How should authentication work?

[dbarnett]

High-level tracking issue to collect together some context on auth issues from various issue reports and figure out the direction we want to go.

I've seen a few flavors of issues:

• Setup is a pain in general (Initial setup is long. #572, Improve experience when gcalcli is missing auth #691)
• Auth seems completely broken (Sign in with Google temporarily disabled for this app #497, App is blocked by Google #580)
• Frequently needing to reauthenticate (I have renew the token every 7 days #628, Hourly authentication "The authentication flow has completed."  #663)
• Awkward remote server cases and concerns about "out-of-band flow" deprecation (you may lose access to apps that are using less secure sign-in technology (OOB flow) #626)
• Other corner cases (Same account on multiple devices cause app block  #650)

Overall I believe auth is generally functional again now that we've switched off of the deprecated oauth2client dep in #683, but only if you carefully follow the setup instructions from the README and don't trip over some huge gotchas.

[dbarnett]

@insanum @michaelmhoffman can I get your input on known quirks in the existing auth setup, any context on how any existing Google project is set up, and LMK any bad assumptions I'm making above?

Do you know if the default auth is supposed to work somehow if you don't pass --client-id and --client-secret, or if it's indeed just broken?

[dbarnett]

I checked and the similar gmailctl project that I use for Gmail integrations has the same manual setup process: https://github.com/mbrt/gmailctl/blob/69c24b795402ff895cc90262b3cbdebd501c8b53/cmd/gmailctl/localcred/local_provider.go#L21. I suspect that's the best option available. But still would be helpful to publish a doc about the howto & why for users.

[dbarnett]

This is now much improved as of 4.4-pre, rolling over into 4.5 for the rest.

I'm almost positive there's no workable alternative to the self-service auth setup, which is the same as most other open source projects seem to be doing. #572 mentioned a PKCE mechanism, but I suspect that wouldn't work for "Testing" auth clients either, and I haven't confirmed yet but I suspect getting a "Production" client and sharing it with all users entails paying Google to give it high enough limits for all the users.

I created https://github.com/insanum/gcalcli/blob/HEAD/docs/api-auth.md with more explanations, moved some of the details from the README into there, and linked it from the app and README.

[dbarnett]

K, overall status here is I'm pretty sure there's no good easy alternative to the auth setup we have now, but I forked off #759 to still keep an eye out for better options.

Still don't understand how PKCE would fit into this equation, asked for clarification on #572 but didn't get a response. If anyone knows, please follow up there...

And with that, I'm going to call this issue "Done". The current setup has some shortcomings, but have an overall sense for how it can/should work, and so far nobody's volunteered any categorically better alternatives.