Last step of Xoauth configuration fails

[Roderick]

I follow the link in the message alpine shows when I try to go to
the folder, and get in the browser what I reproduce bellow.

Any hint?

Thanks in advance
Rodrigo

--


Authorization Error
Error 403: access_denied
The developer hasn’t given you access to this app. It’s currently being
tested and it hasn’t been verified by Google. If you think you should have
access, contact the developer (.....@googlemail.com).
Learn more

The content in this section has been provided by the app developer. This
content has not been reviewed or verified by Google.

...

[Eduardo Chappa]

On Fri, 4 Mar 2022, Roderick wrote:

> I follow the link in the message alpine shows when I try to go to
> the folder, and get in the browser what I reproduce bellow.
>
> Any hint?
>
> Thanks in advance
> Rodrigo
>
> --
>
>
> Authorization Error
> Error 403: access_denied
> The developer hasn’t given you access to this app. It’s currently being
> tested and it hasn’t been verified by Google. If you think you should have
> access, contact the developer (.....@googlemail.com).
> Learn more

Dear Rodrigo, go back to the page you accessed to create your client-id
and client-secret and make sure you "publish" your app. Go back an check
in the "OAuth consent screen" that your app is "in production" and not in
testing.

I hope this helps.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

[Roderick]

On Fri, 4 Mar 2022, Eduardo Chappa wrote:

> Dear Rodrigo, go back to the page you accessed to create your client-id and
> client-secret and make sure you "publish" your app. Go back an check in the
> "OAuth consent screen" that your app is "in production" and not in testing.

Dear Eduardo,

thanks. Now I get what it is written below.

Rodrigo

---

Authorization Error
Error 400: invalid_request

You can't sign in to this app because it doesn't comply with Google's
OAuth 2.0 policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one
or more Google validation rules.

Request Details

The content in this section has been provided by the app developer. This

content has not been reviewed or verified by Google.

If you’re the app developer, make sure that these request details comply
with Google policies.

redirect_uri: urn:ietf:wg:oauth:2.0:oob

[Roderick]

On Fri, 4 Mar 2022, Eduardo Chappa wrote:

> Dear Rodrigo, go back to the page you accessed to create your client-id and
> client-secret and make sure you "publish" your app. Go back an check in the
> "OAuth consent screen" that your app is "in production" and not in testing.

Well I did only one thing: go to "oauth consent" and click on "publish",
then it was not more "test", but "in production".

Was something else necessary?

Thanks again!

Rodrigo

[Eduardo Chappa]

I do not think so. Are you having any other problems?

[Roderick]

On Fri, 4 Mar 2022, Eduardo Chappa wrote:

> On Fri, 4 Mar 2022, Roderick wrote:
>>
>> Well I did only one thing: go to "oauth consent" and click on "publish",
>> then it was not more "test", but "in production".
>>
>> Was something else necessary?
>
> I do not think so. Are you having any other problems?

Yes, a lot, but not with alpine. :)

Google send me a mail anouncing that end of may there will be no
more password login. Terrible!

I tried with two gmail accounts, one original gmail.com and one
original googlemail.com (used by google in germany). Both show
the same problem.

Below is result of alpine -v

Thanks
Rodrigo

----

Alpine 2.25 (BSF 592 2021-09-18) built Sun Oct 3 21:32:02 UTC 2021 on
machine.domain
Alpine was built with the following options:
./configure --prefix=/usr/opt/Alpine --disable-nls --disable-debug \
--with-passfile=filename --without-krb5 \
--with-interactive-spellcheck=ispell \
--with-ssl-certs-dir=/usr/local/share/certs --without-tcl

[Roderick]

I deleted all coockes. Now I get the same message, but in german.
Google does not ask for login before.

Rodrigo

[Eduardo Chappa]

On Sat, 5 Mar 2022, Roderick wrote:

> I deleted all coockes. Now I get the same message, but in german.
> Google does not ask for login before.
>
> Rodrigo
>>

>> Authorization Error
>> Error 400: invalid_request
>>
>> You can't sign in to this app because it doesn't comply with Google's
>> OAuth 2.0 policy for keeping apps secure.
>>
>> You can let the app developer know that this app doesn't comply with
>> one or more Google validation rules.

Dear Rodrigo,

there are a number of things happening that I am not sure you are
telling me about, but I think we need to make sure you and I are at the
same place.

Let me tell you the steps you should make to configure Alpine.

