Google OOB End-of-life

[pladen]

Some news from Google

OAuth out-of-band (OOB) flow will be deprecated on October 3, 2022
Note: New OOB usage has already been disallowed since February 28, 2022.

Since this is the only flow supported by step-cli to achieve OIDC token issuance from a shell without browser access, we definitely need an alternative. It seems that the flow is considered not secure at all because it could be easy to trick a user to copy/paste the code in a MITM context.

Our use-case is the following

• we use an OIDC provider (Google) to authenticate against our step-ca
• we access a remote device through a very limited SSH (no port forwarding, no agent forwarding)
• this device does not have any browser nor GUI
• the awesome step-cli tool launch a OOB flow with Google (with --console flag)
• which let us copy/paste the login link,
• then copy/paste back the authorization code
• tada, token is available on remote device to be used for next operations

The alternative could be to implement "Sign-In on TVs and Limited Input Devices" which involves sending the user to a generic URL, and let him paste a unique code and consent to give a token to the app.
Here is the doc
https://developers.google.com/identity/gsi/web/guides/devices

We are not skilled enough to implement ourselves but will be happy to discuss or test any progress on this.

More info on oauth flows at google
https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html

[maraino]

It looks like the only alternative to replace OOB is the device code flow, I will convert this conversation to an issue in the cli.

It doesn't looks like this is a problem for desktop apps which redirect to http://127.0.0.1:port, so I believe using step ca token [email protected] and copy the token will be always an option.

[maraino]

Added here smallstep/cli#675

[pladen]

Thanks for the quick answer

Copy paste full token will require having step cli installed on user computer too. The oob flow (as well as the device flow) only involve a browser on user side. The verification code is really convenient, it can be transmitted by various ways (SMS, phone etc).

Another workaround : We may put a small web oauth client online, just to display token which can be copied as input for cli. But users handling tokens is never a good option.

Regarding your remark about the future of flow redirecting to 127.0.0.1 : it seems like Google will still allow it for some times. But implicit flow is discouraged, as well as authorization code without pkce.

Edit: mentioned the need of pkce, just noticed that it is available in last cli release, awesome!

[maraino]

PKCE was added a couple of years ago.