MeshCentral
Some OAuth flows deprecated soon
Hi Ylian!
Some OAuth flows will be deprecated soon. More information here: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html
At this moment, to use the Google Drive backup resource, if one sets and uses a new credential that fits the new Google criteria, it returns an error 400 "invalid_request". The error description can be found here: https://support.google.com/accounts/answer/12379384?hl=en
I don't know if this was addressed yet.
Thanks in advance!
So, some OAuth flows will be deprecated, specifically loopback and out-of-band. I don't think MeshCentral uses these, so we should be fine. Regardless of these removals, are you saying the Google Drive auto-backup feature does not currently work?
Sorry about the title; it was implicit that there are "some". I am not a native English speaker, and I ask you to kindly take this into account.
For now, it is working fine.
I've received a communication from Google indicating that the credential that I use in MeshCentral will be deprecated. I set a new one, and when I try to use it on MeshCentral, it returns an error informing me that it is an invalid request.
If I misunderstood the situation, I apologize.
Error message when setting a new credential is:
Error 400: invalid_request
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.
You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Request details:
The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.
If you’re the app developer, make sure that these request details comply with Google policies.
redirect_uri: urn:ietf:wg:oauth:2.0:oob
+1 for this.
Same for me. My drive backup stopped a few days ago. Today, I went to re-connect it...
Error 400: invalid_request
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.
You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Request details:
The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.
If you're the app developer, make sure that these request details comply with Google policies.
redirect_uri: urn:ietf:wg:oauth:2.0:oob
Something to note. If I put the project back to testing on the Google console, the process works. But this will make it so that it will fail in a number of days.
Yep, this only works for me for about 5-6 days and then stops backups again. This is related to https://github.com/Ylianst/MeshCentral/issues/4358 I wish I knew anything about NodeJS, I would be happy to look at the code but I really don't feel I could help much.
@Ylianst This is still an issue. This only works for a limited time while the project on Google is in testing. If I publish the app on the console, the google Drive integration fails with the following error.
The strange thing is, this works fine on my setup at work. But I cannot figure out what is different between there and home. At work, we are using a free gmail account, just like I am at home. Maybe you could do a video on the full setup, start to finish on how to make this work.
This is the error details.
Workaround
Add http://localhost:1/ to your redirect URIs in Google's API Console.
Edit node_modules/meshcentral/meshuser.js, line 4592, and replace urn:ietf:wg:oauth:2.0:oob with http://localhost:1/.
You can use the following one-liner to update the file using sed; you may need to update the file path depending on your install:
sed -i "s/urn:ietf:wg:oauth:2.0:oob/http:\/\/localhost:1\//" ~/node_modules/meshcentral/meshuser.js
Then restart MeshCentral (go to the console in MeshCentral and type "resetserver"). As of the latest version it seems like MeshCentral reinstalls itself from npm every time it restarts, and I had to wait until the meshuser.js file got acquired to apply the change. There is probably an easier way though.
You can then go through the normal steps, and when you get redirected you'll find the code in the URL, which you'll copy. You'll get redirected to http://localhost:1/?code=CODE&scope=https://www.googleapis.com/auth/drive.file. Just copy the code, not the scope part, and supply that code.
Then go to the console and run autobackup to test it. If it succeeds, you're good to go! This workaround is only needed for setting it up; once it is working there should be no issue.
Important: Google Cloud API Publishing Status:
When you create your API credentials in Google Cloud, go to the "OAuth Consent Screen" page and ensure you set the publishing status to production. If it is in testing status your token will expire after 7 days.
Google Cloud Step-By-Step
This guide assumes you are accessing Google Cloud from an account that hasn't accessed it before.
- Click the link provided by MeshCentral (or go here)
- Agree to the Terms of Service.
- Click "Select a project" at the top left then "New Project" at the top right.
- Name the project and confirm creation.
- It'll take a moment, then it'll redirect you to a page for the Google Drive API with an "Enable" button at the top left. Click "Enable".
- Click "OAuth consent screen" on the left sidebar.
- Click "External" and then "Create".
- Give the app a name, select the user support email, add developer contact information, click "Save and continue".
- Click "cancel" on the next page (Scopes).
- Under "Publishing status" click "Publish App", then "Confirm".
- Click "Credentials" on the left sidebar.
- Click "Create Credentials" then "OAuth client ID".
- Select "Web application" for application type, give it a name, and under "Authorized redirect URIs" add http://localhost:1/. Finally, click "Create".
- Copy and save the Client ID and Client secret. You will use these in MeshCentral.
After you applied the change mentioned at the top of this comment
These instructions still work on 1.1.11, I just checked / verified on 9/14/2023.
@zikeji this works for me but it still stops working after about a week. Then I need to disconnect and reconnect, same as before.
Actually, I think it now works for me, the issue is that the app must be in production AND use the above hack from @zikeji
Ah, yes, a Google API project that is in testing mode automatically invalidates each token after a week since it's for "testing". I also just found that out the hard way in another project.
yep, and when you create credentials in the google cloud console, make sure you select web application as the type.....for anyone else looking on here. Hopefully the dev can write this in so that meshcentral can just capture the code....I have just never written anything for node....
I can look into this next week, So does the Google drive not work at all? Are there certain steps we have to follow for it to work currently?
If the "app" is set to testing, it will work as it is right now, but the token expires every few days and needs to be set up again. If the "app" is set to production, the current setup gives the oob error above. Modifying as per @zikeji above will work in production, but it requires manually copying the code from the browser to the MeshCentral interface.
I just updated to 1.1.11 and reset my configuration to double check / update my instructions here https://github.com/Ylianst/MeshCentral/issues/4450#issuecomment-1427431575
The reason it fails is because MeshCentral uses a removed feature that would get the oauth screen to display the code afterwards, now you must redirect. My workaround changes the redirect URI in the code (which is necessary vs. just altering the URL) and then you copy the URL from the GET parameters.
In terms of fixing this in MeshCentral itself, the solution would be to remove the "Code" entry step of the little wizard and instead add a path to express that handles the redirect from Google, and updating the instructions in the wizard to have you input the proper redirect URI into Google Cloud, e.g. https://mesh.domain.com/oauth/callback. Then that path just reads the code from the GET params and saves that to the database.
(also adding a note about the app being in testing mode on Google Cloud like I mention in my comment)
Thank you @zikeji for the very helpful hints!
Similar to how we do the oauth of logins and sso! Got u!
And after that we can update the documentation on how to setup everything in the Google cloud console.
Thank you @zikeji I found the instructions clear, and I was able to implement the changes. Working so far. We'll see in a couple of weeks!
Well, I haven't touched this since my last comment. It's still working.