public/openhab-addons
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Replace deprecated Google OAuth OOB flow (#12602)

Browse Source 
This replaces the deprecated OOB OAuth flow used in the Nest Binding and Google STT/TTS add-ons.

Instead they will now use https://www.google.com as redirect_uri.
The instructions in the README and config descriptions have been updated for this change.

See: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-oob

Fixes #12455

Signed-off-by: Wouter Born <github@maindrain.net>
This commit is contained in:
Wouter Born
2022-04-12 22:39:10 +02:00
committed by GitHub
parent a868111a54
commit abc786c6a2
13 changed files with 54 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
bundles/org.openhab.binding.nest/README.md
View File

@@ -67,8 +67,9 @@ Now an OAuth 2.0 client is created and configured for using the SDM API by the b
1. Create a new client on the "Credentials" page ([APIs & Services > Credentials](https://console.cloud.google.com/apis/credentials)):
1. Click the "Create Credentials" button at the top of the page
1. Choose "OAuth client ID"
1. As "Application type" choose "TVs and Limited Input devices"
1. As "Application type" choose "Web application"
1. Give it a name so you can remember what it is used for (e.g. `Nest Binding SDM`)
1. Add "https://www.google.com" to the "Authorized redirect URIs"
1. Click "Create" to create the client
1. Copy and save the generated **Client ID** (e.g. `1046297811237-3f5sj4ccfubit0fum027ral82jgffsd1.apps.googleusercontent.com`) and **Client Secret** (e.g. `726kcU-d1W4RXxEJA79oZ0oG`) somewhere
1. Configure the SDM project to use the created client:
@@ -88,19 +89,19 @@ Finally, an SDM Account Thing can be created to access the SDM project using the
1. Create an authorization code for the binding:
1. Replace the **Project ID** and **Client ID** in the URL below with your SDM Project ID and SDM OAuth 2.0 Client ID and open the URL in a new browser tab:
`https://nestservices.google.com/partnerconnections/<ProjectID>/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&prompt=consent&client_id=<ClientID>&response_type=code&scope=https://www.googleapis.com/auth/sdm.service`
`https://nestservices.google.com/partnerconnections/<ProjectID>/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<ClientID>`
For the example values used so far this is:
`https://nestservices.google.com/partnerconnections/585de72e-968c-435c-b16a-31d1d3f76833/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&prompt=consent&client_id=1046297811237-3f5sj4ccfubit0fum027ral82jgffsd1.apps.googleusercontent.com&response_type=code&scope=https://www.googleapis.com/auth/sdm.service`
`https://nestservices.google.com/partnerconnections/585de72e-968c-435c-b16a-31d1d3f76833/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=1046297811237-3f5sj4ccfubit0fum027ral82jgffsd1.apps.googleusercontent.com`
1. Enable all the permissions you want to use with the binding and click "Next" to continue
1. Login using your Google account when prompted
1. On the "Google hasn't verified this app" page, click on "Advanced"
1. Then click on "Go to ... (advanced)"
1. Now "Allow" the SDM permissions and confirm your choices again by clicking "Allow"
1. Next the "Sign in" page will show the **Authorization Code**
1. After your browser has been redirected to https://www.google.com, the **Authorization Code** will be set in the browser URL as value of the "code" URL query parameter
1. Copy/paste the **Authorization Code** to the SDM group parameter in the openHAB Nest SDM Account Thing configuration
1. All required SDM Account Thing configuration parameters have now been entered so create it by clicking "Create Thing".
1. All required SDM Account Thing configuration parameters have now been entered so create it by clicking "Create Thing"
The SDM Account Thing should now be ONLINE and have as status description "Using periodic refresh".
It should also be possible to use the configured account to discover your Nest devices via the Inbox.
@@ -134,8 +135,9 @@ Next an OAuth 2.0 client is created which is used to create a Pub/Sub subscripti
1. Open the "Credentials" page ([APIs & Services > Credentials](https://console.cloud.google.com/apis/credentials)):
1. Click the "Create Credentials" button at the top of the page
1. Choose "OAuth client ID"
1. As "Application type" choose "TVs and Limited Input devices"
1. As "Application type" choose "Web application"
1. Give it a name so you can remember what it is used for (e.g. `Nest Binding Pub/Sub`)
1. Add "https://www.google.com" to the "Authorized redirect URIs"
1. Click "Create" to create the client
1. Copy and save the generated **Client ID** (e.g. `1046297811237-lg27h26kln6r1nbg54jpg6nfjg6h4b3n.apps.googleusercontent.com`) and **Client Secret** (e.g. `1-k78-XcHhp_gdZF-I6JaIHp`) somewhere
@@ -151,18 +153,18 @@ Finally, the existing SDM Account Thing can be updated so it can subscribe to SD
1. Create an authorization code for the binding:
1. Replace the **Client ID** in the URL below with your Pub/Sub OAuth 2.0 Client ID and open the URL in a new browser tab:
`https://accounts.google.com/o/oauth2/auth?client_id=<ClientID>&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=https://www.googleapis.com/auth/pubsub`
`https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<ClientID>`
For the example client this is:
`https://accounts.google.com/o/oauth2/auth?client_id=1046297811237-lg27h26kln6r1nbg54jpg6nfjg6h4b3n.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=https://www.googleapis.com/auth/pubsub`
`https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=1046297811237-lg27h26kln6r1nbg54jpg6nfjg6h4b3n.apps.googleusercontent.com`
1. Login using your Google account when prompted
1. On the "Google hasn't verified this app" page, click on "Advanced"
1. Then click on "Go to ... (advanced)"
1. Now "Allow" the Pub/Sub permissions and confirm your choices again by clicking "Allow"
1. Next the "Sign in" page will show the **Authorization Code**
1. After your browser has been redirected to https://www.google.com, the **Authorization Code** will be set in the browser URL as value of the "code" URL query parameter
1. Copy/paste the **Authorization Code** to the Pub/Sub group parameter in the openHAB Nest SDM Account Thing configuration
1. All required Pub/Sub Account Thing configuration parameters have now been entered so click "Save" to update the SDM Account Thing configuration.
1. All required Pub/Sub Account Thing configuration parameters have now been entered so click "Save" to update the SDM Account Thing configuration
The SDM Account Thing should now be ONLINE and have as status description "Using periodic refresh and Pub/Sub".

16
bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/PubSubAPI.java
View File

@@ -86,13 +86,13 @@ public class PubSubAPI {
if (pullResponse != null && pullResponse.receivedMessages != null) {
logger.debug("Subscription '{}' has {} new message(s)", subscriptionId,
pullResponse.receivedMessages.size());
forEachListener((listener) -> pullResponse.receivedMessages
.forEach((message) -> listener.onMessage(message.message)));
forEachListener(listener -> pullResponse.receivedMessages
.forEach(message -> listener.onMessage(message.message)));
List<String> ackIds = pullResponse.receivedMessages.stream().map(message -> message.ackId)
.collect(Collectors.toList());
acknowledgeSubscriptionMessages(subscriptionId, ackIds);
} else {
forEachListener((listener) -> listener.onNoNewMessages());
forEachListener(PubSubSubscriptionListener::onNoNewMessages);
}
scheduler.submit(this);
@@ -100,15 +100,15 @@ public class PubSubAPI {
logger.debug("Expected exception while pulling message for '{}' subscription", subscriptionId, e);
Throwable cause = e.getCause();
if (!(cause instanceof InterruptedException)) {
forEachListener((listener) -> listener.onError(e));
forEachListener(listener -> listener.onError(e));
scheduler.schedule(this, RETRY_TIMEOUT.toNanos(), TimeUnit.NANOSECONDS);
}
} catch (InvalidPubSubAccessTokenException e) {
logger.warn("Cannot pull messages for '{}' subscription (access token invalid)", subscriptionId, e);
forEachListener((listener) -> listener.onError(e));
forEachListener(listener -> listener.onError(e));
} catch (Exception e) {
logger.warn("Unexpected exception while pulling message for '{}' subscription", subscriptionId, e);
forEachListener((listener) -> listener.onError(e));
forEachListener(listener -> listener.onError(e));
scheduler.schedule(this, RETRY_TIMEOUT.toNanos(), TimeUnit.NANOSECONDS);
}
}
@@ -125,7 +125,7 @@ public class PubSubAPI {
private static final String AUTH_URL = "https://accounts.google.com/o/oauth2/auth";
private static final String TOKEN_URL = "https://accounts.google.com/o/oauth2/token";
private static final String REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";
private static final String REDIRECT_URI = "https://www.google.com";
private static final String PUBSUB_HANDLE_FORMAT = "%s.pubsub";
private static final String PUBSUB_SCOPE = "https://www.googleapis.com/auth/pubsub";
@@ -203,7 +203,7 @@ public class PubSubAPI {
listeners.remove(listener);
if (listeners.isEmpty()) {
subscriptionListeners.remove(subscriptionId);
scheduler.getQueue().removeIf((runnable) -> runnable instanceof Subscriber
scheduler.getQueue().removeIf(runnable -> runnable instanceof Subscriber
&& ((Subscriber) runnable).subscriptionId.equals(subscriptionId));
}
}

8
bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/SDMAPI.java
View File

@@ -68,7 +68,7 @@ public class SDMAPI {
private static final String AUTH_URL = "https://accounts.google.com/o/oauth2/auth";
private static final String TOKEN_URL = "https://accounts.google.com/o/oauth2/token";
private static final String REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";
private static final String REDIRECT_URI = "https://www.google.com";
private static final String SDM_HANDLE_FORMAT = "%s.sdm";
private static final String SDM_SCOPE = "https://www.googleapis.com/auth/sdm.service";
@@ -163,7 +163,7 @@ public class SDMAPI {
ContentResponse contentResponse = request.send();
logResponseErrors(contentResponse);
logger.debug("Retrieved camera image from: {}", url);
requestListeners.forEach(listener -> listener.onSuccess());
requestListeners.forEach(SDMAPIRequestListener::onSuccess);
return contentResponse.getContent();
} catch (ExecutionException | InterruptedException | TimeoutException e) {
logger.debug("Failed to get camera image", e);
@@ -302,7 +302,7 @@ public class SDMAPI {
logResponseErrors(contentResponse);
String response = contentResponse.getContentAsString();
logger.debug("Response: {}", response);
requestListeners.forEach(listener -> listener.onSuccess());
requestListeners.forEach(SDMAPIRequestListener::onSuccess);
return response;
} catch (ExecutionException | InterruptedException | IOException | TimeoutException e) {
logger.debug("Failed to send JSON GET request", e);
@@ -327,7 +327,7 @@ public class SDMAPI {
logResponseErrors(contentResponse);
String response = contentResponse.getContentAsString();
logger.debug("Response: {}", response);
requestListeners.forEach(listener -> listener.onSuccess());
requestListeners.forEach(SDMAPIRequestListener::onSuccess);
return response;
} catch (ExecutionException | InterruptedException | IOException | TimeoutException e) {
logger.debug("Failed to send JSON POST request", e);

4
bundles/org.openhab.binding.nest/src/main/resources/OH-INF/config/sdm-config.xml
View File

@@ -29,7 +29,7 @@
</parameter>
<parameter name="sdmAuthorizationCode" type="text" groupName="sdm">
<label>Authorization Code</label>
<description><![CDATA[The one time authorization code used to retrieve the refresh and access token used with the SDM API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://nestservices.google.com/partnerconnections/{{ProjectID}}/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&prompt=consent&client_id={{ClientID}}&response_type=code&scope=https://www.googleapis.com/auth/sdm.service]]></description>
<description><![CDATA[The one time authorization code used to retrieve the refresh and access token used with the SDM API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://nestservices.google.com/partnerconnections/{{ProjectID}}/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{ClientID}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.]]></description>
</parameter>
<parameter name="pubsubProjectId" type="text" groupName="pubsub">
@@ -51,7 +51,7 @@
</parameter>
<parameter name="pubsubAuthorizationCode" type="text" groupName="pubsub">
<label>Authorization Code</label>
<description><![CDATA[The one time authorization code used to retrieve the refresh and access token used with the Pub/Sub API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://accounts.google.com/o/oauth2/auth?client_id={{ClientID}}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=https://www.googleapis.com/auth/pubsub]]></description>
<description><![CDATA[The one time authorization code used to retrieve the refresh and access token used with the Pub/Sub API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{ClientID}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.]]></description>
</parameter>
</config-description>

4
bundles/org.openhab.binding.nest/src/main/resources/OH-INF/i18n/nest.properties
View File

@@ -35,7 +35,7 @@ thing-type.config.nest.sdm_account.group.pubsub.description = The parameters use
thing-type.config.nest.sdm_account.group.sdm.label = SDM
thing-type.config.nest.sdm_account.group.sdm.description = The parameters used when communicating with the SDM API
thing-type.config.nest.sdm_account.pubsubAuthorizationCode.label = Authorization Code
thing-type.config.nest.sdm_account.pubsubAuthorizationCode.description = The one time authorization code used to retrieve the refresh and access token used with the Pub/Sub API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://accounts.google.com/o/oauth2/auth?client_id={{ClientID}}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=https://www.googleapis.com/auth/pubsub
thing-type.config.nest.sdm_account.pubsubAuthorizationCode.description = The one time authorization code used to retrieve the refresh and access token used with the Pub/Sub API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{ClientID}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.
thing-type.config.nest.sdm_account.pubsubClientId.label = Client ID
thing-type.config.nest.sdm_account.pubsubClientId.description = Identifies the OAuth 2.0 client used for accessing the Pub/Sub subscription
thing-type.config.nest.sdm_account.pubsubClientSecret.label = Client Secret
@@ -45,7 +45,7 @@ thing-type.config.nest.sdm_account.pubsubProjectId.description = Identifies the
thing-type.config.nest.sdm_account.pubsubSubscriptionId.label = Subscription ID
thing-type.config.nest.sdm_account.pubsubSubscriptionId.description = Identifies the subscription that is created for subscribing to SDM Pub/Sub events
thing-type.config.nest.sdm_account.sdmAuthorizationCode.label = Authorization Code
thing-type.config.nest.sdm_account.sdmAuthorizationCode.description = The one time authorization code used to retrieve the refresh and access token used with the SDM API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://nestservices.google.com/partnerconnections/{{ProjectID}}/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&prompt=consent&client_id={{ClientID}}&response_type=code&scope=https://www.googleapis.com/auth/sdm.service
thing-type.config.nest.sdm_account.sdmAuthorizationCode.description = The one time authorization code used to retrieve the refresh and access token used with the SDM API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://nestservices.google.com/partnerconnections/{{ProjectID}}/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{ClientID}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.
thing-type.config.nest.sdm_account.sdmClientId.label = Client ID
thing-type.config.nest.sdm_account.sdmClientId.description = Identifies the OAuth 2.0 client used for accessing the SDM project
thing-type.config.nest.sdm_account.sdmClientSecret.label = Client Secret