Bug 101630 - Google Drive two-factor authentication (2FA) not working again
Summary: Google Drive two-factor authentication (2FA) not working again
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
5.2.0.4 release
Hardware: All All
: high major
Assignee: Not Assigned
URL:
Whiteboard: target:7.3.0 target:7.2.0.2 target:7.1.6
Keywords:
: 100914 103748 119511 123315 124291 124375 124439 126212 127662 129835 136562 136672 139088 141787 144460 149444 151415 154605 157883 162100 (view as bug list)
Depends on:
Blocks: Network
  Show dependency treegraph
 
Reported: 2016-08-21 02:47 UTC by Leandro Martín Drudi
Modified: 2024-08-19 03:07 UTC (History)
60 users (show)

See Also:
Crash report or crash signature:


Attachments
Start login (23.79 KB, image/png)
2016-08-21 02:47 UTC, Leandro Martín Drudi
Details
Error... The same error as before (11.67 KB, image/png)
2016-08-21 02:48 UTC, Leandro Martín Drudi
Details
LibreOffice 5.2.0.4 Google drive 2FA failing english (20.72 KB, image/png)
2016-09-02 12:19 UTC, Shrenik
Details
First screen grab for comment 7 (84.68 KB, image/jpeg)
2016-09-28 13:41 UTC, Bob Harvey
Details
Second screen grab for comment 7 (140.87 KB, image/png)
2016-09-28 13:43 UTC, Bob Harvey
Details
screen of the issue in ubuntu (32.63 KB, image/png)
2018-05-14 16:16 UTC, Cristiano
Details
PopUp in my Android Smartphone. Android 8.0 (48.40 KB, image/png)
2018-09-24 23:54 UTC, Leandro Martín Drudi
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Leandro Martín Drudi 2016-08-21 02:47:21 UTC
Created attachment 126925 [details]
Start login

In the new version this bug is not corrected (Bug 100113).
Now he asks for a PIN but never gets a message that does not accept PIN and the PIN generated by Autenticator App.
Comment 1 Leandro Martín Drudi 2016-08-21 02:48:25 UTC
Created attachment 126926 [details]
Error... The same error as before
Comment 2 Cor Nouws 2016-08-22 09:27:04 UTC
@guiseppe: maybe you can have a look?
thanks!
Comment 3 Giuseppe Castagno (aka beppec56) 2016-08-23 10:39:34 UTC
Checked with:

Version: 5.2.0.4
Build ID: 066b007f5ebcc236395c7d282ba488bca6720265
CPU Threads: 4; OS Version: Windows 6.2; UI Render: default; 
Locale: it-IT (it_IT)

I found it working on standard (e.g. not 2FA) account.
Unfortunately not working on a 2FA enabled account.
Strangely Google sent me always the same PIN code.

Until a few days ago 2FA worked, with the same LO version.
I think Google changed again the login page.

Unfortunately I don't have time to look into the matter ATM, it will be necessary to fix something in libcmis I think.
Comment 4 Aron Budea 2016-08-24 02:13:56 UTC
Confirmed based on Giuseppe's reply.
Comment 5 Shrenik 2016-09-02 12:19:26 UTC
Created attachment 127123 [details]
LibreOffice 5.2.0.4 Google drive 2FA failing english

Have experienced the same "Error saving the document <filename>: The specified device is invalid" error as before. The only advancement with 5.2.0.4 is that we are now being requested the PIN. But once we enter that, the result remains the same as in the screenshot attached.
Comment 6 Alberto Gaburro 2016-09-15 13:04:57 UTC
Same problem on Libreoffice 5.2.1.2 x64 on Windows 10.

After entering the PIN, I get the error "The specified device is invalid".
So I can't even browse my contents on Google Drive.
Comment 7 Bob Harvey 2016-09-28 13:39:34 UTC
I am not sure if my experience is appropriate to this bug, or if it something else.

But it is definitely a case of 2-factor not working!

I have installed the 64 bit version 5.2.2.2

When attempting to connect to google drive I get a dialogue asking me for a PIN from my account   There is a small dialgoue with a G- in front of the data entry box.

What pops up on my phone is a wholly different dialogue, asking me to tap on one of 3 numbers that are displayed on the login attempt.  They aren't.

So LibreOffice is asking for a number that is not displayed on the phone, and the phone is asking for a number that is not displayed by LibreOffice.  SOme mistake there, I feel.

Screen grabs wil follow
Comment 8 Bob Harvey 2016-09-28 13:41:50 UTC
Created attachment 127700 [details]
First screen grab for comment 7

This is Libre Office trying to log into my Google Drive account, and waiting for authentication
Comment 9 Bob Harvey 2016-09-28 13:43:36 UTC
Created attachment 127701 [details]
Second screen grab for comment 7

This is what the phone offers as the 2nd factor
Comment 10 Alberto Gaburro 2016-10-21 09:43:41 UTC
(In reply to Alberto Gaburro from comment #6)
> Same problem on Libreoffice 5.2.1.2 x64 on Windows 10.
> 
> After entering the PIN, I get the error "The specified device is invalid".
> So I can't even browse my contents on Google Drive.

