Skip to content

gdrive backend relies on soon-to-be-deprecated OOB flow

I have:

  • ([x] when completed)
  • searched https://gitlab.com/duplicity/duplicity/-/issues for similar issues. If you find a similar issue and the issue is still open, add a comment to the existing issue instead of opening a new one. If you find a Closed issue that seems like it is the same thing that you're experiencing, open a new issue and include a link to the original issue in the body of your new one.
  • searched https://bugs.launchpad.net/duplicity for similar issues. If you find a similar issue, open a new issue on here and include a link to the original issue in the body of your new one.
  • tested that this issue still occurs on the latest stable snap (install instructions: https://snapcraft.io/duplicity), please include the snap version (snap info duplicity | grep installed) output: installed: x.xx.xx (xx)
  • ideally, tested that this issue still occurs on the latest edge snap, if you can test without risking your data. Please include the snap version output: installed: x.xx.xx (xx)

Summary

The gdrive backend currently uses the "out of band" flow for authorization to Google OAuth. This path is being deprecated, as described in this blog post https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html and the follow on page https://developers.google.com/identity/protocols/oauth2/resources/oob-migration This will start to fail on October 3, 2022 You can tell that this is using oob, because the oauth URL contains &redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob (note the "oob" at the end)

Environment

(OS and Version) Ubuntu 22.04.1 LTS

(duplicity --version) duplicity 0.8.21

(command line used) duplicity collection-status gdrive://MYUSERID.apps.googleusercontent.com/mandy_backup/home/pfr?myDriveFolderID=root

Steps to reproduce

Any first usage of a gdrive client will generate an oauth URL that starts with https://accounts.google.com/o/oauth2/auth?response_type=code&

What is the current bug behaviour?

Uses deprecated OOB flow

What is the expected correct behaviour?

Should use an internal loopback with http server listening

Relevant logs and/or screenshots

n/a

Possible fixes

Relevant code from google-auth-oauthlib to deprecate, but will require implementation that runs a local server. https://github.com/googleapis/google-auth-library-python-oauthlib/pull/175