Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate your OAuth out-of-band flow to an alternative method #272

Open
VDP07 opened this issue May 4, 2022 · 25 comments
Open

Migrate your OAuth out-of-band flow to an alternative method #272

VDP07 opened this issue May 4, 2022 · 25 comments

Comments

@VDP07
Copy link

VDP07 commented May 4, 2022

Hi,
I've got email with the above title and say that this assistant relay will be effected by this. Any suggestion on this matter?
@olealm
Copy link

olealm commented May 7, 2022

Same here.
Hope we won't lose the Google broadcast functionality. It is so much better than usual tts, in that it just pauses whatever is going on the actual speaker..

@wmichael3
Copy link

Me too. I know you aren't supporting this any more, but certainly we'd appreciate either a fix or being pointed to how to fix ourselves or some replacement option. If I Google how to use Google Broadcasts, all I see is this option over and over.

@ackfool
Copy link

ackfool commented Jun 9, 2022

Anyone have an update they can share? Worried this will bomb out in a few months and leave everyone stranded

@wmichael3
Copy link

Also concerned here. Have figured out I can replace this with Node Red - but can't seem to get the voice I want. Would prefer to stay with this which has worked perfectly.

@ryancasler
Copy link
Contributor

What version are you currently running? The latest version uses an Oauth2 method for authentication which should still be good from what I am reading online. I know I didn't receive such a message for my Assistant Relay instance and I don't see any warnings at all when I look at the project in the Cloud Console.

@wmichael3
Copy link

I am on v3.3.2b according to the About page. Is there something newer than this?

@ryancasler
Copy link
Contributor

That's odd. When you set it up originally, what "client" did you pick when you set up your oauth authentication? If you selected "other" that might be why you're getting the message. I selected "Desktop". "Other" isn't an allowable choice anymore when setting up Oauth2 with Google.

@ackfool
Copy link

ackfool commented Jul 5, 2022

This is the issue i see. The Google side isn't documented properly for the assistant requirements. You're pointed to a Google instruction page and i had problems following this last year as I've never created a project. Lots of YouTube and Google searches to get it up and running... And not stop after a week

@wmichael3
Copy link

I last set this up last December when I moved it to a new server - I can't exactly recall all of the options but when I go to the Credentials page it lists it as of type "Web Application." It is also trying to get me to complete an OAuth Consent Screen that I don't remember before - something has changed. That screen wants me to select "External" where it says it will only run in Testing Mode - it says that "Internal" is only for Google Workspace users. Color me confused.

@ryancasler
Copy link
Contributor

When you go to the Oauth Consent Screen page, linked to on the left hand menu under Credentials, all you have to enter is your app name and your email address. Since you are the only one using your app, you are the only one who is ever going to see the consent screen. And the fact that the app is unverified only really matters to folks who are distributing their apps to the public. Do you care that your app is unverified? Of course not. So, you can put it into production with the warning that the app is unverified without a problem. If you were distributing the app to the public this would be bad (I would never approve an app I didn't write that was unverified) but you're not sending your app to the public.
Once you do that you have to move your app to production. I will go through and create a whole new project from start and grab all the screenshots since the screens have changed quite a bit since the last time I grabbed them. I will let you know what I will let you know if I am able to find the correct settings you need to avoid the expiration of those older Oauth2 methods. Won't have time for a couple days, so stay tuned.

@ackfool
Copy link

ackfool commented Jul 6, 2022

That would be extremely helpful. Thanks so much

@ryancasler
Copy link
Contributor

ryancasler commented Jul 6, 2022
edited
Loading

I have created a PDF that should walk you through it step by step. If you have trouble, let me know:
https://github.com/ryancasler/assistant-relay/blob/master/Create%20Cloud%20Proejct.pdf

(Also, I think I've hidden all my personal info but if you see any, please let me know that too.)