Upgraded Libreoffice from 5.2.1.2 to 5.2.2.2 x64 on Windows 10.
Nothing changes :(
Comment 11 Alberto Gaburro 2016-11-04 15:58:52 UTC
(In reply to Alberto Gaburro from comment #10)
> (In reply to Alberto Gaburro from comment #6)
> > Same problem on Libreoffice 5.2.1.2 x64 on Windows 10.
> > 
> > After entering the PIN, I get the error "The specified device is invalid".
> > So I can't even browse my contents on Google Drive.
> 
> Upgraded Libreoffice from 5.2.1.2 to 5.2.2.2 x64 on Windows 10.
> Nothing changes :(

Upgraded Libreoffice from 5.2.2.2 to 5.2.3.3 x64 on Windows 10.
Nothing changes :(
Comment 12 vinixda 2017-01-29 11:38:58 UTC
I can confirm that Google Drive 2FA is broke again. 

LibreOffice 5.2.4.2 (Fresh PPA), Linux Mint 18.1.
Comment 13 Alberto Gaburro 2017-02-01 08:39:27 UTC
(In reply to Alberto Gaburro from comment #11)
> (In reply to Alberto Gaburro from comment #10)
> > (In reply to Alberto Gaburro from comment #6)
> > > Same problem on Libreoffice 5.2.1.2 x64 on Windows 10.
> > > 
> > > After entering the PIN, I get the error "The specified device is invalid".
> > > So I can't even browse my contents on Google Drive.
> > 
> > Upgraded Libreoffice from 5.2.1.2 to 5.2.2.2 x64 on Windows 10.
> > Nothing changes :(
> 
> Upgraded Libreoffice from 5.2.2.2 to 5.2.3.3 x64 on Windows 10.
> Nothing changes :(

Upgraded Libreoffice from 5.2.4.2 to 5.2.5.1 x64 on Windows 10.
Nothing changes :(
Comment 14 gijs 2017-02-04 16:13:25 UTC
Upgraded Libreoffice to 5.3.0.3 x64 on Windows 10.
Nothing changes :(
Comment 15 Aron Budea 2017-02-04 20:37:59 UTC
Version field is supposed to be the oldest version the bug was observed with, please don't change to a newer one.
Comment 16 blendergeek 2017-02-25 18:36:42 UTC
Just confirmed on XUbuntu 16.04.2 using the following LibreOffice build:
Version: 5.3.0.3
Build ID: 1:5.3.0~rc3-0ubuntu1~xenial1.1
CPU Threads: 4; OS Version: Linux 4.4; UI Render: default; VCL: gtk2; Layout Engine: new; 
Locale: en-US (en_US.UTF-8); Calc: group

Further, I noticed that when I enter a wrong password with two-factor enabled, the dialogue for two factor appears. Then I enter the six digit code and whatever I enter in that box I get "The specified device is invalid".

I also get this error if I type an unused email address or the wrong password.
Comment 17 Robert Cabane 2017-04-01 07:34:22 UTC
Same behavior here (using LO from TDF, version 5.3.1.2). In fact, my phone never receives the expected SMS from Google, so I can't even type the 6-digit G-code.
Comment 18 Max S. 2017-04-27 12:41:55 UTC
I confirm the bug in version 5.2.6.2 on Windows 10 x64.
2-FA enabled Google Account doesn't work.
Comment 19 Robert Cabane 2017-04-27 14:13:38 UTC
Just the same, LO from TDF, 5.3.2.2, Linux
Comment 20 Aron Budea 2017-04-27 15:52:45 UTC
Thanks for the update, but Max, please keep version at earliest (known) affected.
Comment 21 Alois Hammer 2017-05-10 02:46:48 UTC
Confirmed "The specified device is invalid." with good credentials and good OATH-TOTP code.

Let me know if I can add any information. It's not clear to me how or whether it's possible to enable any form of logging for LibreOffice on Windows.

Version: 5.3.2.2 (x64)
Build ID: 6cd4f1ef626f15116896b1d8e1398b56da0d0ee1
CPU Threads: 8; OS Version: Windows 6.1; UI Render: GL; Layout Engine: new; 
Locale: en-US (en_US); Calc: group

Oracle JRE 1.8.0_131 x86 and x64 installed system-wide, functioning, and enabled in LO options.

Java critical files -

C:\Windows\Sun\Java\Deployment\deployment.config -

deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
deployment.system.config.locked
deployment.system.config.mandatory.locked


C:\Windows\Sun\Java\Deployment\deployment.properties -

#System Deployment Properties
deployment.cache.jarcompression.locked=true
deployment.cache.jarcompression=9
deployment.cache.max.size.locked=true
deployment.cache.max.size=256
deployment.console.startup.mode.locked=true
deployment.console.startup.mode=DISABLE
deployment.expiration.check.enabled.locked=true
deployment.expiration.check.enabled=false
deployment.insecure.jres.locked=true
deployment.insecure.jres=NEVER
deployment.javaws.associations.locked=true
deployment.javaws.associations=2
deployment.javaws.shortcut.locked=true
deployment.javaws.shortcut=ASK_USER
deployment.javaws.update.timeout.locked=true
deployment.javaws.update.timeout=2500
deployment.log.locked=true
deployment.log=false
deployment.proxy.type.locked=true
deployment.proxy.type=0
deployment.roaming.profile.locked=true
deployment.roaming.profile=false
deployment.security.authenticator.locked=
deployment.security.authenticator=true
deployment.security.level.locked=true
deployment.security.level=VERY_HIGH
deployment.security.revocation.check.locked=true
deployment.security.revocation.check=ALL_CERTIFICATES
deployment.security.SSLv3.locked=true
deployment.security.SSLv3=false
deployment.security.use.native.sandbox.locked=true
deployment.security.use.native.sandbox=true
deployment.security.validation.clockskew.locked=true
deployment.security.validation.clockskew=5
deployment.security.validation.crl.locked=true
deployment.security.validation.crl=true
deployment.security.validation.ocsp.locked=true
deployment.security.validation.ocsp=true
deployment.security.validation.timeout.locked=true
deployment.security.validation.timeout=5
deployment.trace.locked=true
deployment.trace=false
deployment.user.logdir.locked=true
deployment.user.logdir=null
install.disable.sponsor.offers.locked=true
install.disable.sponsor.offers=true
Comment 22 Oliver Brinzing 2017-05-14 08:03:45 UTC
Today i tried to connect to Google Drive with LO 5.3.3(32Bit) on Win10Pro 64Bit with 2FA, and i worked, but only, if i receive the PIN via SMS on my IPhone.
During the initial installation i received 2 PINs.

