[Kde-imaging] [kipiplugins] [Bug 330181] New: Picasa export needs new password every time with 2-step verification

Siu Chung Cheung (Clement) clement.cc at gmail.com
Mon Jan 20 02:05:00 UTC 2014 

https://bugs.kde.org/show_bug.cgi?id=330181

            Bug ID: 330181
           Summary: Picasa export needs new password every time with
                    2-step verification
    Classification: Unclassified
           Product: kipiplugins
           Version: 3.5.0
          Platform: Gentoo Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: PicasaWeb
          Assignee: kde-imaging at kde.org
          Reporter: clement.cc at gmail.com

Every since I started using 2-step verification at Google, Picasa web album
export requires a new application specific password to be generated every time!
(unless previous token is still valid)

Reproducible: Always

Steps to Reproduce:
1. Wait a few days for token to expire
2. Start Picasa export plugin

Actual Results:  
1. It asks for password, which is not remembered in kwallet. Username is a long
number instead of username.
2. Enter the application specific password (previously copied down manually
since it's not remembered)
3. Login still fails!
4. Go to Google accounts, revoke old password, generate new password
5. Come back and enter new password.
6. Now it works. But after the token expires, have to generate a new password
again, which is incredibly annoying.

Expected Results:  
Password remembered in kwallet, or at least doesn't have to generate a new
password every time.

I found a previous bug #292223, which is closed as fixed without any code
change. That's odd because it never worked for me. Note that this only happens
with 2-step verification and only if token expired.

Looks like digikam is not alone with this problem.
http://lists.yorba.org/pipermail/shotwell/2011-July/002523.html
http://redmine.yorba.org/issues/3445

It appears that we're still using the ClientLogin mechanism, which has been
deprecated.
https://developers.google.com/picasa-web/docs/2.0/developers_guide_protocol#Auth
The old mechanism doesn't support newer features like this 2-step verification,
refresh tokens, etc. So once token expired, there's no way to get new ones.

I believe they might have assumed you can refresh tokens. So they don't accept
the inital app specific password anymore neither. Judging from the experience
in shotwell, the only way to fix this is to migrate to the newer oauth, which
allows you to keep refreshing the token.

Here's the changeset for this migration in shotwell:
https://git.gnome.org/browse/shotwell/commit/?id=b74643f639c35c6bcdb842e38d3eb4c338cd0705

Most of the changes are just different, not really that complicated. But a few
things are needed to move forward.

FIrst of all, this requires a client ID and secret. Somebody needs to get one
on behalf of this project. (Note that we cannot just "borrow" one from other
open source projects. Because oauth do seem to keep track of how many refresh
tokens are issued. If user has both clients, we may exceed the limit and one of
them will get invalidated. Then we'll have to get new app specific password
again.)

Second, oauth requires showing an html page as one of the login steps. This is
the hairy part. It requires creating an HTML dialog and hooking up the events
to fetch the response. Looks like the Facebook export plugin (also uses oauth)
currently just opens the URL and tells the user to copy the text back when it's
done. That sounds a bit ugly.

As more and more services are using oauth, it may be time to finally build an
oauth dialog, which can go to the common directory and be shared by all the
oauth plugins. It's not easy. But it doesn't sound too horribly complicated
neither. I found a few resonably simple QT examples on the web:

http://kunalmaemo.blogspot.com/2012/01/posting-on-facebook-wall-from-qt.html
http://www.johanpaul.com/blog/2011/05/oauth2-explained-with-qt-quick/
http://gargidas.blogspot.com/2012/01/facebook-component-in-qml.html

The shotwell commit mentioned previously is another example but in Vala/GTK+.

I've been re-generating passwords almost every month in the past year. If
somebody can fix this, that would be great. I've also tried to delete the
plugins rc file to make it forget the previous token. Same results. (Cannot get
token with the old password and have to generate a new one.)

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the Kde-imaging mailing list