
Recommended Electron oauth2 flow is no longer valid.

Open minht11 opened this issue 2 years ago • 1 comments

From August 2022 the Google OAuth2 iOS key will no longer support localhost redirects; this was a recommended way for Electron apps to use this library and still is inside the docs.

Given the policy changes what is the new recommended alternative? Just publishing client secret inside the app code?

minht11 avatar May 09 '22 06:05 minht11

I am also wondering. I ended up with a backend server storing client_secret, but this is not a convenient solution and the library does not seem to support it out of the box. I would like to know:

  1. What is the security risk of exposing client_secret?
  2. If a server is recommended for storing client_secret and fetching the tokens, what is the best approach to combine it with this library?

komret avatar Jun 20 '22 18:06 komret

I've just faced the same problem, has anybody found a solution yet?

cronon avatar Nov 25 '22 14:11 cronon

We played it extra safe and created a backend authorization service so that we did not have to expose the client_secret, here's the implementation: https://github.com/trezor/trezor-suite/pull/5669. Super annoying, especially if you do not need a backend otherwise.

komret avatar Nov 25 '22 16:11 komret

Yeah, I've run into this problem recently too, and don't already have a backend. I'd much prefer to not have to create a whole server just for this, so an alternative recommendation would be great.

Theplayer592 avatar Aug 10 '23 03:08 Theplayer592

Hey folks - we're working on improving support for this library on Electron. For now I'll remove this confusing documentation.

Additionally, if you don't want to spin up a separate backend (understandable) you can use GIS's OAuth 2 implicit flow and use its access token for requests: https://developers.google.com/identity/oauth2/web/guides/use-token-model. It's a bit tricky to wire up with this library, but it is possible.

danielbankhead avatar Aug 31 '23 19:08 danielbankhead
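One way to do the wiring the comment above calls tricky, as an added example that is not from the issue thread or from google-auth-library itself: convert the TokenResponse the GIS token model hands to the token-client callback (access_token, expires_in in seconds, scope, token_type) into the Credentials shape that OAuth2Client.setCredentials() expects (expiry_date in milliseconds since the epoch), and check expiry and granted scopes before using it. The sample TokenResponse is constructed; the library call itself is shown commented out so the block runs without the dependency.

```javascript
// Added example: bridge a GIS token-model (implicit flow) TokenResponse into
// google-auth-library Credentials. No client_secret is involved anywhere here.

const EXPIRY_SKEW_MS = 60 * 1000; // treat tokens expiring within a minute as expired

function gisTokenToCredentials(tokenResponse, nowMs = Date.now()) {
  if (!tokenResponse || typeof tokenResponse.access_token !== 'string') {
    throw new Error('GIS TokenResponse without access_token');
  }
  const expiresIn = Number(tokenResponse.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error('GIS TokenResponse without a valid expires_in');
  }
  return {
    access_token: tokenResponse.access_token,
    token_type: tokenResponse.token_type || 'Bearer',
    scope: tokenResponse.scope,
    // GIS reports a relative lifetime in seconds; the library stores an absolute ms timestamp.
    expiry_date: nowMs + expiresIn * 1000,
    // Implicit-flow tokens carry no refresh_token: when this expires, re-run the GIS prompt.
  };
}

function credentialsExpired(creds, nowMs = Date.now()) {
  return typeof creds.expiry_date !== 'number' || creds.expiry_date - EXPIRY_SKEW_MS <= nowMs;
}

// GIS lets the user grant a subset of the requested scopes; refuse tokens that lack one.
function hasScopes(creds, required) {
  const granted = new Set((creds.scope || '').split(/\s+/).filter(Boolean));
  return required.every((s) => granted.has(s));
}

// Hand-off to the library (commented out so this block has no dependency):
// const { OAuth2Client } = require('google-auth-library');
// const client = new OAuth2Client();            // no client_id/client_secret needed for this use
// client.setCredentials(gisTokenToCredentials(tokenResponse));
// const res = await client.request({ url: SHEETS_API_URL }); // SHEETS_API_URL: your endpoint

// Constructed sample TokenResponse, shaped like what GIS passes to the token-client callback.
const sampleTokenResponse = {
  access_token: 'ya29.constructed-sample-token',
  expires_in: 3599,
  scope: 'https://www.googleapis.com/auth/spreadsheets.readonly',
  token_type: 'Bearer',
};
```

Because the token model yields no refresh_token, the app must call the GIS token client again when credentialsExpired() returns true rather than expecting the library to refresh silently.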

How do you get around Google's insistence on a JavaScript origin? Electron doesn't really have a URL.

Theplayer592 avatar Sep 01 '23 20:09 Theplayer592

Just as another use case which is not possible with the current limitations:

I'm working on @cpvalente's https://github.com/cpvalente/ontime to provide support for syncing with Google Sheets. Since it is an open-source (Electron) app, we cannot include a client secret (not even as a secret at build time, since it can be unpacked easily). Also, we can't require users to create their own Google Cloud project, set up API keys or OAuth and whatnot because that is just too complicated.

Electron doesn't really have a URL

Ontime can be used directly in the Electron UI or by pointing a browser to the web server it automatically hosts. Therefore, we do have a URL. However, users can configure the port and when accessing it externally, we don't know the IP in advance. Therefore, we can't set valid web origins in our cloud project...

hrueger avatar Sep 02 '23 11:09 hrueger

@danielbankhead Thanks for taking a look at this.

we're working on improving support for this library on Electron

Is there a separate issue tracking that (since this one is now closed)?

hrueger avatar Sep 07 '23 18:09 hrueger

Here's a public tracking issue:

  • https://github.com/googleapis/google-auth-library-nodejs/issues/1638

I've closed this via #1635 as outdated documentation was the original issue. In the meantime we're actively working on alternate runtime support.

danielbankhead avatar Sep 07 '23 20:09 danielbankhead