I can't add a gmail account
💬 Question
I have tried adding several of my gmail accounts. Whenever I do, I just get a popup saying "AUTHENTICATION FAILED". I can't find any more detail. The run log in docker shows nothing and neither does the javascript console.
Could this be because I have multifactor auth enabled on the gmail accounts, or that I am running cypht on port 81 instead of using https?
Note that I am using the docker version of cypht.
Perhaps helpful?
- https://github.com/cypht-org/cypht/wiki/OAUTH2-over-IMAP
- https://workspaceupdates.googleblog.com/2023/09/winding-down-google-sync-and-less-secure-apps-support.html
Thanks @marclaporte
I have now tried following the OAUTH2-over-IMAP. In my gmail account I created keys:
GMAIL_CLIENT_ID=(redacted).apps.googleusercontent.com
GMAIL_CLIENT_SECRET=(redacted)
GMAIL_CLIENT_URI=http://localhost/
I set them in env vars and restarted cypht. I can tell it's using the vars I set since I can see their values in the query params of the calls to accounts.google.com/signin/oauth
But then I end up at a google error page that tells me:
Error 400: redirect_uri_mismatch
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy.
If you're the app developer, register the redirect URI in the Google Cloud Console. Request details: redirect_uri=http://localhost:8000/
I was concerned localhost is not valid, but it seems acceptable according to this: https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#origin-validation
Question 1: Does anyone have gmail successfully working?
Question 2: Does cypht support only a single gmail account, or is there a way to use multiple gmail accounts?
@jonocodes
The GMAIL_CLIENT_URI must be set to http://localhost/?page=home as class Hm_Handler_process_oauth2_authorization handles adding servers after google redirection
You must also add http://localhost/?page=home in list of authorized redirect URLs in google developers. Thanks.
You can use multiple gmail accounts.
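The redirect_uri_mismatch above comes from Google comparing the redirect_uri in the authorization request against the registered URIs as exact strings. The following is an added example, not code from Cypht or Google; the function names are hypothetical and the URIs are the ones quoted in this thread. It reports which component of the requested URI differs from the closest registered one.

```javascript
// Added example: explain a redirect_uri_mismatch by comparing URI components.
// Function names are hypothetical; URIs are taken from the thread.

function redirectUriDiff(requested, registered) {
  const a = new URL(requested);
  const b = new URL(registered);
  // An omitted port means the scheme default, so compare effective ports.
  const port = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');
  const diffs = [];
  if (a.protocol !== b.protocol) diffs.push('scheme');
  if (a.hostname !== b.hostname) diffs.push('host');
  if (port(a) !== port(b)) diffs.push('port');
  if (a.pathname !== b.pathname) diffs.push('path');
  if (a.search !== b.search) diffs.push('query');
  // Components can be equal while the raw strings still differ
  // (for example a missing trailing slash).
  if (diffs.length === 0 && requested !== registered) diffs.push('exact-string');
  return diffs;
}

function checkRedirectUri(requested, authorizedList) {
  if (authorizedList.includes(requested)) {
    return { ok: true, nearest: requested, diffs: [] };
  }
  let best = null;
  for (const registered of authorizedList) {
    const diffs = redirectUriDiff(requested, registered);
    if (best === null || diffs.length < best.diffs.length) {
      best = { ok: false, nearest: registered, diffs };
    }
  }
  return best ?? { ok: false, nearest: null, diffs: [] };
}

// The first failure in the thread: Cypht sent port 8000, the console had port 80.
console.log(checkRedirectUri('http://localhost:8000/', ['http://localhost/']));
// The second requirement: the registered URI must carry ?page=home as well.
console.log(checkRedirectUri('http://localhost/?page=home', ['http://localhost/']));
```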
Thanks! With a bit of trickery that allowed me to log into one account.
To the wiki that '?page=home' part should be added. Also it should be added that you need to 'publish' your oauth2 app in google to production. Setting the credentials is not enough.
> You can use multiple gmail accounts.
How? Today I tried like this.
- setup a single gmail account
- setup oauth keys for the second account in google
- once it is getting messages, clear the three above vars
- set the vars to the values for the second account
- restart the server
- add the second account in the cypht UI
Once I approve it in google, I am sent back to the cypht login screen instead of the servers page.
You can add several gmail accounts with only one oauth2 app ids. Just return back here and use a different email.
If your oauth2 app is not in production you can add test users who will have to it
I also noticed that Cypht redirects to the login page instead of the execution handlers at /page=home. I will try to debug
> You can add several gmail accounts with only one oauth2 app ids
Ok, perhaps I don't know how oauth works.
But let's say I log into my [email protected] account in google and create oauth2 keys. Would I be able to use the same keys for my [email protected] account? I would not need to create keys for jono2? How would that work?
The keys you create are not tied to a specific account, they are used to connect your app to g-mail server.
That's it: [email protected] and [email protected] and many other gmail accounts will use the same keys. You just need to go to cypht ?/page=servers and add another gmail email.
@jonocodes Merge request to solve redirection to /servers has been merged. Can you confirm it is working, please?
Ok just checked out master and tried it. My env vars are set GMAIL_CLIENT_URI=http://localhost:8000/?page=home
Once I logged into google, it brought me back to the cypht login form. This url: http://localhost:8000/?page=home&state=nux_authorization&code=xxxxxx&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts
If you had a logged in session you should log out your Cypht user to clear browser cookies and log in again. To debug after logging in, you can inspect the browser and ensure that hm_session and hm_id cookies are set to Lax for SameSite option. Thanks.
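Why the SameSite setting decides whether the OAuth callback lands on a logged-in page or on the login form, as an added example that is not Cypht code. It is a simplified model of the browser's SameSite check; the request object and function names are hypothetical, and the callback URL is the one quoted in this thread.

```javascript
// Added example: simplified model of the browser's SameSite decision,
// applied to Google redirecting the browser back to Cypht.

// Assumption: a "site" is approximated as scheme + hostname. Real browsers
// use the registrable domain (public suffix list); the port is ignored.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

// request: { initiator, target, method, topLevelNavigation }
function cookieIsSent(cookie, request) {
  // Same-site requests carry the cookie whatever its SameSite value.
  if (siteOf(request.initiator) === siteOf(request.target)) return true;
  switch (cookie.sameSite) {
    case 'Strict':
      return false; // never sent on a cross-site initiated request
    case 'Lax':
      // Sent only on top-level navigations that use a safe method.
      return request.topLevelNavigation && ['GET', 'HEAD'].includes(request.method);
    case 'None':
      return cookie.secure === true; // SameSite=None requires Secure
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

function cookiesSent(cookies, request) {
  return cookies.filter((c) => cookieIsSent(c, request)).map((c) => c.name);
}

// Constructed request: the redirect from Google back to the Cypht callback.
const oauthCallback = {
  initiator: 'https://accounts.google.com/signin/oauth',
  target: 'http://localhost:8000/?page=home&state=nux_authorization&code=xxxxxx',
  method: 'GET',
  topLevelNavigation: true,
};

// The two Cypht session cookies named in the thread, with a chosen SameSite value.
const sessionCookies = (sameSite) => [
  { name: 'hm_session', sameSite, secure: false },
  { name: 'hm_id', sameSite, secure: false },
];

console.log('Strict:', cookiesSent(sessionCookies('Strict'), oauthCallback));
console.log('Lax:   ', cookiesSent(sessionCookies('Lax'), oauthCallback));
```

With Strict, neither cookie accompanies the callback, so the server sees no session and shows the login form; Lax keeps the session because the callback is a top-level GET navigation.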
Ok that got it to work. Both hm_session and hm_id are set to strict when I log in. So I manually set them to LAX and it worked. So let's check what should happen going forward:
- Fix the strict vs lax issue. I presume that's a bug in code?
- Update instructions for oauth/gmail (I don't know if this is gmail specific) for multiple accounts with the same service.
- How about setting the default value GMAIL_CLIENT_URI=http://localhost/?page=home because it seems the page=home part is important?
But the issue of Lax vs Strict has been fixed here https://github.com/cypht-org/cypht/pull/1021/files. Just make sure you have the very latest code.
Points 2 and 3 are fixed here https://github.com/cypht-org/cypht/pull/1036
> But the issue of Lax vs Strict has been fixed here #1021 (files). Just make sure you have the very latest code.
Ah you are right. I thought I had synced the branch, but did not. My bad.
> Points 2 and 3 are fixed here #1036
Cool. I'll use point 3 once it gets released.
Concerning the instructions I was referring to the wiki: https://github.com/cypht-org/cypht/wiki/OAUTH2-over-IMAP because that is where I was directed to get instructions for gmail setup.
Made updates to https://github.com/cypht-org/cypht/wiki/OAUTH2-over-IMAP as well
Great. One comment. It says "Each token corresponds to a specific user's permissions and account data."
But that's not the case. I got a single Auth token from Google. Then I was able to sign into multiple Gmail accounts with it.
Also I don't think there is an hm3.ini file anymore.
@jonocodes It is correct. There are 2 distinct things:
First you create an app, let's suppose a gmail app which will allow other gmail users to add their accounts. Gmail gives you client_id and client_secret for this step.
Next step users add their gmail accounts, they authorize the app you created to use their data and set some permissions. For that purpose gmail generates a token whenever you authorize the app to use data. That token will be used to get data, post data and other actions to gmail.
That is why I said "Each token corresponds to a specific user's permissions and account data."
Let's say you have a gmail account [email protected]
- Add it to Cypht and select all permissions
- Delete it
- Re-add it but select some permissions
Gmail will generate 2 tokens the first with all permissions and the second with specific permissions you chose.
Sorry for my english, hope I was clear.
The confusing part here is how to add two Gmail accounts to cypht. You only need a single client ID and secret from Google. And it is not tied to your Gmail address. The tokens are just a way of talking to Google, right? The token just has to be from Google and does not have to come from your Google account for that email address.
I am not sure if I am supposed to post a reply here or open a new issue. Please tell me if I'm wrong.
I am also using the docker image from https://hub.docker.com/r/jonocodes/cypht. I followed the instructions above. I click "enable" in Cypht, Google asks me to select an account and warns me that the app is not verified. When I click "continue", I receive a "Something went wrong. Sorry, something went wrong there. Please try again." error (https://accounts.google.com/info/unknownerror).
I don't know how to troubleshoot. The redirect URI is https://my.domain.tld/?page=home. It is added to the authorized redirect URLs in google developers.
Did you 'publish' your oauth app? I had to do something like that to make it live in google before I could use it.
> I don't know how to troubleshoot. The redirect URI is my.domain.tld/?page=home. It is added to the authorized redirect URLs in google developers.
Ok, it sounds like you set up your keys as described here: https://github.com/cypht-org/cypht/wiki/OAUTH2-over-IMAP
Could you perhaps include a screenshot of the error? Sometimes there is more detail, like a 400 code or something.
> Did you 'publish' your oauth app? I had to do something like that to make it live in google before I could use it.
I tried both. The error does not look the same; the effect is the same.
> Could you perhaps include a screenshot of the error? Sometimes there is more detail, like a 400 code or something.
The error does not show many details. This is with a testing (unpublished) app:
When the app is published, the screen is different but when I show Advanced and click Go to mydomain, something is wrong again.
@VVincentt can you confirm that this is only an issue with the docker image and does not happen when running cypht locally instead.
I have not tried to run it locally. I run all my services with Docker. It may be worth mentioning that the address my.domain.tld is resolved by a local DNS server in my network. This address is not accessible from the internet.
I believe that should be ok, considering I use http://localhost/?page=home in my setup.
This sounds like the issue is on the google side, not the cypht side. So for now I am going to presume this is not docker related. In which case @josaphatim may be of more help.
All these tests were done with Firefox, with a full suite of privacy extensions. I just tried with a naked Edge and I moved further. Google allows me to give some permissions. It then sends me back to Cypht where I need to login again but I receive an error 502 Bad Gateway from nginx at the address https://my.domain.tld/?page=home&state=nux_authorization&code=4/0AdLIrYdTGNb1AbpIRWS2xSJ8aP6-8wTKREN0_swudJGRzNut3e_5GIyGW4Qx7r-QEcE-ig&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts
I have tried many times and I managed to make it work with Edge. When going back from Google to Cypht, I need to refresh the page. With a second tab with Cypht open and logged in, it is easier. I can add my accounts in Edge, save and they appear in Firefox. I suppose all these extensions break some stuff sometimes.
Many thanks for your help and your prompt replies. I remain at your disposal, should you want to troubleshoot what happened in more detail.
Refreshing the page was making it work in all browsers. But I'm not sure if this fix https://github.com/cypht-org/cypht/pull/1021/files is included in @jonocodes Docker image