Public bug reported: Hello! I'm the maintainer of Deja Dup. I was recently made aware that Google is removing an oauth workflow that Deja Dup uses, in September.
Here's their blog post about it: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html Here's the upstream bug about switching to a new oauth flow: https://gitlab.gnome.org/World/deja-dup/-/issues/222 I've released version 43.3 with a new oauth workflow. This basically switches us from redirecting the oauth page to a local http://localhost:xxxx/ page being served by deja-dup and instead has the browser launch a custom URI like 'com.googlecontent.xxx:/oauth2redirect?code=yyy', which then launches deja-dup and gives it the correct oauth token. The key differences for packagers is just to note that now deja-dup will register itself as a handler for those weird URI schemes (they are specific to deja-dup, as they include its client ids for the service). I think this deserves a backport to all supported releases. I can whip up a patch for you in a bit, just wanted to get this registered as an issue. To be a bit more specific about what will break: - Existing users that have already granted deja-dup access to Google will continue to work without any issue. - In August, users will see a warning on the oauth screen. - And then in September, any new attempt to connect deja-dup to Google will not work. ** Affects: deja-dup (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to deja-dup in Ubuntu. https://bugs.launchpad.net/bugs/1973816 Title: Deja Dup's Google support will break in September 2022 for versions < 43.3 Status in deja-dup package in Ubuntu: New Bug description: Hello! I'm the maintainer of Deja Dup. I was recently made aware that Google is removing an oauth workflow that Deja Dup uses, in September. Here's their blog post about it: https://developers.googleblog.com/2022/02/making-oauth-flows- safer.html Here's the upstream bug about switching to a new oauth flow: https://gitlab.gnome.org/World/deja-dup/-/issues/222 I've released version 43.3 with a new oauth workflow. This basically switches us from redirecting the oauth page to a local http://localhost:xxxx/ page being served by deja-dup and instead has the browser launch a custom URI like 'com.googlecontent.xxx:/oauth2redirect?code=yyy', which then launches deja-dup and gives it the correct oauth token. The key differences for packagers is just to note that now deja-dup will register itself as a handler for those weird URI schemes (they are specific to deja-dup, as they include its client ids for the service). I think this deserves a backport to all supported releases. I can whip up a patch for you in a bit, just wanted to get this registered as an issue. To be a bit more specific about what will break: - Existing users that have already granted deja-dup access to Google will continue to work without any issue. - In August, users will see a warning on the oauth screen. - And then in September, any new attempt to connect deja-dup to Google will not work. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/deja-dup/+bug/1973816/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
