want to actively manage your own developer project for this purpose, you might also consider switching to Rclone, which I believe supports the new Google OAuth flows.

The problem with RClone is it doesn't export GoogleDocs to local files. This is the only utility I've seen that can do that. And Google is doing everything (legal or otherwise) to make sure you can't leave their ecosystem. I really need to find an alternative that lets me do my writing from multiple devices/platforms, where I can set the docs to work offline as well.

[jelabarre59]

Well, that was a waste of time. Managed to browbeat Google's system to let me access the API, and when I run the sync to bring down all my doc updates, it exits and says "Everything is up-to-date" without pulling ANYTHING. I have definitely done edits recently, so there should be new files.

Yes, I DEFINITELY need to move my docs off of Google. Every week they become more and more arrogant, and more hostile to the end-users.

[hightowe]

@jelabarre59 - Newer versions of rclone will export Google Docs to local files. I recently moved to rclone from drive for one of my Google Docs backups (I have several). It worked well. I may move more over after I have some more experience with it and the time to do so.