Command line example in documentation does not work anymore #374

Closed
chutzimir opened this issue Mar 3, 2022 · 10 comments
Labels: type: docs (Improvement to the documentation for an API.)
@chutzimir

With the recent enforcement of non-copy-paste authorization flows the "Command line" examples in this library's README.md are no longer working.

I already posted this at StackOverflow but the gist of it is that Command Line applications now fail to authorize with the following error:

Error 400: invalid_request

You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one or more Google validation rules.

Request details:

The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.

If you’re the app developer, make sure that these request details comply with Google policies.

redirect_uri: urn:ietf:wg:oauth:2.0:oob

Basically the code which uses urn:ietf:wg:oauth:2.0:oob will fail.

Steps to reproduce

  1. Just try the example in README.md

Code example

```ruby
require 'googleauth'
require 'googleauth/stores/file_token_store'

OOB_URI = 'urn:ietf:wg:oauth:2.0:oob'

scope = 'https://www.googleapis.com/auth/drive'
client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
token_store = Google::Auth::Stores::FileTokenStore.new(
  :file => '/path/to/tokens.yaml')
authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store)

user_id = ENV['USER']
credentials = authorizer.get_credentials(user_id)
if credentials.nil?
  url = authorizer.get_authorization_url(base_url: OOB_URI )
  puts "Open #{url} in your browser and enter the resulting code:"
  code = gets
  credentials = authorizer.get_and_store_credentials_from_code(
    user_id: user_id, code: code, base_url: OOB_URI)
end

# OK to use credentials
```
@cwant

cwant commented Oct 19, 2022

I sure could use an example of how this is supposed to work now, whether it's in the documentation or not.
I would be deeply grateful if a Googler had a simple example they can add to this issue while waiting for new documentation.

@shivgautam
Contributor

@bajajneha27 - Can you look into this?

@cwant

cwant commented Oct 21, 2022

I did get something working (in a dependent gem) using duct tape and baling wire:

gimite/google-drive-ruby#424 (comment)

This is likely not the solution Google had in mind when they made this change (copy/paste a chunk of a URL from an error message).

@chutzimir
Author

> I did get something working (in a dependent gem) using duct tape and baling wire:
>
> gimite/google-drive-ruby#424 (comment)
>
> This is likely not the solution Google had in mind when they made this change (copy/paste a chunk of a URL from an error message).

@cwant I did post a more "proper" solution on the StackOverflow question you are referring to in your link.

https://stackoverflow.com/a/71491500/1213346

It is more in line with what was envisioned, i.e., the app received the code automatically from the redirect of the browser.
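The loopback alternative to the OOB redirect described in the comment above, as an added example that is not part of the thread and not code from googleauth: the app listens on 127.0.0.1, receives the browser redirect, checks `state`, and returns the code that `gets` used to supply in the issue's example. The function names, `CALLBACK_PATH`, and the use of a `state` value in the authorization request are assumptions made for illustration; a thread stands in for the browser with constructed values.

```ruby
require 'socket'
require 'securerandom'
require 'uri'

CALLBACK_PATH = '/oauth2callback' # assumed; must match the path of the redirect URI in use

# Pull the code out of a request line such as "GET /oauth2callback?code=..&state=.. HTTP/1.1".
def parse_callback(request_line, expected_state)
  verb, target, = request_line.to_s.split(' ')
  raise ArgumentError, 'not a GET request' unless verb == 'GET' && target
  uri = URI.parse(target)
  raise ArgumentError, 'unexpected path' unless uri.path == CALLBACK_PATH
  params = URI.decode_www_form(uri.query.to_s).to_h
  raise ArgumentError, "authorization failed: #{params['error']}" if params['error']
  raise ArgumentError, 'state mismatch' if expected_state.to_s.empty? || params['state'] != expected_state
  params['code'] or raise ArgumentError, 'no code in redirect'
end

# Accept one connection on the loopback listener, answer it, and return the code.
def receive_code(server, expected_state)
  client = server.accept
  request_line = client.gets
  loop { break if [nil, "\r\n"].include?(client.gets) } # drain the request headers
  code = parse_callback(request_line, expected_state)
  client.write("HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
  code
rescue ArgumentError, URI::InvalidURIError
  client&.write("HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
  raise
ensure
  client&.close
end

# Constructed demo: a thread plays the browser following the redirect.
def simulate_redirect(query, expected_state)
  server = TCPServer.new('127.0.0.1', 0) # loopback only, ephemeral port
  browser = Thread.new do
    TCPSocket.open('127.0.0.1', server.addr[1]) do |s|
      s.write("GET #{CALLBACK_PATH}?#{query} HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n")
      s.read
    end
  end
  receive_code(server, expected_state)
ensure
  browser&.join
  server&.close
end

state = SecureRandom.urlsafe_base64(32) # unguessable value tied to this authorization attempt
puts simulate_redirect("code=constructed-code&state=#{state}", state)
```

Binding to 127.0.0.1 rather than all interfaces keeps the listener unreachable from other hosts, and rejecting a missing or mismatched `state` stops a redirect that this process did not initiate from injecting a code.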

@mfroment

mfroment commented Jan 4, 2023

Thanks a lot @cwant, I did the same as what you suggested and it worked for me. Thanks @chutzimir for sharing your more proper solution too.

It would still be great if a Googler could provide reference code that works following OOB flow deprecation. Thanks in advance!

@bajajneha27
Contributor

Thank you all for reporting this and for your patience.
The Google Auth OOB flow was discontinued on January 31, 2023. We have updated our documentation for the same in PR #435. We'll eventually remove the code from the library too.
I'll go ahead and close this issue for now. Please feel free to reopen in case you need anything.

@richardkmichael

Closing this with #435 is disappointing.

The people commenting in this thread would like sample code to authenticate a command line application. This is also why I enabled notifications for this issue. Is that no longer possible.. easily? (I am currently doing so with puppeteer, a huge dependency for a command line program, and a brittle auth mechanism.) If not, it would be helpful to state clearly, instead of the simple reference to the Google documentation -- which is not particularly straightforward.

@bajajneha27
Contributor

@richardkmichael Apologies for the inconvenience caused. But the command line mechanism is deprecated.

If the migration guide looks complicated, I'd suggest you look at this web sample here or here (this will be shortly updated). Hope this helps.

@cwant

cwant commented Jun 16, 2023

I agree with Richard, this is a definite loss for users of the APIs. There are use cases for these APIs (automation, data mining) that don't involve browsers and phones.

@meredithslota

Hi folks — I understand your concerns. However, this is outside of our control (for this library) as it's impacting all auth libraries. There's more detail here: https://developers.google.com/identity/protocols/oauth2/resources/oob-migration in addition to what @bajajneha27 already shared. Specifically: "This effort is a protective measure against phishing and app impersonation attacks during interactions with Google's OAuth 2.0 authorization endpoints."
