
Fix login by implementing oauth2 #23

Open: wants to merge 10 commits into base: master

dheerajbhaskar

Hi guys, this is still a wip.

What has been done so far?

I'm using this article

  1. Add permissions to your manifest and upload your app.
  2. Copy key in the installed manifest.json to your source manifest, so that your application ID will stay constant during development.
  3. Get an OAuth2 client ID for your Chrome App.
  4. Update your manifest to include the client ID and scopes.
  5. Get the authentication token. (I'm working on this right now)

Help I need

  1. What scopes are required for this app?
  2. Where is the login button code in the existing app (just putting it out there; I'm sure I can figure this one out)

PS: I'd need help from you guys later to identify which of these keys I need to revoke now that they're public.
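
An added example, not part of the original post or of this pull request's code: once step 5 returns a token, Google's tokeninfo endpoint reports the client ID the token was issued to and the scopes it carries, which can be compared with what the manifest requests. The client ID, manifest fragment and tokeninfo reply are constructed sample values, and `auditToken` and `checkLiveToken` are hypothetical helper names.

```javascript
// Added example (not code from this pull request).
// Constructed manifest fragment; the client_id is a placeholder.
const manifest = {
  oauth2: {
    client_id: "1234567890-example.apps.googleusercontent.com",
    scopes: ["https://www.googleapis.com/auth/userinfo.email"]
  }
};

// Constructed reply in the shape returned by
// https://www.googleapis.com/oauth2/v3/tokeninfo
const sampleTokenInfo = {
  aud: "1234567890-example.apps.googleusercontent.com",
  scope: "https://www.googleapis.com/auth/userinfo.email " +
         "https://www.googleapis.com/auth/drive",
  expires_in: "3540"
};

// Compare what the manifest asks for with what the token actually carries.
function auditToken(manifest, info) {
  const requested = new Set(manifest.oauth2.scopes);
  const granted = new Set((info.scope || "").split(/\s+/).filter(Boolean));
  return {
    audienceOk: info.aud === manifest.oauth2.client_id, // issued to this app?
    expired: !(Number(info.expires_in) > 0),
    missing: [...requested].filter(s => !granted.has(s)),
    excess: [...granted].filter(s => !requested.has(s))  // broader than needed
  };
}

// Runs only inside the extension: fetch a token, then introspect it.
function checkLiveToken(callback) {
  chrome.identity.getAuthToken({ interactive: true }, token => {
    if (chrome.runtime.lastError || !token) {
      return callback(chrome.runtime.lastError || new Error("no token"));
    }
    fetch("https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=" +
          encodeURIComponent(token))
      .then(r => r.json())
      .then(info => callback(null, auditToken(chrome.runtime.getManifest(), info)))
      .catch(callback);
  });
}

// Outside a browser (e.g. Node), run the audit on the constructed sample.
if (typeof chrome === "undefined") console.log(auditToken(manifest, sampleTokenInfo));
```

This reports only what Google's OAuth2 service says about the token; it does not show whether any particular endpoint will accept it.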

@dheerajbhaskar
Author

update 1:

  • I've found the code for the login button in options.js . Working on it.
  • I've also updated the first comment in this thread with work done so far

@dheerajbhaskar
Author

update 2: login working and token is showing up for google drive. We don't want Google drive, now, do we :)
Picking something from the Google play side. Let me check what's there.

@dheerajbhaskar
Author

Help I need

  1. What scopes are required for this app?
  2. Where is the login button code in the existing app (just putting it out there; I'm sure I can figure this one out)

Now we need to figure out what scopes are needed. And perhaps a few details about refresh tokens, etc.

@dheerajbhaskar
Author

Oauth2 playground might be a good resource for people looking at this pull request:
https://developers.google.com/oauthplayground/

@dheerajbhaskar
Author

To give context, this is regarding issue #22.

@dheerajbhaskar
Author

@Lekensteyn @Rob--W I would need a little help here, I'm a little lost on how to test if the token we've received is sufficient (as in, will it work). Is there a simple (even hackish) way for me to test that, rather than fiddle with code all over the place?

@dheerajbhaskar
Author

The evozi addon asks for your GSF id, how come we don't need it?

@dheerajbhaskar
Author

Shouldn't a button show up when we're on any app on playstore? It isn't showing up. Have I missed setting something in the code?

@Rob--W
Collaborator

Rob--W commented Jul 15, 2015

@dheerajbhaskar Does your patch already provide the desired functionality?

To test, just use the APK downloader on any app in the Play store.

@dheerajbhaskar
Author

@Rob--W The desired functionality was to get the extension working given that the ClientLogin endpoint has been shut down. I thought oauth2 was a good way to go. The oauth2 flow has been integrated up to getting the token. I don't know how to use the token to make an APK download happen.

Also, the token has access to your email and a few basic details; I don't know if that's sufficient or if a higher access level is needed.

I'm also unable to see the download APK button on play store app details pages. Am I missing something?

PS: Perhaps, we should also explore app specific passwords. Might be a quicker fix, just thinking out loud.

@Lekensteyn
Owner

App-specific passwords is what I have been using so far, but it is only an authentication mechanism. The ClientLogin API will disappear, but I don't know if OAuth can replace this yet.

@dheerajbhaskar
Author

Yes, now I understand - app specific passwords are the mechanism and the
clientlogin is the api.

In the docs for clientlogin, it was suggested that one move to oauth2.

Right now I'm getting an invalid token error while downloading. To fix this,
I'm thinking of adding all possible scopes to the manifest and seeing if it
works then. If it works, great; then we need to find a minimum set which
works. Else, oauth2 doesn't cut it yet or we need moar scopes! :)

Do you have any other ideas to go about this?

On Thu, Jul 16, 2015 at 5:36 PM, Peter Wu [email protected] wrote:

> App-specific passwords is what I have been using so far, but it is only an
> authentication mechanism. The ClientLogin API will disappear, but I don't
> know if OAuth can replace this yet.



@cyberdudedk

Any news on this? Seems it's been a few months now, and no news? :(

@dheerajbhaskar
Author

I remember that it was not working even with oauth. For the apk downloading
endpoint, somewhere along the flow, it needed username password if I recall
correctly. I tried replacing it with username token, then username refresh
token. I tried a lot of other things, couldn't get it to work.

I found a python script for which the clientlogin endpoint was still
working so, using that now.

The clientlogin endpoint seems to be only deprecated for apps.

On Sun, Dec 20, 2015 at 9:11 PM cyberdudedk [email protected]
wrote:

> Any news on this? Seems it's been a few months now, and no news? :(



--- Disclaimer --- The information in this mail is confidential and is
intended solely for addressee. Access to this mail by anyone else is
unauthorised. Copying or further distribution beyond the original recipient
may be unlawful. Any opinion expressed in this mail is that of sender and
does not necessarily reflect that of OSW Technologies Pvt Ltd.---

@Lekensteyn
Owner

@cyberdudedk Progress has stalled, not enough time/interest I'm afraid.

@dheerajbhaskar What is that Python script you are referring to?

@dheerajbhaskar
Author

Peter, here's the python script. https://github.com/egirault/googleplay-api
This worked on my PC.

On Mon, Dec 21, 2015 at 10:58 PM Peter Wu [email protected] wrote:

> @cyberdudedk https://github.com/cyberdudedk Progress has stalled, not
> enough time/interest I'm afraid.
>
> @dheerajbhaskar https://github.com/dheerajbhaskar What is that Python
> script you are referring to?



@thomas3217

How is this coming? I have the same issue.

@dheerajbhaskar
Author

Does anyone know what the fix is? I can implement if someone can help.

Oauth is new to me, if someone can help me there we can work further down
that path.

On Wed 10 Feb, 2016, 8:48 PM Tom Harmon [email protected] wrote:

> how is this coming? I have the same issue.



@IMAN4K

IMAN4K commented Mar 3, 2017

@dheerajbhaskar
Oh! Finally found someone who is familiar with this big issue!
It seems ClientLogin AND c2dm are still working, because this desktop APK downloader is still operational, and that means the android.clients.google.com server is alive.
CL was supposed to be deprecated in 2012 and c2dm also in 2015, but they're still working.
If we're going to use OAuth we need the clientID that should be taken from the developer console: https://console.developers.google.com/
But there is no Google play store API scope for that :(
And it makes us stuck in our new open source project!
So I'm ready to hear your ideas about this.
Can we contact Google play directly for this ?

@dheerajbhaskar
Author

Hey I'd be happy to work on this if there's a workaround. I couldn't check out the racoon 4 link because it's broken, can you repost please?

Google play customer support, which I think you're planning on contacting, might not help because I think we're taking advantage of an undocumented api. We can however talk to them about the login part though. Good thinking :-)

Would you mind talking to them about this? You can loop me in if you want some help with that though.

@IMAN4K

IMAN4K commented Mar 3, 2017

Should work: https://github.com/onyxbits/raccoon4
Ok we don't tell them directly ;)
Could you please give me the right page url for customer support

@dheerajbhaskar
Author

@IMAN4K I'm not sure where to contact for login, perhaps google play developer support? Here's the link for that: https://support.google.com/googleplay/android-developer/?hl=en#topic=15868

@Walkman100

Walkman100 commented Aug 10, 2017

Just thought I'd put this here, Yalp Store works: https://f-droid.org/packages/com.github.yeriomin.yalpstore/
GitHub repo: https://github.com/yeriomin/YalpStore
Although I don't know enough about android apps and what this repo needs to dig into this, maybe it could help others as it's a viable solution if you have an Android device.
