-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Google will revoke Gmvault access March 31, 2019 #335
Comments
nice. remove our ability to archive our emails to help protect it 😂 |
I’m hoping this can worked around by replacing an api token somewhere in the source and/or requiring users to register their own app with google. It’s not ideal but it’s easy enough and free for our level of usage I would guess. I looked a little in the code but I’m on mobile so I’ll have to look later when I’m on my laptop. |
see gmvault/src/gmv/credential_utils.py Lines 38 to 58 in ee915c2
|
@tofurky Wow, I was in the file and even scrolled over but didn’t scroll far enough to see the “default values”. I even dug in gmvaul_utils a little after that before I gave up on my phone lol. That gives me hope that we can work around this, potentially, if I’m scanning that code right, with just a config/defaults file? |
I am interested in whatever solution is ultimately reached here. |
Would somebody please find a procedure for users to get their own token, and post the steps required? Then each person doesn't have to figure it out separately. |
I started generating new credentials and this was interesting. I'm guessing this the option that gmvault uses:
I'm still reading but:
This looks like a realistic option for us if option 3 is ever removed. I think it will be but I also think we have more time. Right now we can focus on getting to to work past March 31st. |
The client_id and secret are in |
Ok this should be as easy as replacing 2 lines in you config (~/.gmvault/gmvault_defaults.conf)
Those last 2 lines are what we are going to need to change. I generated 2 new ones but it will only allow for 100 "Sensitive logins" unless my "app" is approved. I don't really want to be the one responsible for this going forward and maybe it's best instead of publishing new keys we write a guide on how to generate your own? It literally takes less than 5 minutes. |
Note: I already had an account setup, I just had to create a new "Project" so I don't know how long it would take for someone who had never used the google API console or if they will have to setup billing info (My account does have billing on file). |
falling back to generating an app password and using that is an option. i think that should bypass any of the oauth stuff.
see https://support.google.com/accounts/answer/185833?hl=en for details on app passwords. |
@tofurky Yeah, I saw that mentioned in a different issue. That might be the easier long-term solution. I wish github made it easy to see if any of the 200+ forks on this saw any real development. I'd switch to a fork of this if I knew there was at least some housekeeping going on. |
Procedure to get yourself a new client ID & secret:
Repeat this last step for all other Gmail accounts you are backing up using Gmvault on this particular computer, or the last 3 steps on other computers. (No need to create multiple clientIDs & secrets to backup multiple accounts or for multiple installs.) Someone pointed out that:
|
There is a "Submit for verification" beside the "save" button. Not sure if that speeds up the process at all... |
Questions:
|
I'm confused: why is there a need to work around it instead of getting the current key reviewed once and for all? gmvault doesn't move user data to a cloud storage or anything where the data of multiple users gets centralized, so it should be straightforward, no? |
I successfully created App credentials with @gboudreau 's great instructions above. |
Daneroo - did you get confirmation that you won't have access issues or will you have to wait until after March 31st? Thanks |
Not sure @dan20047 ,
|
@joshstrange and others interested, here is a list of forks with a last commit date in 2017 and later. Now you can search for ones with the most current development. Anything useful should preferably be merged back here if possible. 2019: https://github.com/Anmol-Singh-Jaggi/gmvault 2018: https://github.com/fossabot/gmvault 2017: https://github.com/andriusadamonis/gmvault |
Answers re: the consent screen/verification here: https://support.google.com/cloud/answer/7454865 In brief:
EDIT: Well, now that I actually try the login, I get the same "Sign in with Google temporarily disabled" screen some have reported despite not being anywhere close to the 100 new user cap. Looking at the URL and then the file, looks like gmvault is reverting the changes to $HOME/.gmvault/gmvault_defaults.conf and putting its own app keys back in. I guess this is the known issue at #245 and #273 and some of you may be running the beta version as I am on 1.9.1. @gboudreau @daneroo you may want to check if your changes to the conf file actually did stick or you perhaps just reauthed using the standard gmvault keys (client_id=1070918343777-0eecradokiu8i77qfo8e3stbi0mkrtog.apps.googleusercontent.com). |
In regards to the issue with |
@dygordon Yes, my changes did stick. But while I am using version 1.9.1 of gmvault, my .conf shows 1.9 (because it was created when I was running 1.9 I would guess), so like @seanlane pointed out, that seems to prevent the overwriting problem from happening. I'll add that to the guide I posted above. |
I overlooked a critical step at first; I needed to move or delete the old oauth2 token and repeat the sign-in process. I'm using the docker image from https://hub.docker.com/r/aubertg/gmvault-docker so for me the process was:
|
Followed @gboudreau instructions for new client ID and secret. Google's Oauth2 endpoint: Had to remove the old Oauth2 token and generate a new one (similar to @yesrod). Might want to update instructions to include the generation of new tokens. |
