cyberduck
CLI OAuth workflow never finishes with custom URI in redirect_url
Describe the bug
In the duck CLI, take a simple workflow such as duck -l googledrive:/.
The CLI opens a browser, which does the OAuth workflow.
Once authenticated, the expectation is that you either have the OAuth redirect to the CLI or some code shows in the browser that you can paste back into the CLI.
However, the OAuth redirect_url is set to open the Cyberduck app, and does not respect that the duck CLI originated the OAuth workflow.
To Reproduce
Steps to reproduce the behavior:
- Go to command-line
- Run duck -l googledrive:/
- Try to finish authentication workflow
Expected behavior
You expect the workflow to finish. Either the OAuth takes you back to CLI and CLI finishes auth, or you get instructions on how to manually finish the workflow.
Desktop (please complete the following information):
- macOS 12.4
- [Also checked] Linux Ubuntu 20.04
Logs with --debug: foo.log
This was missed in #13366.
Not sure how we should implement this, as manual copy & paste of authentication code [^1] is deprecated.
[^1]: Important: The manual copy/paste option, also referred to as an out of band (OOB) redirect method, is DEPRECATED and will be removed in October 2022. Review the OOB migration guide for instructions on how to migrate to a secure alternative. https://developers.google.com/identity/protocols/oauth2/native-app#manual-copypaste
From the migration guide, the most matching option seems to be a loopback IP address -- so Cyberduck temporarily listens on some localhost+port and that is given as the redirect_uri
https://developers.google.com/identity/protocols/oauth2/native-app#redirect-uri_loopback
Relates to #13476.
From the migration guide, the most matching option seems to be a loopback IP address -- so Cyberduck temporarily listens on some localhost+port and that is given as the redirect_uri
https://developers.google.com/identity/protocols/oauth2/native-app#redirect-uri_loopback
We don't currently have an implementation using a listener on the loopback address as it is prone to man-in-the-middle attacks. It is still feasible for desktop apps according to the documentation [^1]
[^1]: …but will continue to be supported on desktop apps.
You should be able to work with Cyberduck CLI by connecting first with Cyberduck and then use duck --username <email> -l googledrive:/.
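The loopback redirect discussed above, sketched as an added example that is not part of the thread and not Cyberduck's own code: the listener binds only to 127.0.0.1 on an OS-chosen port and accepts a callback only when it carries the state value this process generated, while the PKCE challenge (RFC 7636) makes an intercepted code unusable without the verifier. AUTH_ENDPOINT, CLIENT_ID and the LoopbackFlow class are placeholders assumed for illustration.

```python
import base64, hashlib, hmac, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example.invalid/authorize"  # placeholder, not a real provider
CLIENT_ID = "example-client-id"                           # placeholder

class LoopbackFlow:
    """One-shot listener on 127.0.0.1 for a single authorization response."""
    def __init__(self):
        self.state = secrets.token_urlsafe(32)     # binds the response to this request
        self.verifier = secrets.token_urlsafe(64)  # PKCE code_verifier, never leaves the CLI
        self.code = None
        flow = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                q = parse_qs(urlparse(self.path).query)
                got = q.get("state", [""])[0]
                # Constant-time comparison; a callback without our state is rejected.
                ok = hmac.compare_digest(got.encode(), flow.state.encode()) and "code" in q
                if ok:
                    flow.code = q["code"][0]
                self.send_response(200 if ok else 400)
                self.end_headers()
                self.wfile.write(b"You may close this window." if ok else b"Rejected.")

            def log_message(self, *args):  # keep authorization codes out of stderr
                pass

        # Port 0 lets the OS pick a free port; bind to the loopback IP, never 0.0.0.0.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.server.timeout = 120  # seconds before handle_request() gives up
        self.redirect_uri = f"http://127.0.0.1:{self.server.server_port}/"

    def authorization_url(self):
        digest = hashlib.sha256(self.verifier.encode()).digest()
        challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
        return AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": self.redirect_uri, "state": self.state,
            "code_challenge": challenge, "code_challenge_method": "S256"})

    def wait_for_code(self, max_requests=3):
        for _ in range(max_requests):  # serve a few requests at most
            if self.code:
                break
            self.server.handle_request()
        self.server.server_close()     # stop listening as soon as the flow ends
        return self.code
```

The returned code is then exchanged at the provider's token endpoint together with the verifier; that step depends on the provider and is not shown.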
Can it be done from another machine with the Cyberduck GUI? If we installed duck on a Unix system we can go for a walk with that workaround; it is useless in that case.
The problem occurs with OneDrive as well.
Also occurs with Dropbox (as mentioned in #14282). Seems like you can't really use the CLI on Linux for any service with an OAuth flow since there is no GUI for Linux.
Find attached [^1] a connection profile for Dropbox that can be used with Cyberduck CLI using
duck --profile ~/Downloads/Dropbox\ \(CLI\).cyberduckprofile --list dropbox:/
[^1]: Dropbox (CLI).cyberduckprofile.zip
- [ ] https://github.com/iterate-ch/profiles/pull/69
@dkocher, I appreciate your message, but I'm not sure how that is helpful. The OAuth client secret is blank in there (and kinda has to be since any secret you gave me would be to your account! :) ). And, you can't complete the OAuth flow to get the secret.
I guess if you use a GUI on a Windows machine with Cyberduck (non-CLI) installed and connect on there you can find the profile on the machine and copy the key from there. At that point, you can just take that whole profile though, right? Where could we find that on a Windows machine? Maybe I can just grab it from my Windows installation (I dual boot with Linux and Windows).
@dkocher, I appreciate your message, but I'm not sure how that is helpful. The OAuth client secret is blank in there…
The OAuth Authorization Code Flow implemented by Dropbox does not require a client secret and is therefore intentionally left blank in the profile.
Find attached [^1] a connection profile for Microsoft OneDrive that can be used with Cyberduck CLI using
duck --profile ~/Downloads/OneDrive\ \(CLI\).cyberduckprofile --list "onedrive:/My Files/"
[^1]: OneDrive (CLI).cyberduckprofile.zip
- [x] https://github.com/iterate-ch/profiles/pull/77
Make sure to use the --username parameter like --username dkocher\@iterate.ch to read saved tokens from the keychain or credentials manager.
Find attached [^1] a connection profile for Microsoft SharePoint that can be used with Cyberduck CLI using
duck --profile ~/Downloads/Microsoft\ SharePoint\ \(CLI\).cyberduckprofile --list "sharepoint:/"
[^1]: Microsoft SharePoint (CLI).cyberduckprofile.zip
- [x] https://github.com/iterate-ch/profiles/pull/77
Find attached [^1] a connection profile for Microsoft SharePoint that can be used with Cyberduck CLI using
duck --profile ~/Downloads/Microsoft\ SharePoint\ \(CLI\).cyberduckprofile --list "sharepoint:/"
@dkocher Is this an updated profile from the one posted previously?