
How should authentication work?

Open dbarnett opened this issue 1 year ago • 2 comments

High-level tracking issue to collect together some context on auth issues from various issue reports and figure out the direction we want to go.

I've seen a few flavors of issues:

  • Setup is a pain in general (#572, #691)
  • Auth seems completely broken (#497, #580)
  • Frequently needing to reauthenticate (#628, #663)
  • Awkward remote server cases and concerns about "out-of-band flow" deprecation (#626)
  • Other corner cases (#650)

Overall I believe auth is generally functional again now that we've switched off of the deprecated oauth2client dep in #683, but only if you carefully follow the setup instructions from the README and don't trip over some huge gotchas.

dbarnett, Aug 23 '24 17:08

@insanum @michaelmhoffman can I get your input on known quirks in the existing auth setup, any context on how any existing Google project is set up, and LMK any bad assumptions I'm making above?

Do you know if the default auth is supposed to work somehow if you don't pass --client-id and --client-secret, or if it's indeed just broken?

dbarnett, Aug 23 '24 17:08

I checked and the similar gmailctl project that I use for Gmail integrations has the same manual setup process: https://github.com/mbrt/gmailctl/blob/69c24b795402ff895cc90262b3cbdebd501c8b53/cmd/gmailctl/localcred/local_provider.go#L21. I suspect that's the best option available. But still would be helpful to publish a doc about the howto & why for users.

dbarnett, Aug 25 '24 19:08

This is now much improved as of 4.4-pre, rolling over into 4.5 for the rest.

I'm almost positive there's no workable alternative to the self-service auth setup, which is the same as most other open source projects seem to be doing. #572 mentioned a PKCE mechanism, but I suspect that wouldn't work for "Testing" auth clients either, and I haven't confirmed yet but I suspect getting a "Production" client and sharing it with all users entails paying Google to give it high enough limits for all the users.

I created https://github.com/insanum/gcalcli/blob/HEAD/docs/api-auth.md with more explanations, moved some of the details from the README into there, and linked it from the app and README.

dbarnett, Aug 27 '24 19:08

K, overall status here is I'm pretty sure there's no good easy alternative to the auth setup we have now, but I forked off #759 to still keep an eye out for better options.

Still don't understand how PKCE would fit into this equation, asked for clarification on #572 but didn't get a response. If anyone knows, please follow up there...

And with that, I'm going to call this issue "Done". The current setup has some shortcomings, but I have an overall sense for how it can/should work, and so far nobody's volunteered any categorically better alternatives.

dbarnett, Sep 16 '24 21:09
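An added example, not gcalcli's code and not an answer the thread itself gives, of what the PKCE mechanism mentioned in the comments above (RFC 7636) actually does in the OAuth 2.0 authorization-code flow: the client generates a random code_verifier, sends its SHA-256 hash as code_challenge on the authorization request, and presents the verifier at the token exchange, so an authorization code intercepted on the loopback redirect is useless without the verifier. The standard-library code below builds both sides of that exchange and includes the state check that protects the loopback redirect. The client ID, redirect URI, scope and the "captured" redirect are placeholders constructed for the example; the endpoint URLs are Google's documented ones. Note that PKCE binds the code to the client instance in place of a client secret; it still sends a client_id, so it does not by itself remove the need for a registered OAuth client.

```python
"""PKCE (RFC 7636) pieces of the OAuth 2.0 authorization-code flow for an
installed app, standard library only. Added example, not gcalcli's code.
CLIENT_ID, REDIRECT_URI, SCOPE and the captured redirect are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's documented endpoints for the authorization-code flow.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Placeholder values (assumptions, not a real client registration).
CLIENT_ID = "123456789-example.apps.googleusercontent.com"
REDIRECT_URI = "http://127.0.0.1:8080/"  # loopback (RFC 8252) rather than the retired OOB flow
SCOPE = "https://www.googleapis.com/auth/calendar"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 section 4.1 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier of 43..128 chars; 32 random bytes encode to 43 chars."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_auth_url(challenge: str, state: str) -> str:
    """Authorization request the user opens in a browser; carries the challenge, never the verifier."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",  # request a refresh token as well
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the loopback redirect; reject errors and a bad state."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: possible CSRF or stale redirect")
    return query["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for TOKEN_ENDPOINT. The verifier, not a client secret, binds this exchange."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def server_side_check(stored_challenge: str, token_request: dict) -> bool:
    """What the authorization server does: recompute the challenge from the presented verifier."""
    presented = token_request.get("code_verifier", "")
    if not 43 <= len(presented) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(presented), stored_challenge)


def demo() -> bool:
    """Full round trip with a constructed redirect standing in for the browser callback."""
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    state = b64url(secrets.token_bytes(16))
    auth_url = build_auth_url(challenge, state)  # the URL the user would open
    assert auth_url.startswith(AUTH_ENDPOINT) and verifier not in auth_url
    # Constructed stand-in for the redirect the loopback listener would receive.
    redirect = f"{REDIRECT_URI}?{urlencode({'state': state, 'code': '4/0Aexample'})}"
    code = parse_redirect(redirect, state)
    good = server_side_check(challenge, build_token_request(code, verifier))
    # An attacker holding only the intercepted code cannot produce a matching verifier.
    bad = server_side_check(challenge, build_token_request(code, make_code_verifier()))
    return good and not bad


if __name__ == "__main__":
    print("pkce round trip ok" if demo() else "pkce round trip FAILED")
```

Running the module prints "pkce round trip ok"; in a real client the `redirect` would come from a one-shot HTTP listener on 127.0.0.1:8080 and the token request would be POSTed to `TOKEN_ENDPOINT`.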