* Go to gmail to get your client-id and client-secret. Publish your app.
* In alpine go to the main screen and press "S U". Replace the values
for client-id and client-secret that exist in Alpine with the ones you
got from Google. Make sure you add your gmail address under username.
* Now attempt to open the folder and just follow the link that Alpine
will give you. Make sure the client-id you are using is the one you
got from Google.
* Complete the authorization on the google side. Google tries to scare
you that because your app is not verified you should not continue.
Ignore that is click to continue, assuming the risks that they are
trying the scare you to not to continue.

If these steps do not work for you, please let me know what failed at
which stage and the error message you got.

Thank you.

[John Levine]

According to Eduardo Chappa <cha...@washington.edu>:

> Let me tell you the steps you should make to configure Alpine.
>
> * Go to gmail to get your client-id and client-secret. Publish your app.
> * In alpine go to the main screen and press "S U". Replace the values
> for client-id and client-secret that exist in Alpine with the ones you
> got from Google. Make sure you add your gmail address under username.
> * Now attempt to open the folder and just follow the link that Alpine
> will give you. Make sure the client-id you are using is the one you
> got from Google.

Running Alpine on the Mac, compiled from recent github source, I get the
same thing, Error 400: invalid request.

I'm pretty sure I got this to work in the past and I doubt I'm doing anything
different.




--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

[Eduardo Chappa]

On Sat, 5 Mar 2022, John Levine wrote:

> According to Eduardo Chappa <cha...@washington.edu>:
>> Let me tell you the steps you should make to configure Alpine.
>>
>> * Go to gmail to get your client-id and client-secret. Publish your app.
>> * In alpine go to the main screen and press "S U". Replace the values
>> for client-id and client-secret that exist in Alpine with the ones you
>> got from Google. Make sure you add your gmail address under username.
>> * Now attempt to open the folder and just follow the link that Alpine
>> will give you. Make sure the client-id you are using is the one you
>> got from Google.
>
> Running Alpine on the Mac, compiled from recent github source, I get the
> same thing, Error 400: invalid request.

I do not use github, so please try this with the repository at

https://repo.or.cz/alpine.git

thank you.

[Eduardo Chappa]

On Sat, 5 Mar 2022, Eduardo Chappa wrote:

> On Sat, 5 Mar 2022, John Levine wrote:
>> Running Alpine on the Mac, compiled from recent github source, I get
>> the same thing, Error 400: invalid request.
>
> I do not use github, so please try this with the repository at
>
> https://repo.or.cz/alpine.git

I did try the latest bits of Alpine with a custom client-id and
client-secret for my gmail account and all worked well. John, please let
me know what problem you had.

Thank you.

[John Levine]

According to Eduardo Chappa <cha...@washington.edu>:

>On Sat, 5 Mar 2022, Eduardo Chappa wrote:
>
>> On Sat, 5 Mar 2022, John Levine wrote:
>>> Running Alpine on the Mac, compiled from recent github source, I get
>>> the same thing, Error 400: invalid request.
>>
>> I do not use github, so please try this with the repository at
>>
>> https://repo.or.cz/alpine.git

Sorry, I meant that it was a clone of your repo.

I do

$ ./configure --enable-from-encoding

and then build.

R's,
John

[Roderick]

On Sat, 5 Mar 2022, Eduardo Chappa wrote:

> there are a number of things happening that I am not sure you are telling
> me about, but I think we need to make sure you and I are at the same place.
>
> Let me tell you the steps you should make to configure Alpine.
>
> * Go to gmail to get your client-id and client-secret. Publish your app.
> * In alpine go to the main screen and press "S U". Replace the values
> for client-id and client-secret that exist in Alpine with the ones you
> got from Google. Make sure you add your gmail address under username.
> * Now attempt to open the folder and just follow the link that Alpine
> will give you. Make sure the client-id you are using is the one you
> got from Google.

Dear Eduardo,

it is this third step that fails. I recognise the correct ID in the
link alpine gives me.

I googled a little and found this:

https://laravelshowcase.com/question/google-oauth-from-localhost-throws-invalid_request-error

It is the same message, but I do not understand much of oauth2 and do
not know if it is relevant.

Thanks a lot
Rodrigo

[Eduardo Chappa]

On Sun, 6 Mar 2022, Roderick wrote:

> Dear Eduardo,
>

> it is this third step that fails. I recognize the correct ID in the link

> alpine gives me.
>
> I googled a little and found this:
>
> https://laravelshowcase.com/question/google-oauth-from-localhost-throws-invalid_request-error

Dear Rodrigo,

i read this link and it is not quite relevant to your situation. I'd like
to know if there is a chance we can zoom together so I can see exactly
what you are doing. Please contact me off newsgroup if you want to pursue
this. You can contact me through the email address of this message.

[Eduardo Chappa]

On Sun, 6 Mar 2022, John Levine wrote:

> Sorry, I meant that it was a clone of your repo.
>
> I do
>
> $ ./configure --enable-from-encoding
>
> and then build.