Just used @gboudreau instructions and worked perfectly. They've been updated with the feedback from the successive comments so the instructions are comprehensive. |
Thank you @gboudreau, could you please clarify what the name should be:
|
I'm writing this in case anyone is wondering if Gmvault is still working. I have just performed auth credentials update as per #335 (comment) and all emails are syncing without issue. Thanks again for this great tool! |
Procedure to set-up works fine :
But it stops working after a while (10 days or so, or maybe a number use, I've no clue.) Can someone help on how to fix or troubleshoot this. I'm really stuck. |
This works indeed, but it stops working after a while (10 days or so, or maybe a number use, I've no clue.) I get "http error 400 or 401". Anyone some expertise on this ? Or a way to troubleshoot ? PS : In the meantime, current workaround is recreating the token each time again. |
@mimijojo I updated my instructions above with more details, since the flow changed since I wrote that. |
Thanks, I'll redo the procedure and hope it won't expire anymore... |
I can confirm the authorization seems to have expired after 7 days. The app I gave access to using the gmvault OAuth process was simply gone from https://myaccount.google.com/permissions |
My token was also revoked after +/- 7 days. I was about to try recreating the token one more time following your instructions even more accurately. According to what you just wrote, this won't help unfortunately. |
In the Google developer console, under the OAuth consent screen section (https://console.developers.google.com/apis/credentials/consent) my GMVault project had somehow been switch from "Testing" status to "Production" status. Once I switched it back to "Testing" status and added my email to the "Test users" list GMVault started working for me again. |
Ref: https://developers.google.com/identity/protocols/oauth2#expiration So sadly, until someone can have Google verify their OAuth Consent screen, refresh tokens obtained using gmvault will always expire after 7 days, unless you were lucky enough to already have a "In production" app in your Google developer console before they added this limit, or you are using Google Workspace (and want to backup only domain users). When the refresh token expires, you just need to run |
Refreshing with "gmvault check --renew-oauth2-tok your_email_address@gmail.com" works indeed ! Only solution is to schedule this manual process once a week... Rather tricky, as my goal was to run this gmvault backup |
Thank you for the guide. I follow it and successfully backup my emails. |
The git repo has not seen any commit since 2016. It is insecure: gaubert/gmvault#330 Login is mostly broken: gaubert/gmvault#335
This should be pinned so it's easier for newcomers to find. This information is extremely important, but requires some digging right now in order to be found. |
@matthewhelmke It looks like Got-Your-Back also requires you to create a test project. Does it have this issue as well now? |
@DavidBerdik Got-Your-Back is still working for me. I haven't touched my script that calls it in ages, but it runs without error regularly and spot checks of the backup are successful. |
@matthewhelmke Awesome! Thanks! I experimented with moving to Got-Your-Back over the weekend, but I prefer GMvault over it. Fortunately, I've found a way to work around the renewal revocation issue: if you submit the app for verification but don't fill out the necessary forms to actually be formally verified, your project gets put in a state in which it is only available to users that are specified as test users, but since you are also not in test mode anymore, the 7-day expiration no longer happens. |
@DavidBerdik How to send for verification ? In the OAuth Consent screen does not have submit for verification button or similar ? Is it to publish app ? Sorry, novice here. |
I have followed the steps but after I paste the verification code, I have the error return as below : Error: Problems when trying to connect to Google oauth2 endpoint: https://accounts.google.com/o/oauth2/token. === Exception traceback === === End of Exception traceback === |
@dlmv123 I'm not a computer at the moment so I can't check exactly what it is called, but it's somewhere in the Google Console that you use to set up the application. I believe it's under the OAuth credentials page. |
(this is a little late... but for anyone else) I have just successfully completed the process of connecting GMvault... |
I was excited to find this information, and was following the instructions using a Windows install of GMvault...until I tried my first sync, and got a Google error that reads:
Following the error details link gets you here: https://developers.google.com/identity/protocols/oauth2/resources/oob-migration I'm not a dev and may be misunderstanding, but it looks to me like GMVault is now broken unless there's a code update to use a new API...but also now requires a web server to be running on the machine running GMVault for the authorization to complete. Is that correct?? |
@MysticCobra Google deprecated the out-of-band OAuth flow on October 3. Here are the instructions you need to follow to work around it: #361 (comment) |
I have been in a loop of failure, still getting an error after entering this command:
I get this error after having entered the token:
Anybody got this error? Thanks a lot! |
FYI, I just received this email. I've been using Gmvault for a few years assuming it was abandoned, since there have been no commits since 2016, but thought I would create this issue anyway, just in case...
The text was updated successfully, but these errors were encountered: