How to fix "OAuth out-of-band (OOB) flow will be deprecated" error for Google apps API access.

Mathew Thomas 17 Jan 2023

Migrate your OAuth out-of-band flow to an alternative method.

Google has announced that they will block the usage of OOB based OAuth starting from January 31, 2023. This has forced developers to migrate from OOB flow, or else all non-compliant authorization requests will be blocked with an invalid_request error when loading Google’s OAuth 2.0 authorization endpoint. This blog details how OOB flow works and options on how to migrate from it

What is the OOB flow

OAuth out-of-band (OOB), also referred to as the manual copy/paste option, is a legacy flow developed to support native clients which do not have a redirect URI to accept the credentials after a user approves an OAuth consent request. The OOB flow poses a remote phishing risk and clients must migrate to an alternative method to protect against this vulnerability. OOB Google OAuth authorization endpoints uses redirect_uri parameter from any of the following values:

  • redirect_uri=urn:ietf:wg:oauth:2.0:oob
  • redirect_uri=urn:ietf:wg:oauth:2.0:oob:auto
  • redirect_uri=oob

Methods to move away from OOB flow

Method 1: Providing a redirect_uri

Go to the google console create a new client_id (from February 28, 2022, we cant create OOB clients). image

  • Provide a redirect_uri which is a public URL to which the authorization code will be sent to after google authorization, make sure you handle this request on your app, Thats it.
  • If you are using a OOB to validate only one specific user and only want to perform authorization once, then can provide “http://localhost:3000” (or any local path) as redirect_uri. Once google authorization is done it will send back the authorization code to the local path so thath the code can be copied from the URL and can be used to generate the access token, refresh token, etc. image

Method 2: Use of Google App password (for single user authentication, not an OAuth flow.)

  • Go to Manage Google account of the account to which you need to access via an app
  • Select the securiry tab
  • Scroll down to reveal the ‘2-step verification’ set it up if not already done
  • After 2-step verification is done, a new option ‘App password’ will be unlocked, go ahead and create a password for the Google service that you want

image

  • After this you will receive a new password, which can be copied and used in the app along with the username(your email)
  • Google has removed the option of ‘Less secure apps’(May 30, 2022) So this is the only way to access your google services via a custom app

Rails example for the above methods

Method 1

One of our Rails app uses gmail_cli. So here is an example of how to fix above issue for that
gmail_cli provides an Oauth helper that handles the Google authorization. Make sure to provide a redirect_uri beacsue the default value is one of the OOB links mentioned above.

 gmail_cli = GmailCli::Oauth2Helper.new({ 
  client_id: <client_id>,
  client_secret: <client_secret>,
  redirect_uri: "http://localhost:3000" })

gmail_cli.authorize!

This generates a link which brings you to authorization page of your google account, once that is done, the page gets redirected to the http://localhost:3000/?code=<code>&scope=https://mail.google.com/.
From this we can extract the code and provide it to gmail_cli prompt.
The gmail_cli will use this code to get:-

  • access_token
  • refresh_token
  • username

We can use refresh token to get new access_tokens. which we can use for the gmail APIs

gmail_cli = GmailCli::Oauth2Helper.new({ refresh_token: <refresh_token>,
 client_id: <client_id>,
 client_secret: <client_secret>,
 redirect_uri: "http://localhost:3000" })

gmail_cli.refresh_access_token! #new access_tokens

For simple API functionalities for your gmail account we use this gem gmail To connect to the gmail account simply use this command

gmail = Gmail.connect(:xoauth2, <username>, <access_token>)

gmail now can be used to perform various Gmail functionalities

Method 2

Implementing method 2 is much more easier once you have setup an app password. Here we will be using gmail gem, but instead of access_token, We can use the app password.

gmail = Gmail.connect(<username>, <password>)

Conclusion

To summarise, we discussed how to solve the “OAuth out-of-band (OOB) flow will be deprecated” error and also looked at code samples to fix this for Rails application

Related Posts

A Tutorial for a Ruby on Rails Application

Ankur Singh Chauhan - 02 Apr 2024

Read

Mastering Ruby Parallelism and Concurrency, From Basics to Real-World Applications

Deepak Chauhan - 10 Mar 2024

Read

Set Up Dual Databases in Rails

Deepak Chauhan - 06 Feb 2024

Read