From dc7e3ea1e3ae70088f6783a1726428ef6b6d12c7 Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood
Date: Fri, 18 Feb 2022 12:46:30 +0000
Subject: [PATCH] drive,gcs,googlephotos: disable OAuth OOB flow (copy a token) due to google deprecation

Before this change, rclone supported authorizing for remote systems by going to a URL and cutting and pasting a token from Google. This is known as the OAuth out-of-band (oob) flow.

This, while very convenient for users, has been shown to be insecure and has been deprecated by Google.

https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-oob

> OAuth out-of-band (OOB) is a legacy flow developed to support native
> clients which do not have a redirect URI like web apps to accept the
> credentials after a user approves an OAuth consent request. The OOB
> flow poses a remote phishing risk and clients must migrate to an
> alternative method to protect against this vulnerability. New
> clients will be unable to use this flow starting on Feb 28, 2022.

This change disables that flow, and forces the user to use the redirect URL flow. (This is the flow used already for local configs.)

In practice this will mean that instead of cutting and pasting a token for remote config, it will be necessary to run "rclone authorize" instead. This is how all the other OAuth backends work so it is a well tested code path.

Fixes #6000
---
 backend/drive/drive.go | 2 +-
 backend/googlecloudstorage/googlecloudstorage.go | 2 +-
 backend/googlephotos/googlephotos.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/drive/drive.go b/backend/drive/drive.go
index 798db047f..5aa1c02bb 100644
--- a/backend/drive/drive.go
+++ b/backend/drive/drive.go
@@ -84,7 +84,7 @@ var (
 Endpoint: google.Endpoint,
 ClientID: rcloneClientID,
 ClientSecret: obscure.MustReveal(rcloneEncryptedClientSecret),
- RedirectURL: oauthutil.TitleBarRedirectURL,
+ RedirectURL: oauthutil.RedirectURL,
 }
 _mimeTypeToExtensionDuplicates = map[string]string{
 "application/x-vnd.oasis.opendocument.presentation": ".odp",
diff --git a/backend/googlecloudstorage/googlecloudstorage.go b/backend/googlecloudstorage/googlecloudstorage.go
index fca84b57d..a838d2350 100644
--- a/backend/googlecloudstorage/googlecloudstorage.go
+++ b/backend/googlecloudstorage/googlecloudstorage.go
@@ -65,7 +65,7 @@ var (
 Endpoint: google.Endpoint,
 ClientID: rcloneClientID,
 ClientSecret: obscure.MustReveal(rcloneEncryptedClientSecret),
- RedirectURL: oauthutil.TitleBarRedirectURL,
+ RedirectURL: oauthutil.RedirectURL,
 }
 )
diff --git a/backend/googlephotos/googlephotos.go b/backend/googlephotos/googlephotos.go
index 7a07356be..cb9fda888 100644
--- a/backend/googlephotos/googlephotos.go
+++ b/backend/googlephotos/googlephotos.go
@@ -69,7 +69,7 @@ var (
 Endpoint: google.Endpoint,
 ClientID: rcloneClientID,
 ClientSecret: obscure.MustReveal(rcloneEncryptedClientSecret),
- RedirectURL: oauthutil.TitleBarRedirectURL,
+ RedirectURL: oauthutil.RedirectURL,
 }
 )
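Review bot: The swap to `oauthutil.RedirectURL` on the added line of the drive.go hunk carries its rationale only in the commit message, so a later reader of the oauth2.Config literal sees an arbitrary constant change and could reinstate `TitleBarRedirectURL` to bring back the convenient copy-a-token prompt. Suggest a why-comment directly above the changed line, `// Not TitleBarRedirectURL: Google disallows the OAuth OOB (copy a token) flow from 2022-02-28 as a phishing risk; remote config must use "rclone authorize".`, and the same comment in the googlecloudstorage.go and googlephotos.go hunks, which make the identical change. Presumably oauthutil still exports TitleBarRedirectURL for other backends; if no remaining caller needs it, a `// Deprecated:` line on that constant would keep it from being reused, but that file is outside this patch. The enclosing `var (` block starts before each hunk and, in drive.go, continues past it.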