Migrate your OAuth out-of-band flow to an alternative method.
Google has announced that it will block the use of OOB-based OAuth starting January 31, 2023. This forces developers to migrate away from the OOB flow; otherwise every non-compliant authorization request will be rejected with an invalid_request error when loading Google's OAuth 2.0 authorization endpoint. This blog details how the OOB flow works and the options for migrating away from it.
What is the OOB flow?
OAuth out-of-band (OOB), also referred to as the manual copy/paste option, is a legacy flow developed to support native clients that do not have a redirect URI at which to accept the credentials after a user approves an OAuth consent request. The OOB flow poses a remote phishing risk, and clients must migrate to an alternative method to protect against this vulnerability.
An OOB request to Google's OAuth authorization endpoint uses a redirect_uri parameter with one of the following values:
redirect_uri=urn:ietf:wg:oauth:2.0:oob
redirect_uri=urn:ietf:wg:oauth:2.0:oob:auto
redirect_uri=oob
Methods to move away from OOB flow
Method 1: Providing a redirect_uri
- Go to the Google Cloud console and create a new client_id (since February 28, 2022, OOB clients can no longer be created).
- Provide a redirect_uri that is a public URL to which the authorization code will be sent after Google authorization, and make sure your app handles that request. That's it.
- If you are using OOB to authorize only one specific user and only need to perform the authorization once, you can provide "http://localhost:3000" (or any local path) as the redirect_uri. Once Google authorization is done it sends the authorization code back to that local path, so the code can be copied from the URL and used to generate the access token, refresh token, etc.
Method 2: Use a Google App password (for single-user authentication; this is not an OAuth flow)
- Go to Manage your Google Account for the account you need to access via the app
- Select the Security tab
- Scroll down to '2-Step Verification' and set it up if it is not already enabled
- After 2-Step Verification is enabled, a new option, 'App passwords', is unlocked; go ahead and create a password for the Google service you want
- You will receive a new password, which can be copied and used in the app along with the username (your email)
- Google removed the 'Less secure apps' option on May 30, 2022, so this is the only way to access your Google services via a custom app
Rails examples for the above methods
Method 1
One of our Rails apps uses gmail_cli, so here is an example of how to fix the above issue for that app.
gmail_cli provides an OAuth helper that handles the Google authorization. Make sure to provide a redirect_uri, because the default value is one of the OOB links mentioned above.
gmail_cli = GmailCli::Oauth2Helper.new({
  client_id: <client_id>,
  client_secret: <client_secret>,
  redirect_uri: "http://localhost:3000" # override the OOB default
})
gmail_cli.authorize!
This generates a link that brings you to the authorization page of your Google account. Once that is done, the page is redirected to
http://localhost:3000/?code=<code>&scope=https://mail.google.com/
From this URL we can extract the code and provide it at the gmail_cli prompt.
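As an added example (not code from the original post or from the gmail_cli gem), the following Ruby builds the Method 1 authorization URL with the loopback redirect_uri, refuses the three OOB values listed above so the misconfiguration fails in the app rather than on Google's consent page, and extracts the code from the URL the browser lands on. The state parameter and the https://accounts.google.com/o/oauth2/v2/auth endpoint are standard OAuth/Google values not mentioned in the post; the client_id, code and URLs in the demo are constructed.

```ruby
require "uri"
require "cgi"
require "securerandom"

# The three legacy redirect_uri values that identify an OOB request; Google
# rejects these with invalid_request after January 31, 2023.
OOB_REDIRECT_URIS = %w[urn:ietf:wg:oauth:2.0:oob urn:ietf:wg:oauth:2.0:oob:auto oob].freeze

def oob_redirect_uri?(redirect_uri)
  OOB_REDIRECT_URIS.include?(redirect_uri.to_s.strip)
end

# Builds the Method 1 authorization URL. It fails fast on an OOB redirect_uri
# so the misconfiguration surfaces in the app, not on Google's consent page.
# The state value is echoed back in the redirect and lets us tie the returned
# code to the request we actually started (standard OAuth CSRF protection).
def build_auth_url(client_id:, redirect_uri:, scope:, state:)
  raise ArgumentError, "OOB redirect_uri #{redirect_uri.inspect} is blocked" if oob_redirect_uri?(redirect_uri)
  params = {
    "client_id"     => client_id,
    "redirect_uri"  => redirect_uri,      # e.g. http://localhost:3000
    "response_type" => "code",
    "scope"         => scope,
    "access_type"   => "offline",         # ask for a refresh_token as well
    "state"         => state
  }
  "https://accounts.google.com/o/oauth2/v2/auth?" + URI.encode_www_form(params)
end

# Parses the URL the browser lands on after consent, e.g.
#   http://localhost:3000/?code=<code>&scope=https://mail.google.com/&state=<state>
# and returns the authorization code, but only if state matches what we issued.
def extract_code(redirect_url, expected_state:)
  params = CGI.parse(URI.parse(redirect_url).query.to_s).transform_values(&:first)
  raise "authorization failed: #{params['error']}" if params["error"]
  raise "state mismatch: redirect does not belong to our request" unless params["state"] == expected_state
  code = params["code"]
  raise "no authorization code in redirect URL" if code.nil? || code.empty?
  code
end

# Demo with constructed values (no real client_id or code).
state = SecureRandom.hex(16)
puts build_auth_url(client_id: "<client_id>", redirect_uri: "http://localhost:3000",
                    scope: "https://mail.google.com/", state: state)
landing = "http://localhost:3000/?code=4%2FdemoCode&scope=https%3A%2F%2Fmail.google.com%2F&state=#{state}"
puts "code: #{extract_code(landing, expected_state: state)}"
```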
gmail_cli uses this code to obtain:
- access_token
- refresh_token
- username
We can use the refresh token to get new access tokens, which we then use for the Gmail APIs:
gmail_cli = GmailCli::Oauth2Helper.new({
  refresh_token: <refresh_token>,
  client_id: <client_id>,
  client_secret: <client_secret>,
  redirect_uri: "http://localhost:3000"
})
gmail_cli.refresh_access_token! # returns a new access_token
For simple API operations on your Gmail account we use the gmail gem. To connect to the Gmail account, simply use:
gmail = Gmail.connect(:xoauth2, <username>, <access_token>)
The gmail object can now be used to perform various Gmail operations.
Method 2
Implementing Method 2 is much easier once you have set up an app password. Here we again use the gmail gem, but instead of an access_token we pass the app password.
gmail = Gmail.connect(<username>, <password>)
Conclusion
To summarise, we discussed how to solve the "OAuth out-of-band (OOB) flow will be deprecated" error and also looked at code samples to fix this for a Rails application.