Dear John,

do you have an outlook/office365 account you can use to test? If the
answer is yes, and alpine cannot be configured with oauth2, then please
contact me off newsgroup, and I would like to see if it is possible to
meet with you throuh zoom to see exactly what you are doing and narrow the
source of the error.

[Eduardo Chappa]

It seems that a solution has been found to this issue, but needs to be
tested by more people, but here is something that seems to be working for
some people.

In the same page that is used to get the client-id and client-secret one
needs to click on "OAuth consent screen", and then put the App in
"Testing" (that is DO NOT publish) and then add your email addres to the
list of "Test Users" (below the above, in the same screen).

For anyone having this problem, please try this and see if this works.

Thank you.

[Roderick]

On Sun, 6 Mar 2022, Eduardo Chappa wrote:

> It seems that a solution has been found to this issue, but needs to be tested
> by more people, but here is something that seems to be working for some
> people.

For 7 days.

Google anounced, end of may they will only allow "secure apps".
It seems, we will have to do our Email work with android
smartphones. I regret that I decided to use gmail as my
main email account, I never though this was a trap.

Rodrigo.

[Eduardo Chappa]

Alpine will still be able to access your email in June, but you will have
to reauthorize Alpine every 7 days. Less than optimal. By far.

[Roderick]

On Sat, 19 Mar 2022, Eduardo Chappa wrote:
> On Sat, 19 Mar 2022, Roderick wrote:

>> Google anounced, end of may they will only allow "secure apps". It seems,
>> we will have to do our Email work with android smartphones. I regret that I
>> decided to use gmail as my main email account, I never though this was a
>> trap.
>
> Alpine will still be able to access your email in June, but you will have to
> reauthorize Alpine every 7 days. Less than optimal. By far.

This authorization process is not simple, and with my nettop, when
I am not at home, difficult, if not impossible.

The question is why google rejects alpine as not fulfilling who
knows what. And even if the problem is solved, it seems google
changes the rules continuosly, one cannot rely on google.

When I have time, I will try alpine with mbsync and msmtp, for
working offline, by far not a solution, but an alternative when
things do not work. See:

http://blog.onodera.asia/2020/06/how-to-use-google-g-suite-oauth2-with.html

Or is there other alternative?

Thanks
Rodrigo

[Harold Stevens]

In <6e3b5f35-3b58-6b9...@gmail.com> Roderick:

> The question is why google rejects alpine as not fulfilling who
> knows what. And even if the problem is solved, it seems google
> changes the rules continuosly, one cannot rely on google.

IMO, Google has legitimate security concerns about any app trying
to access its services. For the record, I am certain, after using
Pine/Alpine literally decades, Google has no legitimate beef with
Eduardo et al about Pine/Alpine security.

The actual subsurface issue all advertising based business models
like Google have with CLI apps (like Alpine) is simple: money.

You can't as easily track and bombard consumers with ads on a CLI
app, because it's ... CLI. Graphics and glitz are not strong suit
draws for CLI; access and speed on low-resorce gear, are draws.

It's why I still use lynx (or links) for some browsing. Who needs
obnoxious distracting advertisement overloading?

What's amazing to me is that Google actually even cares the least
bit about Alpine (etc) support.

Finally: kudos to Eduardo et al for continuing Alpine support.

--
Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS *
Pardon any bogus email addresses (wookie) in place for spambots.
Really, it's (wyrd) at att, dotted with net. * DO NOT SPAM IT. *
I toss GoogleGroup (http://twovoyagers.com/improve-usenet.org/).

[Roderick]

I get the same message below (in german) when calling

python2.7 oauth2.py \
--user=email@gmail --client_id=.. --client_secret=.. --generate_oauth2_token

Where oauth2.py is the google program in

https://
raw.githubusercontent.com/google/gmail-oauth2-tools/master/python/oauth2.py

Rodrigo

[Roderick]

And again, in test modus ouath2.py works.

lies perhaps the problem in the configuration of the project in the
google portal?

Rod.

[Eduardo Chappa]

On Sun, 20 Mar 2022, Roderick wrote:

> This authorization process is not simple, and with my nettop, when I am
> not at home, difficult, if not impossible.
>
> The question is why google rejects alpine as not fulfilling who knows
> what. And even if the problem is solved, it seems google changes the
> rules continuosly, one cannot rely on google.

I do not want to speak badly about google when they already speak badly
about themselves.

> When I have time, I will try alpine with mbsync and msmtp, for working
> offline, by far not a solution, but an alternative when things do not
> work. See:
>
> http://blog.onodera.asia/2020/06/how-to-use-google-g-suite-oauth2-with.html
>
> Or is there other alternative?

