googleapis
Support 2FA for AuthorizedUserCredentials
Context: This is branching off from #579 and creating child issues for each unimplemented credential feature that was mentioned there. We may decide that this isn't needed, but we should have an issue open to track it regardless.
The Storage client library currently supports several OAuth2 credential types, one of which is AuthorizedUserCredentials. The current implementation does not handle the edge case in which a user is enrolled in 2FA -- in this scenario, a regular Refresh() call will fail with a reply informing us that a reauth proof token (RAPT) is required. The refresh flow in this case varies depending on the approved second factor auth'n methods and the environment in which the library is being used (i.e. whether you should launch a web browser, prompt on the command line (assuming it's an interactive session -- if not, there's not a clean way to proceed, so we recommend that you use service account creds instead of 2FA user creds), etc). After obtaining a RAPT, we'd need to store the RAPT in the credential object so that we could re-use it for the next Refresh() call... and if the program ran for longer than the RAPT token is good for, we'd also have to account for that case and fetch a new RAPT.
An example implementation of the necessary logic, written in Python, can be seen at https://github.com/google/google-reauth-python.
That being said, we strongly recommend using service account credentials with Cloud client libraries rather than user credentials, so this isn't very high priority (as mentioned in this comment).