PIN via Autenticator App does not work for me too.
Comment 23 Leandro Martín Drudi 2017-05-14 14:14:42 UTC
[ES]
Yo no recibo nunca el mensaje con Movistar en Argentina. Si es para ingreso al Mail, sí, pero no para esto.
[EN]
I never receive the message with Movistar in Argentina. If it is to login to the Mail, yes, but not for this.
Comment 24 Sergejs Ušakovs 2017-08-15 09:50:04 UTC
For me also, authentication via Google Authenticator app on iOS didn't work.
As LO - strangely - doesn't offer a choice of alternative options to choice Google authentication code delivery method delivery, then you have to setup your phone as Default Google Authentication option - then, again problem, as Google, doesn't allow freely to choose delivery option, and set default delivery option itself, the only way to get phone as a default Google authenticator code delivery option is to remove all other options, namely, in my case, Google Prompt option, and Google Authenticator app option.
Then - again strangely - LO ask for GDrive credentials, incl. authenticator code again - I am just wondering, what the sense of going such loop..?

Then, when finally Gdrive directory get populated there are only just like 50-100 files and one directory, out of 1000s... - rendering it unusable.

LO Version: 5.4.0.3
Build ID: 7556cbc6811c9d992f4064ab9287069087d7f62c
CPU threads: 2; OS: Windows 6.2; UI render: default; 
Locale: en-IE (en_US); Calc: group
Comment 25 Robert Cabane 2017-08-15 10:33:12 UTC
I tried to connect to Google Drive just after having installed LO 5.4. No change appeared : my phone received non SMS from Google.
Comment 26 Miloš Jovanović 2018-01-23 12:42:49 UTC
Using LO 5.4.4.2 on Ubuntu 17.10, with 2FA *disabled*, I am asked for the PIN anyway. Unable to sign in.
Comment 27 Karl Foley 2018-02-04 11:53:40 UTC
Experiencing the same issue in Windows 6.0.0.3.
Comment 28 Robert Cabane 2018-03-02 07:41:12 UTC
The bug is still there on LO 6.0.4 (Linux). I tried opening Google drive giving my account either as (my Gmail address) or (the first part of my Gmail address), without success : my phone didn't receive any SMS.
Comment 29 Leandro Martín Drudi 2018-03-02 17:47:29 UTC
With Outlook. com accounts. the same thing happens.
Is another report required or can you see with this one as well?
With Outlook. com basins, the generated URL generates the same error.
Comment 30 Leandro Martín Drudi 2018-03-02 17:48:28 UTC
(In reply to Leandro Martín Drudi from comment #29)
> With Outlook. com accounts. the same thing happens.
> Is another report required or can you see with this one as well?
> With Outlook. com basins, the generated URL generates the same error.

Sorry, Basins*: Accounts
(I translate with google)
Comment 31 farside268 2018-03-10 01:22:20 UTC
This is still a problem in 6.0.2.1. I have 2FA enabled and get the phone notification to approve the login every time I try to login. I approve the login, which does nothing with LO. I try to enter the PIN from Authenticator and receive the message about the device being invalid.
Comment 32 Aron Budea 2018-03-10 04:08:27 UTC
Let's keep version field as the earliest known affected version.
Comment 33 Chris 2018-03-30 15:16:32 UTC
This bug also affects 2FA Google accounts that are using the App Password feature (https://support.google.com/accounts/answer/185833?hl=en) This is a feature that allows you to use a 16 character password that is unique to the app and it usually bypasses the need for any other 2FA method.  Whether you use the standard Google password or the App password, LibreOffice is still prompting for a G-Pin to complete the sign in.
Comment 34 Cristiano 2018-05-14 16:16:26 UTC
Created attachment 142096 [details]
screen of the issue in ubuntu

I'm using the version  6.0.3.2 with Ubuntu (Build ID: 1:6.0.3-0ubuntu1).

I was able to setup my google account in order to receive the 6-digits PIN in my smartphone. 
But even after type it I'm getting the "The specified device is invalid." when trying to setup the connection.

Btw, I'm able to connect to Drive using Nautilus.
Comment 35 Drew Jensen 2018-08-26 17:16:41 UTC
*** Bug 119511 has been marked as a duplicate of this bug. ***
Comment 36 Robert Cabane 2018-09-24 20:46:57 UTC
Hello, I just updated my LO install to the 6.1.1 version (Linux + KDE). And, suddenly, the connection with my Google drive works (with 2FA), that's really marvelous !
Thank you for your work.
Comment 37 Leandro Martín Drudi 2018-09-24 20:50:23 UTC
I try in Windows and don't work.
Versión: 6.1.1.2 (x64)
Id. de compilación: 5d19a1bfa650b796764388cd8b33a5af1f5baa1b
Subprocs. CPU: 4; SO: Windows 10.0; Repres. IU: predet.; 
Configuración regional: es-AR (es_AR); Calc: CL
Comment 38 Xisco Faulí 2018-09-24 23:43:45 UTC
(In reply to Robert Cabane from comment #36)
> Hello, I just updated my LO install to the 6.1.1 version (Linux + KDE). And,
> suddenly, the connection with my Google drive works (with 2FA), that's
> really marvelous !
> Thank you for your work.

Most likely fixed by https://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-6-1-1&id=2751f625990bc4d619eb2b0b895f9d510f768a02
Comment 39 Xisco Faulí 2018-09-24 23:44:09 UTC
(In reply to Leandro Martín Drudi from comment #37)
> I try in Windows and don't work.
> Versión: 6.1.1.2 (x64)
> Id. de compilación: 5d19a1bfa650b796764388cd8b33a5af1f5baa1b
> Subprocs. CPU: 4; SO: Windows 10.0; Repres. IU: predet.; 
> Configuración regional: es-AR (es_AR); Calc: CL

Do you get any erro message?
Comment 40 Leandro Martín Drudi 2018-09-24 23:52:58 UTC
(In reply to Xisco Faulí from comment #39)
> (In reply to Leandro Martín Drudi from comment #37)
> > I try in Windows and don't work.
> > Versión: 6.1.1.2 (x64)
> > Id. de compilación: 5d19a1bfa650b796764388cd8b33a5af1f5baa1b
> > Subprocs. CPU: 4; SO: Windows 10.0; Repres. IU: predet.; 
> > Configuración regional: es-AR (es_AR); Calc: CL
> 
> Do you get any erro message?

[ES]
El mismo de siempre: «El dispositivo especificado no es válido.»
Cuando he confirmado el LogIn en la ventana de LibreOffice, una ventana aparece en mi spartphone pidiendo autorización para el LogIn (con el fin de no usar el código).
Presione "OK" o presione "No, no soy yo", igualmente, el código no funciona. He probado con el que llega por SMS tanto como el que se genera con la App "Autenticator" y ninguna funciona. El resultado es siempre el mismo.

[EN]
The same like always: "The specified device is invalid."
When I have confirmed the LogIn in the LibreOffice window, a window appears on my spartphone asking for authorization for the LogIn (in order not to use the code).
Press "OK" or press "No, it's not me", likewise, the code does not work. I have tried with the one that arrives by SMS as much as the one generated with the "Authenticator" App and none of them work. The result is always the same.
Comment 41 Leandro Martín Drudi 2018-09-24 23:54:12 UTC
Created attachment 145146 [details]
PopUp in my Android Smartphone. Android 8.0
Comment 42 Oliver Brinzing 2018-09-25 07:14:14 UTC
it's not working  with

Version: 6.1.2.1 (x64)
Build-ID: 65905a128db06ba48db947242809d14d3f9a93fe
CPU-Threads: 4; BS: Windows 10.0; UI-Render: Standard; 
Gebietsschema: de-DE (de_DE); Calc:

and Authenticator App. 
Entering 6 digit code ends with error message:
"The specified device is invalid."

browser login with Authenticator App works on my notebook.
Comment 43 Karl Foley 2018-10-20 07:31:18 UTC
Still getting this in Linux 6.1.2.1 on Ubuntu 18.10.
Trying to use remote storage with 2FA application on phone.
Program prompts for pin, no popup on phone, pin from app results on "Invaid Device" message.
Comment 44 Aron Budea 2018-10-22 05:17:26 UTC
Thanks for checking, Karl, please note that the version field is for the oldest known affected version.
Comment 45 ATX 2018-10-31 20:53:29 UTC
This is not working for 6.1.2.1 and 6.2.0.0.alpha1 on W10.

Issues:
- 6 digit code asked with and without 2FA enabled.
- Invalide device error message.
Comment 46 Warren Downs 2018-12-14 00:01:23 UTC
Same problem on LibreOfficeDev 6.2.0.0.beta1
Tried without 2FA, got prompt for 6 digit code.
Turned on 2FA, installed Google Authenticator, but code from Authenticator does not work.
Comment 47 Miloš Jovanović 2018-12-14 12:04:03 UTC
To add onto what was previously written. 

PIN is asked for irrespective of 2FA status.

Not using Authenticator, the 2FA SMS is not sent either.

Would happily volunteer my time to debug, but the information on https://wiki.documentfoundation.org/QA/BugReport/Debug_Information is daunting. Would need a bit of guidance.

Build ID: 1:6.1.3~rc2-0ubuntu0.18.04.2
CPU threads: 4; OS: Linux 4.15; UI render: default; VCL: gtk3; 
Locale: en-US (en_US.UTF-8); Calc: group threaded
Comment 48 Xisco Faulí 2018-12-14 12:11:41 UTC
@Muhammet, since you fixed the personas issue, I thought you might be interested in this issue as well. I know they are not related at all, I'm just trying to find someone who might fix this one...
Comment 49 Oliver Brinzing 2019-02-11 17:31:34 UTC
*** Bug 123315 has been marked as a duplicate of this bug. ***
Comment 50 Oliver Brinzing 2019-03-23 16:09:06 UTC
*** Bug 124291 has been marked as a duplicate of this bug. ***
Comment 51 Oliver Brinzing 2019-03-27 19:50:11 UTC
*** Bug 124375 has been marked as a duplicate of this bug. ***
Comment 52 Oliver Brinzing 2019-03-29 22:02:54 UTC
*** Bug 124439 has been marked as a duplicate of this bug. ***
Comment 53 Buovjaga 2019-05-27 15:33:58 UTC
*** Bug 100914 has been marked as a duplicate of this bug. ***
Comment 54 Oliver Brinzing 2019-07-03 17:08:19 UTC
*** Bug 126212 has been marked as a duplicate of this bug. ***
Comment 55 kvoz123 2019-07-04 04:44:41 UTC
This feature doesn't work with my Google account _w/o_
2FA.

Bug hasn't be resolved for about 3 years and "very soon"
we may celebrate 5 years anniversary.  %-(
Comment 56 Luis Alberto Hernández Monroy 2019-11-23 04:31:03 UTC
Google Drive two-factor authentication not working on 6.3.3.2 I'm getting the "The specified device is invalid." when trying to setup the connection.
Comment 57 Aron Budea 2020-01-06 16:09:13 UTC
*** Bug 129835 has been marked as a duplicate of this bug. ***
Comment 58 Xisco Faulí 2020-01-20 18:47:05 UTC
*** Bug 127662 has been marked as a duplicate of this bug. ***
Comment 60 Pedro 2020-04-19 16:41:58 UTC
Just tried to add my Google Drive and One Drive accounts and had the exact same error of "Specified device is invalid" with both services.
Also tried to make a connection via Sharepoint 2013 and it did not work as well.
Comment 61 Pedro 2020-05-16 09:10:26 UTC
Just an FYI. In the "This week in KDE" of May 15th 2020 Nate Ingraham reported that a similar issue to this one was solved for KMail and Kontacts.

This is their bug report:
https://bugs.kde.org/show_bug.cgi?id=404990

In comment 122 from that bug report they state the following:

<<Google has approved KMail access to Gmail via Googla Sign-in today, so it should work again. Should you still see some errors, please let us know.>>

They link to a Reddit topic where a lot of the steps to fix this are detailed!
https://www.reddit.com/r/kde/comments/gi5bol/kmailkontact_oauth_signin_with_gmail_enabled_again/

Here are the relevant comments:

"Hi all,

I would like to share some news :) This morning Google has approved our verification request to allow KMail/Kontact to sign into Gmail using the Google Sign In, which supports 2FA out-of-the-box and is more secure, since KMail/Kontact never sees your password.

If you have your IMAP account in KMail already configured in KMail and you would like to start using the OAuth sign-in, go to the account configuration (Settings→Configure KMail→Accounts→Receiving→[your Gmail IMAP account]→Modify) and in the Advanced tab select "Gmail" in the Authentication combo box.

If you want to add a new account, the Gmail authentication method will be chosen automatically by KMail.

I apologize it took so long to make Gmail login work again. The bureaucracy that had to be sorted out in order to comply with Google usage policies was non-trivial and I'll admit then whenever I had some spare time to work on KDE, I usually chose to write some code rather than read legal documents and write privacy policy...

Should you still see "Sign in with Google temporarily disabled for this app" or some other error, let me know, please."

"Nothing was wrong with KMail really, but if any application wants to access Gmail through OAuth, it needs to request access to this part of API from Google. Google considers Gmail to be a "restricted" scope and applications needs to pass verification and satisfy some extra requirements to get access to it. So there's a manual process of submitting the application for verification, writing a dedicated privacy policy, having numerous rounds with Google support to clear things app and making sure everything is aligned with their terms and policies for accessing the restricted scopes - it might be fun for a lawyer, but it certainly isn't the kind of activity a programmer would want to do in their spare time... :)"

Here's more detail to satisfy Google's requirements to link to Gmail:
https://support.google.com/cloud/answer/9110914?hl=en

Additional Requirements for Specific API Scopes:
https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes

Example of privacy policy that Google requires:
https://community.kde.org/KDE_PIM/Privacy_Policy


Hopefully this is enough information for work to be done to fix this bug. It's worth research how this works for Microsoft's One Drive as well since that one is also broken.
Comment 63 David Ring Jr 2020-06-05 20:01:31 UTC
In Windows Version: 7.0.0.0.beta1 (x64)
Build ID: 94f789cbb33335b4a511c319542c7bdc31ff3b3c
CPU threads: 4; OS: Windows 10.0 Build 18362; UI render: Skia/Raster; VCL: win
Locale: en-US (en_US); UI: en-US
Calc: CL

Also in latest Linux version - unknown as I am on Windows at the moment, but it's broken exactly the same way on Linux.

When asking to save remotely, Google prompts for six digit PIN which I do not have.

It is a wonderful feature that used to work.

It no longer works.

Regards,

David
Comment 64 libre officer 2020-06-20 20:39:25 UTC
Same issue here.
Tested with my google drive account and still asking for the 6 digits PIN.

2FA is not activated.


Version: 7.0.0.0.beta1 (x64)
Build ID: 94f789cbb33335b4a511c319542c7bdc31ff3b3c
CPU threads: 4; OS: Windows 10.0 Build 17763; UI render: Skia/Raster; VCL: win
Locale: fr-CH (fr_FR); UI: en-GB
Calc: threaded
Comment 65 Michael Meeks 2020-08-05 16:23:06 UTC
Florian - this looks like something that TDF would need to chase to fix ? a nice list of things to do from Pedro; is this something you can handle ?
Comment 66 Florian Effenberger 2020-08-06 14:32:24 UTC
Oh, indeed, looks like lots of fun... :-)
I'll chase this with the team and try to get the paperwork done
Comment 67 Christian Lohmaier 2020-09-07 15:11:29 UTC
google authentication is https://github.com/tdf/libcmis/issues/22 / a bit more involved. (but I think it should also be fixable by using plain oauth2 and the same copy-URL-to-Browser and copy-the-result-back workflow.

Google's docs mention to just listen on a local loopback IP address and get the result that way - that is of course also an option to at least avoid copy-back into the dialog. But that's a "stretch goal" :-)
Google lists the Manual copy/paste with a hint of "may be discontinued in the future" 
https://developers.google.com/identity/protocols/oauth2/native-app


For onedrive it seems that the API was never migrated from the old/deprecated/now-non-function live apis to Microsoft graph.
The only "not-so-nice" thing is that we ask the user to copy'n'paste back between the browser and the LO dialog, but that's easy enough to do. Furthermore we can get rid of the username/pw entry that LO cannot use anyway
(or rather: It (LO/libcmis) should not attempt to imitate a user using the browser and try to parse the response of whatever login window appears that is augmented with webX.y stuff :-))

Fixing onedrive should be easy enough to do:
* Fix endpoints/scopes to match the Graph scheme
* Fix libcmis to use the new (or rather current) OneDrive REST API (instead of the old skydrive one that doesn't work anymore since end of 2018....)
* Fix remote-server dialog to not ask for username and password - authentication/login is handled in the user's browser

https://docs.microsoft.com/en-us/onedrive/developer/rest-api/concepts/migrating-from-live-sdk
Comment 68 Julien Nabet 2020-09-11 18:18:19 UTC
*** Bug 136672 has been marked as a duplicate of this bug. ***
Comment 69 BogdanB 2020-09-18 05:20:01 UTC
*** Bug 136562 has been marked as a duplicate of this bug. ***
Comment 70 Colin 2020-12-04 09:14:38 UTC
This from Google drive support in response to me asking them how to gain access;

Currently, Google Drive does not have a feature where you can set a pin or password to a certain files. Google Drive only saved the files the way we created it. If you forgot the password on the file you want to access you need to contact the program developer who created the apps or program you used prior saving it to Google Drive. 

Since you are trying to unlock Libre Office documents, you need to reach their support for further assistance. 

    Libre Office Community Support
    Libre Office Professional Support

When you contact Libre Office Support, please let them know that you need help with the 6 digit PIN so that it will allow remote access from your Libre Office account.

Where does the 6 digit pin originate?

I imagine even if LO fixes the issue then "newer" LO users who haven't previously availed themselves of the service simply won't have a 6 Digit PIN.

That's certainly my situation. I'm not trying to access existing files, just trying to implement the cloud storage for some CALCs by File> Open Remote> Add Service (from the dropdown menu defaulting to Manage services.
Comment 71 Colin 2020-12-04 09:16:22 UTC Comment hidden (duplicated, obsolete)
Comment 72 Julien Nabet 2020-12-20 13:05:41 UTC
*** Bug 139088 has been marked as a duplicate of this bug. ***
Comment 73 Christian Lohmaier 2021-02-05 10:41:58 UTC
(In reply to Colin from comment #70)
> This from Google drive support in response to me asking them how to gain
> access;
> 
> When you contact Libre Office Support, please let them know that you need
> help with the 6 digit PIN so that it will allow remote access from your
> Libre Office account.
> 
> Where does the 6 digit pin originate?

That pin was part of the now no longer supported login mechanism into your gdrive account, it wasn't used by LibreOffice as a pin or password to protect the documents, but rather just how the login worked..

> I imagine even if LO fixes the issue then "newer" LO users who haven't
> previously availed themselves of the service simply won't have a 6 Digit PIN.

And they won't need that pin.

> That's certainly my situation. I'm not trying to access existing files, just
> trying to implement the cloud storage for some CALCs by File> Open Remote>
> Add Service (from the dropdown menu defaulting to Manage services.

Both cases will be solved when the login/token generation is changed as described in comment#67, similar as it has been done for onedrive for 7.1.0 (fixing gdrive login is on the todo, but just didn't make it into 7.1.0).

So then the user-experience would be (for the time being): 
* User chossed to open/save to remote service
* LO asks to copy the login URL to browser
* User logs in to the service using their browser, granting LibreOffice the access privileges if not already done so in the past
* browser will return a code that has to be pasted back into the LibreOffice window
→ for the duration of the LO session, LO can then create access tokens and won't have to ask the user again.


To be fully clear: I know that this is not a great user-experience, so the copy-the-code-back to the LibreOffice window can be solved by having LibreOffice listen on a localhost address and setting the redirect URL to that localhost address, so that would eliminate the need for manually copy'n'paste.
But the bigger drawback is that currently LibreOffice doesn't store the refresh_token, so it will have to ask every time LO is started and the files are accessed. (typically they are valid for multiple weeks/months)
They should be securely stored locally, so the most natural way would be to use LibreOffice's password-store for that, so the user only would have to unlock it using the master password and not do the login-dance.
Comment 74 Colin 2021-02-05 11:16:09 UTC
(In reply to Christian Lohmaier from comment #73)
> (In reply to Colin from comment #70)

> 
> To be fully clear: I know that this is not a great user-experience, so the
> copy-the-code-back to the LibreOffice window can be solved by having
> LibreOffice listen on a localhost address and setting the redirect URL to
> that localhost address, so that would eliminate the need for manually
> copy'n'paste.

That's infinitely superior to Write LO Calc > Export to eXcel> Upload to GDrive> open with G.Sheets> Modify to mitigate the G.Sheet inadequacies> Work with G.Sheets until the next function change> Copy'n'Paste unformatted data to source LOCalc and then recycle. Still, I'm becoming a Wiz at version control;)).

Christian, thank you for taking the time to inform us. Much appreciated.

You advise it didn't make the cut to 7.1 - is there a guestimate as to when it might be available?
Comment 75 yogeshg 2021-03-01 04:34:27 UTC
Can we adjust the bug report to reflect a later version of LO instead of old unsupported versions? Currently, it's set to 5.2.0.4.
Comment 76 yogeshg 2021-03-01 04:36:55 UTC
(In reply to Christian Lohmaier from comment #73)
> But the bigger drawback is that currently LibreOffice doesn't store the
> refresh_token, so it will have to ask every time LO is started and the files
> are accessed. (typically they are valid for multiple weeks/months)
> They should be securely stored locally, so the most natural way would be to
> use LibreOffice's password-store for that, so the user only would have to
> unlock it using the master password and not do the login-dance.

Thanks, Christian. Do you know if there's a bug report for this? I want to follow its updates.
Comment 77 Aron Budea 2021-03-01 05:48:39 UTC
(In reply to yogeshg from comment #75)
> Can we adjust the bug report to reflect a later version of LO instead of old
> unsupported versions? Currently, it's set to 5.2.0.4.
As the label says, the version field is for the earliest (known) affected version, in general it's useful for narrowing down when a bug was introduced, to hint at whether it's a more recent regression/implementation error, or whether it was already in the first LO version.
Comment 78 Roman Kuznetsov 2021-04-25 09:48:32 UTC
*** Bug 103748 has been marked as a duplicate of this bug. ***
Comment 79 Roman Kuznetsov 2021-04-25 09:50:51 UTC
*** Bug 141787 has been marked as a duplicate of this bug. ***
Comment 80 Commit Notification 2021-07-27 23:52:04 UTC
Christian Lohmaier committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/73041de9563c9a973d1b5394c6e5520a7d799980

tdf#101630 - gdrive support w/oAuth and Drive API v3

It will be available in 7.3.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 81 Commit Notification 2021-07-28 03:26:56 UTC
Christian Lohmaier committed a patch related to this issue.
It has been pushed to "libreoffice-7-2":

https://git.libreoffice.org/core/commit/b8b66a26f8f519a30b8e6b860a9247a8ffbb71cc

tdf#101630 - gdrive support w/oAuth and Drive API v3

It will be available in 7.2.0.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 82 Christian Lohmaier 2021-07-28 09:14:25 UTC
Some hints/remarks to the fix:

* the initial repository-add dialogs have not been adjusted yet, they still ask for username and password, however those are not used. The username field is for LO's own distinguishing between different instances, but not used in the authentication. You can leave the password empty, it is not used to authenticate.

* to allow storing of the refresh token, you should enable persistent storage of credentials in Tools|Options → LO → Security → [x] allow persistent storage and [x] protect with master password. With that LO can store the refresh-token to use for further requests, and you only have to provide the master password.

* With the persistent storage enabled, and trying to setup the connection for the first time, LO will ask for the masterpassword to look for an existing refresh token, on first setup there obviously won't be one so it will go to the login procedure: Copy'n'paste the link to your browser, grant LibreOffice the access to files → You will get an access token that you copy back to the LibreOffice dialog. LibreOffice will then ask once more for the masterpassword to store the refresh token obtained using the access-token.

Also important: LO is not verified to use restricted scopes yet, so it can only use drive.file scope, meaning when accessing GDrive from LO you'll only see the files that you created with LibreOffice, other files will not be accessible (you will however be able to see the files created with LO in e.g. in your gdrive in browser)
Comment 83 Mike Kaganski 2021-07-28 18:59:28 UTC
(In reply to Commit Notification from comment #80)
> The patch should be included in the daily builds available at
> https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours.
> ...
> Affected users are encouraged to test the fix and report feedback.

Please note that daily builds are created without necessary configurations parameters, so those builds do not include gdrive support: this means that they can't be used for testing of the patches mentioned in comments 80 and 81.

OTOH, 7.2.0 RC2 is going to be available soon. Please wait for the release candidate for testing.
Comment 84 Heiko Tietze 2021-08-09 09:10:56 UTC
(In reply to Commit Notification from comment #81)
> Christian Lohmaier committed a patch related to this issue.

Resolved fixed? Thanks for the detailed explanation.
Comment 85 Commit Notification 2021-08-18 19:11:14 UTC
Christian Lohmaier committed a patch related to this issue.
It has been pushed to "libreoffice-7-1":

https://git.libreoffice.org/core/commit/854c03ebc94aae205b85d0c9d342048baf93e9a9

tdf#101630 - gdrive support w/oAuth and Drive API v3

It will be available in 7.1.6.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 86 m_a_riosv 2021-09-13 13:51:31 UTC
*** Bug 144460 has been marked as a duplicate of this bug. ***
Comment 87 daniel 2021-11-11 00:05:48 UTC
This is not working in v7.2.2.2

The key is not being properly stored, and the UI leaves a LOT to be desired.

You may find that the way the tool rclone (rclone.org) handles this authentication is much more graceful than the current solution.

The dialog box is also misleading about what, when (at which step), and where to paste the key from the OAuth process.

There has to be a better way for users to be able to use this feature.
Comment 88 Xisco Faulí 2021-11-15 09:46:20 UTC
(In reply to daniel from comment #87)
> This is not working in v7.2.2.2
> 
> The key is not being properly stored, and the UI leaves a LOT to be desired.
> 
> You may find that the way the tool rclone (rclone.org) handles this
> authentication is much more graceful than the current solution.
> 
> The dialog box is also misleading about what, when (at which step), and
> where to paste the key from the OAuth process.
> 
> There has to be a better way for users to be able to use this feature.

hello,
Please read comment 82 to allow storing the key
Comment 89 daniel 2021-11-15 16:53:40 UTC
(In reply to Xisco Faulí from comment #88)
> (In reply to daniel from comment #87)
> > This is not working in v7.2.2.2
> > 
> > The key is not being properly stored, and the UI leaves a LOT to be desired.
> > 
> > You may find that the way the tool rclone (rclone.org) handles this
> > authentication is much more graceful than the current solution.
> > 
> > The dialog box is also misleading about what, when (at which step), and
> > where to paste the key from the OAuth process.
> > 
> > There has to be a better way for users to be able to use this feature.
> 
> hello,
> Please read comment 82 to allow storing the key

I have, but it is extremely user-unfriendly and unless you are looking up this bug report, you would never know how to do it.  Even then, the notes in comment #87 are not the complete instructions.

Basically, this method is a dirty workaround of a patch job that needs to be truly fixed in both the backend and the UI. The method used to get and capture the key is not graceful, and the UI is plain incorrect.

I would fix it myself if it was something that had the skill to do (I love open source software for that!), but I do not feel comfortable in my skill level making those modifications.  Instead, I have pointed this very skilled and talented community to another piece of open-source software that has done a very good job at tackling this issue for not only Google Drive, but also for numerous other cloud storage vendors.  Their code base is mature, and the capabilities of that tool complement what users of this project need.

In reality, the project might even look at integrating that tool's functionality into this one, similar to how other modules have become standard within the software. Spell checking is one function that comes to mind.

I see this as an opportunity to potentially have one community help another, giving them both a way to learn from the other's work and experience. Isn't that one of the main benefits of being open source?
Comment 90 Will G 2021-12-30 04:50:26 UTC
Reproduced error message "specified device is invalid" from (remote file->manage services->add service->google drive->user->pass) sequence of events.  Much like everyone else BUT no two factor authentication in this case.


Ubuntu 20.04.3 LTS
Version: 7.1.8.1 / LibreOffice Community
Build ID: e1f30c802c3269a1d052614453f260e49458c82c
CPU threads: 8; OS: Linux 5.11; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded
Comment 91 doomsdayrs 2022-02-28 02:43:48 UTC
Can confirm that 2FA does not work. Even the GNOME Settings application has this feature.

---

Version: 7.2.5.2.0+
Build ID: 20(Build:2)
CPU threads: 24; OS: Linux 5.16; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
Calc: threaded
Comment 92 Mike Kaganski 2022-03-20 15:32:56 UTC
@cloph: could we possibly use some Python library ( https://oauth.net/code/python/ ), like we use smtplib in our scripting/source/pyprov/mailmerge.py, which implements com::sun::star::mail::XMailServiceProvider etc?
Comment 93 Mike Kaganski 2022-04-07 15:06:35 UTC
(In reply to Mike Kaganski from comment #92)

FYI: https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough
Comment 95 prrvchr 2022-11-11 16:05:03 UTC
@Christian Lohmaier

The OAuth2OOo extension https://github.com/prrvchr/OAuth2OOo has approvals from Google for the scope: https://www.googleapis.com/auth/drive

After the user has approved the use of this scope this extension is able to deliver OAuth2OOo tokens...

I'm ready to try an integration.
Comment 96 Buovjaga 2023-02-23 08:18:02 UTC
*** Bug 151415 has been marked as a duplicate of this bug. ***
Comment 97 Alex Thurgood 2023-04-04 15:21:59 UTC
*** Bug 154605 has been marked as a duplicate of this bug. ***
Comment 98 Stéphane Guillou (stragu) 2023-04-12 05:53:48 UTC
Cloph, you were assigned by Heiko since 2021. I've reset that to the default, as prrvchr said they were interested in working on it in comment 95.

prrvchr, are you still interested in submitting patches? If so, please go ahead and assign yourself.
Comment 99 Dieter 2023-09-03 19:16:47 UTC
*** Bug 149444 has been marked as a duplicate of this bug. ***
Comment 100 V Stuart Foote 2023-10-22 12:39:37 UTC
*** Bug 157883 has been marked as a duplicate of this bug. ***
Comment 101 Julien Nabet 2024-07-27 10:04:11 UTC
*** Bug 162100 has been marked as a duplicate of this bug. ***