Error: invalid_scope from oauth2 #260
Comments
I've just had 2 people trying to use purple-hangouts report the same thing. There's probably a new scope needing to be requested :s
Changing scope in hangups/auth.py to https://www.googleapis.com/auth/plus.login gets you the token, but KeyError: 'SAPISID' happens. Apparently we need 3 scopes according to this: https://developers.google.com/+/hangouts/running
This didn't work for me with purple-hangouts, but mentioning it for the sake of documenting what was tried, the android app requests these scopes to
Specifically, it fails at I guess I need an iOS device to figure this one out.
Forgot to mention, out of those scopes, the last two are rejected as
The second one is recognized by the error page as The
Hi!
It looks like this is an issue for third party Hangout clients:
Might be related to this announcement: One possible workaround is to revert to the old pre-OAuth login method (simulating a browser login):
I tried logging into Hangouts for iOS while running mitmproxy, but Google blocks this now (probably certificate pinning). It did capture this one response which contains some OAuth details:
Apparently you CAN request that scope to
@tdryer i tried your url in a browser, inspected calls but i can't find a code
is there any update on this one? Was this issue root cause? Any workaround?
@tdryer Is there a way to check Web Hangouts instead? Perhaps that'd be easier.
Can it be something related to the client ID and secrets?
Same issue here as posted by @BartGarciaNathan, for the last 6 days as of 2016.09.07. [Pidgin 2.10.9; pidgin-hangouts 1.0; purple-hangouts 1.0]
@tdryer It will disable ssl certificate validation allowing you to MiTM and inspect traffic.
I haven't had a chance to work on this. If anyone is interested in helping out, I'd suggest trying to update the old pre-OAuth login method:
Got a workaround here! Using one of the urls linked above, you can get to a I've made a video explaining how to get it: https://www.youtube.com/watch?v=hlDhp-eNLMU It's 41 secs long, no sound, with annotations. Used chrome but firefox is pretty much the same thing. The programmatic_auth url: Text version:
@dequis Wow, this indeed works. Thanks!
Where do I put the code once I got it?
Copy and use it... Where?
In the same place where you'd put the code after clicking the url that throws the invalid_scope error. I'm being rather generic here because I don't use hangups, but purple-hangouts. The method is pretty much the same for any client that displays the url. If you're using a hangups derivative that doesn't ask for the code after displaying the url, but uses an embedded browser, ask the devs of that project for help. In the case of yakyak
Thank you good sir.
@danhimalplanet care to share how! I'm trying to do the same thing, I can't figure out where to paste the oauth code into? I'm guessing it's one of the xmls.
…sitory Google recently broke the previous login method, which involved logging in using a browser and copying an authorization code to hangups. This change implements a new login method to emulate a browser submitting login credentials, providing access to the authorization code via a cookie. See tdryer#260.
@dequis Interestingly the token I get with this workaround doesn't show up at https://myaccount.google.com/security#connectedapps. It looks like a security incident at Google's end, since it's impossible to revoke the token.
@leni536 "Recently used devices", shows up as iOS
@dequis Oh, I see! One can revoke access there. What's confusing is that at https://myaccount.google.com/dashboard after unfolding "account" it shows up next to "Connected applications and sites" as "iOS Account Manager", but clicking on "Connected applications and sites" at the top doesn't list it at all (it still lists other apps like "Thunderbird" that support OAuth2 too).
Judging from a quick glance this method "steals" the oauth token of an iOS hangouts client? That is... kinda malicious. I strongly suggest you stop this or at the very least point out to users that this is actually not how it is supposed to work and how to revert it. NOBODY knows what permissions exactly are connected to this oauth token and it cannot be revoked using the usual methods. This undermines the whole oauth-system and "workarounds" like this familiarize users with similar shady methods which can be exploited by blackhats in the future.
@t-animal I suggest you find a replacement before you suggest to stop using this current method.
@avaidyam It's a matter of priorities and I don't think you should blindly tell users who probably don't know what they're doing how to grant access to their google account with unknown risks. I guess you know why the oauth-system is superior to the username/password-system and this method undermines it completely. It's basically the same as activating "allow less secure apps" in the google account settings and authorizing via username/password -- except then the user at least has the ability to revoke access at any time using the designated methods.
Right, I'm not denying that. The issue is that the framework doesn't work unless you have a particular API token and there is no workaround. So if you'd like to use a third party Hangouts thing, you'll have to go with this.
No, there are two differences:
Funny enough, we're having this discussion in the repo of the hangups implementation, which does ask the user for the password and simulates a browser. Heh. They have it easy because it's python and you can just import fancy libraries to simulate a browser.
No, that also authorizes other password based login methods (POP3, SMTP, XMPP). SMTP is a common target for bruteforcing. It really is less secure.
You do not know that, because you do not know what permissions are granted using this oauth token.
"That" being what? You can't retrieve a password having only a token. Google encrypts them like every service with at least a tiny bit of self-respect.
You don't know what you can do or not do with this token or might be able to do in the future. It's certainly plausible that it allows you to manage hangouts, alright. But it could authorize who-knows-what else. That is only one side of the coin, though. The bigger problem is that you actively teach users to undermine their security. Have you ever opened your browser's console on facebook? They do warn their users there not to paste anything, exactly because malicious people tell users to do so. And you legitimize this by what you're doing. The least you (and anyone using your library) should do is inform your users so that they know what they're doing, what consequences it has, how to undo it and why they should generally not trust someone trying to get access to their google account in such a manner.
Giving hangups your password grants it unrestricted access to your Google Account. The documentation does explain how to revoke access, but I'll consider adding some kind of other warning.
@jusplainmike It should not go into The path may differ with your OS; to find the correct path, you can run:

```python
from os.path import join
from appdirs import AppDirs
print(join(AppDirs('hangups', 'hangups').user_cache_dir, 'refresh_token.txt'))
```

Or provide your own path with Note: everyone who has access to
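The warning in the comment above, that anyone with access to the refresh token file effectively holds the account credential, is the part worth acting on. The snippet below is an added example, not code from hangups or from anyone in this thread: it derives the default token path the same way the comment does (via appdirs, when that package is installed) and then checks and tightens the file's permission bits so that only the owning user can read or write it. The names `token_file_exposure`, `harden_token_file` and `demo_with_temp_file` are chosen here, and the demo works on a temporary file it creates itself rather than on a real token.

```python
import os
import stat
import tempfile

TOKEN_FILENAME = "refresh_token.txt"  # file name used in the comment above


def default_token_path():
    """Default hangups token path, derived as in the comment above (via appdirs).

    Returns None when appdirs is not installed so the rest still runs offline.
    """
    try:
        from appdirs import AppDirs
    except ImportError:
        return None
    return os.path.join(AppDirs("hangups", "hangups").user_cache_dir, TOKEN_FILENAME)


def token_file_exposure(path):
    """Permission bits on `path` that grant access to group or other users.

    0 means only the owner can read or write the refresh token.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def harden_token_file(path):
    """Restrict the token file to owner read/write (mode 0600); return the new mode.

    A refresh token is a long-lived credential: any local user who can read the
    file can obtain access tokens for the account, so group/other bits must be off.
    """
    if token_file_exposure(path):
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_with_temp_file():
    """Constructed scenario: a token file left world-readable (0644), then hardened.

    Returns (exposure_before, mode_after, exposure_after).
    """
    fd, path = tempfile.mkstemp(prefix="refresh_token_demo_")
    os.close(fd)
    try:
        os.chmod(path, 0o644)  # simulate a carelessly created token file
        before = token_file_exposure(path)
        mode_after = harden_token_file(path)
        after = token_file_exposure(path)
    finally:
        os.remove(path)
    return before, mode_after, after


if __name__ == "__main__":
    print("default token path:", default_token_path() or "<appdirs not installed>")
    print("demo (exposure before, mode after, exposure after):",
          tuple(oct(v) for v in demo_with_temp_file()))
```

Run it once after the first login to confirm the token file is not readable by other local accounts; on a shared machine a 0644 token file is the same as leaving the password in a world-readable text file.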
Hey, I just installed Hangups and when trying to set it up, when I try to open the webpage url given by hangups I get this message:

```
400. That's an error
Error: invalid_scope
Request Details
scope=https://www.google.com/accounts/OAuthLogin
response_type=code
redirect_uri=urn:ietf:wg:oauth:2.0:oob
client_id=936475272427.apps.googleusercontent.com
```

The recently used devices list by google does not show anything 'new' that could be hangouts. Am I doing something wrong? Do you need any other info?
I am running Linux 4.1.31-1-MANJARO
Any help will be much appreciated