I do not know what you want to accomplish. The problem you found using
Alpine you will have it with any other app that uses the same client-id
and client-secret that you are using with Alpine. You do not need to get a
client-id and client-secret anymore, all you need to do is to authorize
Alpine every week using the same client-id and client-secret. I have done
this process so many times that I can do it in a short amount of time, and
so I see it as a small incovenience, but since you went through a painful
process to get this working, the memory of the pain is still fresh on you
and no matter what you do (using mbsync or Alpine) you will have to go
through this process every week. I am sorry this is the case, but this
issue will not disappear because you will use other programs than Alpine,
so if there is a better app than Alpine for you, use that because it is
better. This issue that you want to solve will not go away.

[Eduardo Chappa]

On Sun, 20 Mar 2022, Harold Stevens wrote:

>> The question is why google rejects alpine as not fulfilling who knows
>> what. And even if the problem is solved, it seems google changes the
>> rules continuosly, one cannot rely on google.
>
> IMO, Google has legitimate security concerns about any app trying to
> access its services. For the record, I am certain, after using
> Pine/Alpine literally decades, Google has no legitimate beef with
> Eduardo et al about Pine/Alpine security.

I agree with your statement about Google, however, I still do not
understand why Google does not do what other companies do, so Alpine users
can still use the program they know. The way Google solved this issue is
evil. There are better ways.

> The actual subsurface issue all advertising based business models like
> Google have with CLI apps (like Alpine) is simple: money.
>
> You can't as easily track and bombard consumers with ads on a CLI app,
> because it's ... CLI. Graphics and glitz are not strong suit draws for
> CLI; access and speed on low-resorce gear, are draws.
>
> It's why I still use lynx (or links) for some browsing. Who needs
> obnoxious distracting advertisement overloading?
>
> What's amazing to me is that Google actually even cares the least
> bit about Alpine (etc) support.

There are many reasons that can be argued as to the motivation of Google.
I was told (by a Google employee I discussed access of Alpine to Gmail) it
had to do with security and Google protecting itself from lawsuits. In
other words, this was a decision made by lawyers. All I can say is that
not all lawyers decide the same way.

[Roderick]

On Sun, 20 Mar 2022, Eduardo Chappa wrote:

> client-secret that you are using with Alpine. You do not need to get a
> client-id and client-secret anymore, all you need to do is to authorize
> Alpine every week using the same client-id and client-secret.

May I ask how?

I get the message: token has ben expired or revoked. No offer to
enter a new token, no instructions how to get it.

How to get the new token and how to enter it in alpine?

Thanks
Rodrigo

[Eduardo Chappa]

On Sun, 20 Mar 2022, Roderick wrote:

>
> And again, in test modus ouath2.py works.
>
> lies perhaps the problem in the configuration of the project in the
> google portal?

Yes, the issue you are having you will always have it no matter what app
you use. You need a client-id and client-secret that is not in test mode.

[Roderick]

I got the screen with the authorization info (links to google,
C command to enter code). It seems a ^C spoiled the
password file, because I had to enter passwords again, this deleted
perhaps also the invalid tokens, what made the screen to appear.

Is the solution to delete the password file (with the tokens)
in order to get the screen with the links?

Thanks
Rodrigo

[Eduardo Chappa]

On Sun, 20 Mar 2022, Roderick wrote:

> I got the screen with the authorization info (links to google, C command
> to enter code). It seems a ^C spoiled the password file, because I had
> to enter passwords again, this deleted perhaps also the invalid tokens,
> what made the screen to appear.
>
> Is the solution to delete the password file (with the tokens) in order
> to get the screen with the links?

Rodrigo,

once you get the screen with the link to google, do that again. Ignore
the part that tell you to get a client-id, etc., and proceed to follow the
link.

Recreating the password file willsend you to that screen, but you should
be sent to that screen even if you do not remove the password file. If you
are not being sent to that screen, can you run alpine with the command

alpine -d http

and look into there to see if you can identify the issue in the debug
file? If you need help, let me know.

[Roderick]

On Sun, 20 Mar 2022, Eduardo Chappa wrote:

> Recreating the password file willsend you to that screen, but you should be
> sent to that screen even if you do not remove the password file. If you are
> not being sent to that screen, can you run alpine with the command
>
> alpine -d http
>
> and look into there to see if you can identify the issue in the debug file?

I will do that the next time the problem appears.

Well, the procedure to authorize alpine is not worse than reading
mail with the browser.

Once a week reading mail with the browser is too much, but I think
would survive it. There are people that do it many times every day.

Rodrigo