@vanyacooper
Copy link

As long as you are updating the security information there is one thing you might want to add that I did not originally understand when setting it up. That is the security is only between Assistant Relay and Google. ANYONE with access to port 3000 on the system where Assistant Relay is running can execute arbitrary commands for any of the authorized users in Google Assistant such as making calls, sending/reading email, etc. So it is very important not to allow public access to that port.

@ryancasler
Copy link
Contributor

Yes, absolutely. You do not want to leave Assistant Relay public facing. No port forwarding or the like. All requests should come from other devices on your LAN. Mine come from my Hubitat.

@wmichael3
Copy link

wmichael3 commented Jul 7, 2022 via email

@oywino
Copy link

oywino commented Aug 3, 2022

Also concerned here. Have figured out I can replace this with Node Red - but can't seem to get the voice I want. Would prefer to stay with this which has worked perfectly.

Sorry to butt in - could you please elaborate on how you made this work using NodeRed?

@wmichael3
Copy link

wmichael3 commented Aug 3, 2022 via email

@ackfool
Copy link

ackfool commented Aug 12, 2022

I have created a PDF that should walk you through it step by step. If you have trouble, let me know: https://github.com/ryancasler/assistant-relay/blob/master/Create%20Cloud%20Proejct.pdf

(Also, I think I've hidden all my personal info but if you see any, please let me know that too.)

Thank you so much. Finally got the time to do this and seems to work!. Take care

mcmoe added a commit to mcmoe/assistant-relay that referenced this issue Aug 19, 2022
@mcmoe
Quick fix for OAuth2 OOB deprecation - provide explicit callback and …
166dd79 
…respond to user with token

* see greghesp#272)
* see https://developers.google.com/identity/protocols/oauth2/resources/oob-migration
* IMPORTANT: Make sure your credentials have the property `"redirect_uris":["http://your-relay-server-hostname:your-relay-server-port/auth/callback"]}`
@ackfool
Copy link

ackfool commented Aug 27, 2022 via email

@wmichael3
Copy link

wmichael3 commented Aug 27, 2022 via email

@ackfool
Copy link

ackfool commented Aug 27, 2022 via email

@ryancasler
Copy link
Contributor

ryancasler commented Sep 9, 2022
edited
Loading

From what I have read, as long as your redirect URL doesn't use "localhost" your OAUTH flow should not be affected. I removed my old OAUTH files from my project in the console and everything is still working. I wasn't sure that everything was going to work correctly but it turned out that the problem I was having was with the Oauth json file. It seems that once you use that file to activate one user, you can't use it to activate another. You would have to download another copy of the JSON file. As long as this is working for other folks, I will re-publish that fix that I removed.

I think I have a method that will work to get this running without any code changes at all. And it has to do with how you create your Oauth Client. Instead of choosing Desktop, choose "Web Application". You will then be presented with a screen to add your redirect URI. Simply enter https:.//www.example.com and click create. This will create a json file for you to download that will not use localhost as the redirect URI, so it should still work.

186997622-8561a331-eec3-47d3-aee2-733c15be6146
Once you go to add your user using that JSON file, you will eventually get
to an example.com page where the address will contain a code:
186997821-f7c68aae-fddf-4136-be53-1708a686b309
(don't worry, that's not the real one, I subbed in a lot of fake
characters)
just copy everything after "code=" to "&scope". So, mine would be:
4/0AdQt8q474dfdydghdsdbdbtRrzq0QC_lObsRrsdwa4yXIssdfvxkgF8zHrvrtyrrhdyz4EumCwwett433g
Use that to enter the code into GAR to authorize the user.

I used this method a while ago and everything is still working so far.

@ackfool
Copy link

ackfool commented Sep 9, 2022 via email

@ryancasler
Copy link
Contributor

It is now after Oct 3rd, and it is still working. So, we should be good. PHEW!

@wmichael3
Copy link

wmichael3 commented Oct 11, 2022 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@oywino @ackfool @ryancasler @vanyacooper @olealm @wmichael3 @VDP07