Server: Google Drive: new security protection

Created on 20 Jul 2017 · 11Comments · Source: nextcloud/server

Hello,

Google has changed their security to protect users against 'unverified apps'.
https://gsuite-developers.googleblog.com/2017/07/new-security-protections-to-reduce-risk.html

The problem is, every user who is using Google Drive in Nextcloud is creating an 'unverified app'.
https://docs.nextcloud.com/server/12/admin_manual/configuration_files/external_storage/google.html
When you create a new project it is already under this new rules and you can't connect your account (1).

As described in the article this feature will be soon affecting already existing projects and the whole Google Drive integration will stop working in Nextcloud.

The main problem about this is, that a normal user is not able to verify this app since you need to proof that you control the domain and a lot more. Which means a normal user can't use Google Drive in the future.

Greetings,
MrKrabat

(1) It is possible to allow unverified apps with joining this Google Group https://groups.google.com/forum/#!forum/risky-access-by-unreviewed-apps
It's obviously dangerous for your account. Currently it is possible to leave the group after connecting GDrive with Nextcloud.

bug external storage technical debt

Source

MrKrabat

Most helpful comment

Please don't remove Google Drive functionality. It's still useful for G Suite users. From https://support.google.com/code/contact/oauth_app_verification:

Apps that are going to be used only by users within your G Suite organization
You should not be seeing the unverified app screen. See this FAQ for more details.

I've just set up Google Drive in my Nextcloud instance, and it doesn't show the unverified app consent screen.

yan12125 on 20 Sep 2017

👍6

All 11 comments

mmm so that would probably mean that we should rip out google drive of files_external...

rullzer on 22 Jul 2017

👎3

mmm so that would probably mean that we should rip out google drive of files_external...

Once we do this following tickets will be obsolete too: #99, #4028, #5748,

MorrisJobke on 14 Aug 2017

👎1

Please don't remove Google Drive functionality. It's still useful for G Suite users. From https://support.google.com/code/contact/oauth_app_verification:

Apps that are going to be used only by users within your G Suite organization
You should not be seeing the unverified app screen. See this FAQ for more details.

I've just set up Google Drive in my Nextcloud instance, and it doesn't show the unverified app consent screen.

yan12125 on 20 Sep 2017

👍6

The screen actually looks like this:
nextcloud
If you press the link at the bottom, google will allow you to proceed but opens an input box and want that you enter "Weiter" (german for continue) to confirm.
(like in the gif-animation in the google blog entry)

This new "feature" still exists, but this input box is a nicer way to skip this.

MrKrabat on 21 Sep 2017

@MorrisJobke: Once we do this following tickets will be obsolete too: #99, #4028, #5748,

I don't hope so

gvmura on 9 Oct 2017

@icewind1991 Mind to do the same app for Google drive as for Dropbox?

MorrisJobke on 23 Oct 2017

The main problem about this is, that a normal user is not able to verify this app since you need to proof that you control the domain and a lot more. Which means a normal user can't use Google Drive in the future.

In my opinion, the user shouldn't have to care about the app credentials anyways. An admin should create an app, go through the verification process, configure the app credentials globaly for all users. (see #2861) Then the user only has to allow this app access to his account to use this feature.

seimsel on 1 Nov 2017

I have turned the "allow unsafe apps" feature off and on again and get the infamous
Google_Auth_Exception: Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }'.
message.
it seems to me that the refresh token is out of date.
https://stackoverflow.com/questions/35878859/google-oauth2-error-refreshing-the-oauth2-token-message-error-invalid
how can I update the refresh token in nextcoud???