Bug 87938 - Google Drive via CMIS: two-factor authentication (2FA) is not possible
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version: 4.5.0.0.alpha0+ Master (earliest affected)
Hardware: All All
Importance: medium normal
Assignee: Not Assigned
Whiteboard: target:5.2.0 target:5.3.0 target:5.2....
Duplicates: 94410
Blocks: CMIS
Reported: 2015-01-01 16:27 UTC by David Gerard
Modified: 2017-09-24 19:57 UTC (History)

Description David Gerard 2015-01-01 16:27:24 UTC
I have compiled master from source.

Logging into a Google Drive account with only a password works.

However, logging into a Google Drive account with 2FA is not possible - there is no way to enter the passcode.

(It is not clear if this is a mere UI matter, or if it requires deeper work on libcmis.)
Comment 1 raal 2015-02-26 15:32:55 UTC
Version: 4.5.0.0.alpha0+
Build ID: a2fa9e2468aa5c4fd4b610c5d0ebc8959e87a072
TinderBox: Linux-rpm_deb-x86_64@46-TDF, Branch:master, Time: 2015-02-23_02:34:05

Google drive is not listed as CMIS provider.
Comment 2 David Gerard 2015-02-26 15:51:29 UTC
Yes, per discussions on the dev list, you need to supply a client secret if you're compiling from source. The official TDF release builds include the TDF client secret, but the tinderboxes may not be doing that.

This message includes how to build a Google Drive-enabled LO using the TDF client secret:

http://lists.freedesktop.org/archives/libreoffice/2015-January/066036.html

So to confirm this, you'd need to either build it from source using that, or use a TDF release build.
Comment 3 Yousuf Philips (jay) (retired) 2015-03-20 20:09:20 UTC
So David are you able to login to your 2FA Google Drive with a TDF release build?
Comment 4 David Gerard 2015-03-21 07:30:05 UTC
Er, no, hence filing this bug. There is literally no way to enter the verification code.
Comment 5 Yousuf Philips (jay) (retired) 2015-03-21 11:16:14 UTC
Sorry, the discussion about compiling must have confused me. :D

So how do other apps show 2fa?
Comment 6 David Gerard 2015-03-21 13:56:01 UTC
They don't - apparently (per comments on http://user-prompt.com/libreoffice-design-session-cmis-improvement ) you have to set up app passwords on a Google website. https://support.google.com/accounts/answer/185833?hl=en

Though I tried this on today's 4.5 master and got "General input/output error", so it didn't in fact work. If there is a way to get even this to verifiably work, I'll edit the summary to say "from within the application."
Comment 7 David Gerard 2015-12-11 16:49:10 UTC
Just tried on today's master build (da419ab6b28f0a20a62ea7fa13ab97a8ae946899).

If I enter my password, I get a dialogue box that says: "The specified device is invalid." (This is what is actually happening - my copy of LO is not an authenticated "device" - but may confuse an end user.) This happens whether the password is correct or not.

If I enter the app password I just generated, I get the same error.

So it appears not to presently be possible, and this bug is still the case.
Comment 8 maroonmoon 2016-02-11 05:54:48 UTC
I can confirm the same behavior for LibreOffice 5.1 under Windows. Even after adding LibreOffice to the app list under Google, I cannot connect to Google Drive with 2FA active.
Comment 9 raal 2016-02-11 06:18:53 UTC
Version:
(earliest affected)
Comment 10 Jean-Baptiste Faure 2016-02-24 05:10:44 UTC
confirmed by comment #8 -> NEW

Best regards. JBF
Comment 11 Yousuf Philips (jay) (retired) 2016-03-02 19:54:46 UTC
*** Bug 94410 has been marked as a duplicate of this bug. ***
Comment 12 Yousuf Philips (jay) (retired) 2016-03-11 21:35:14 UTC
Szymon, Giuseppe: It would be a useful temporary fix to this issue to detect when two-factor authentication is required and show an error stating that the feature hasn't been implemented yet.

The last time I added my Gmail account into Thunderbird, a window popped up and a Google login webpage showed in it, which I had to log into as a means of verifying the username and password I had already given Thunderbird. I don't have 2FA enabled, but I'm assuming for those that do, this process would allow them to successfully add Gmail to Thunderbird.

Was digging online for resources to assist whoever wants to take this on and found these ones.

https://en.wikipedia.org/wiki/Google_Authenticator
https://www.codementor.io/php/tutorial/google-two-step-authentication-otp-generation
Comment 13 Giuseppe Castagno (aka beppec56) 2016-05-13 07:57:06 UTC
Re-fixing bug 98416 I came across LO code areas where probably 2FA should be implemented.

In order to do that you probably need to implement part of the code in libcmis (the html page parser) and another part in LO (the user interacting dialog requesting the 2FA code).
Comment 14 Szymon Kłos 2016-05-13 21:37:08 UTC
Yousuf, Giuseppe: I've started implementing 2FA. I will probably commit it soon.
Comment 15 Commit Notification 2016-05-16 07:27:18 UTC
Szymon Kłos committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=511db54e95d02292417d7cd076e4bd6d50956d64

tdf#87938 libcmis: Google 2FA implementation

It will be available in 5.2.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 16 David Gerard 2016-05-20 18:41:13 UTC
Just tried with master as of a couple of hours ago, build b4c53a6eaeea4cb69244b294e68aa19d4324b0ec.

I enter my password, a box pops up for PIN, I get that on my phone, I enter it, and ...

"General input/output error."

So logging in doesn't work yet, but the interface is there :-)

(Lenovo X230 running Xubuntu 16.04, LO compiled from source.)
Comment 17 Szymon Kłos 2016-05-20 19:43:41 UTC
David Gerard: Did you receive a PIN which looked like: G-XXXXXX? You must enter only the 6 digits without "G-". Maybe this is the cause.

I forgot about that. In the next few days I will try to change this behaviour so that both inputs, "G-XXXXXX" and "XXXXXX", will work.
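
The input handling described in comment 17 (accept both "G-XXXXXX" and "XXXXXX", six digits only), as an added example that is not part of the original thread and is not libcmis or LibreOffice code. The names `PinStatus`, `PinResult` and `normalizeGooglePin` are hypothetical; returning a distinct rejection reason lets a dialog report malformed input locally instead of falling through to a generic error.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Hypothetical names throughout; this is not libcmis or LibreOffice code.
enum class PinStatus { Ok, Empty, BadLength, NonDigit };

struct PinResult {
    PinStatus status;
    std::string digits;  // six digits when status == Ok, otherwise empty
};

// Accepts "XXXXXX" or "G-XXXXXX" (prefix in either case, surrounding
// whitespace ignored) and reports why anything else was rejected.
PinResult normalizeGooglePin(const std::string& input)
{
    // Trim whitespace that copy and paste from an SMS often drags along.
    std::size_t begin = 0, end = input.size();
    while (begin < end && std::isspace(static_cast<unsigned char>(input[begin])))
        ++begin;
    while (end > begin && std::isspace(static_cast<unsigned char>(input[end - 1])))
        --end;
    std::string pin = input.substr(begin, end - begin);

    // Strip the optional "G-" prefix shown in the SMS text.
    if (pin.size() >= 2 && (pin[0] == 'G' || pin[0] == 'g') && pin[1] == '-')
        pin.erase(0, 2);

    if (pin.empty())
        return {PinStatus::Empty, ""};
    // Reject anything that is not a decimal digit before checking length,
    // so "12a456" is reported as NonDigit rather than accepted.
    for (unsigned char c : pin)
        if (!std::isdigit(c))
            return {PinStatus::NonDigit, ""};
    if (pin.size() != 6)
        return {PinStatus::BadLength, ""};
    return {PinStatus::Ok, pin};
}
```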
Comment 18 David Gerard 2016-05-21 00:39:54 UTC
No, I know that one :-) I just entered the number.

Perhaps you could do it the way Google do it, displaying the G- before the input box.
Comment 19 David Gerard 2016-05-21 08:28:27 UTC
Note that this build also gives "General input/output error." when I deliberately enter the wrong PIN, instead of telling me the PIN was wrong.
Comment 20 Szymon Kłos 2016-05-22 17:54:43 UTC
Login with 2FA (over SMS) works for me on current master. I can't reproduce this error.
I can confirm that when I enter an incorrect PIN I get "General input/output error.".

David Gerard: Does logging into an account without 2FA work for you?

Build ID: 56d2cab4704f079ca173d65619432665bc1a1c92
Linux 64 bit, openSUSE 42.1
Comment 21 David Gerard 2016-05-22 21:59:56 UTC
Yes, logging in on a different account that only has a password works fine.

However, using my work account which is 2FA, I still can't log in with the PIN.

The work account is a Google Apps for Business account, would that make any difference? Are you testing with a personal account or a Google Apps for Business one? I understand they behave differently in a number of respects.

(I don't want to post details of the work account publicly, but email me privately if you want me to test things with it, if there's useful debugging we can do, etc.)
Comment 22 David Gerard 2016-05-23 16:32:04 UTC
I just tried the 2FA account on today's build 00271c8eaf77c453a403a85f23233dca71d834f3 and it gave the "General input/output error." message - but I got an email from Google that my account had been used to authenticate. So something did actually work as far as authenticating successfully against Google.
Comment 23 Szymon Kłos 2016-05-23 16:51:15 UTC
Today I got this error too and prepared a fix. It will probably be available tomorrow. I hope this will help you :)
Comment 24 Yousuf Philips (jay) (retired) 2016-05-24 18:25:54 UTC
Suggestion for the improvement of the design: Have the 'PIN:' label on the same line as the field and shrink the field down to fit 6 characters, as that is how many characters can be filled.
Comment 25 David Gerard 2016-05-25 11:56:25 UTC
Build ID: 163dcad72e03e214d842e74d1f71ed025cbdd870, master from last night.

I get a different error now on 2FA: "The specified device is invalid."

The passworded account still connects fine.
Comment 26 David Gerard 2016-06-02 09:57:41 UTC
At this point I'm flummoxed. Are there TDF daily builds (presumably if I pick a particular tinderbox) that have the Google Drive bits compiled in, that I can test with? I *really* want this functionality to be working in 5.2 to the point where I can point coworkers to it and say "this will definitely work for you!"
Comment 27 Commit Notification 2016-06-09 07:57:23 UTC
Szymon Kłos committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=aea4fdb65ace539970e468e77792a377071108b8

tdf#87938 google 2FA fix, new pin code page

It will be available in 5.3.0.
Comment 28 David Gerard 2016-06-09 23:06:47 UTC
Success! I can get into my work 2FA with Build ID: d6a6f587a852ba5c993c658b6b6432a65207f5b7 Version: 5.3.0.0.alpha0+ today's master!
Comment 29 Commit Notification 2016-06-10 07:51:02 UTC
Szymon Kłos committed a patch related to this issue.
It has been pushed to "libreoffice-5-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=90674312290bb8436a3e7b2ea99ada8ca1e73721&h=libreoffice-5-2

tdf#87938 google 2FA fix, new pin code page

It will be available in 5.2.0.1.
Comment 30 Susan Cragin 2016-06-22 16:22:42 UTC
Cannot access remote files on 5.1.4.1
1:5.1.4~rc1-1
Don't know if it's this bug or bug 96174.
Comment 31 Giuseppe Castagno (aka beppec56) 2016-06-25 07:35:23 UTC
(In reply to Susan Cragin from comment #30)
> Cannot access remote files on 5.1.4.1
> 1:5.1.4~rc1-1
> Don't know if it's this bug or bug 96174.

works using 2FA with:

Version: 5.2.0.1
Build ID: fcbcb4963bda8633ba72bd2108ca1e802aad557d
CPU Threads: 8; OS Version: Linux 3.13; UI Render: default; 
Locale: en-US (en_US.UTF-8)
Comment 32 Giuseppe Castagno (aka beppec56) 2016-06-25 07:43:18 UTC
Found fixed in 5.2.0.1
Comment 33 Josh Rose 2016-08-03 23:11:15 UTC
I just updated to 5.2 on Windows 10, and while the Remote Files interface accepts my correct Google password, when the PIN window pops up and I enter the correct PIN code from my authentication app, it then gives me the old "invalid" error. At this point, how can there be so many of us having issues, while it works for others? Is it a firewall issue?! This has yet to ever once work for me, and I REALLY want Google Drive file access in LibreOffice for a more streamlined workflow.

Should the status be changed from "resolved" or am I a lone case of error here?
Comment 34 Caolán McNamara 2016-08-04 07:07:08 UTC
Ah, reopening is a terrible idea. It's not clear that your problem is related to the original problem, which is reported as fixed by many. Please open a new bug specific to your problem.
Comment 35 Commit Notification 2016-08-18 09:09:04 UTC
Yousuf Philips committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=32d160300e7bd51c0f273275a3d8872e55af9ad3

tdf#87938 Add descriptive instructions to 2fa dialog

It will be available in 5.3.0.
Comment 36 Alberto Gaburro 2016-09-12 08:44:16 UTC
Same problem on LibreOffice 5.2.1.2 x64 on Windows 10.

After entering the PIN, I get the error "The specified device is invalid".
So I can't even browse my contents on Google Drive.
Comment 37 peter.ondruska+libreoffice 2017-05-12 10:08:07 UTC
I have tested 64-bit release 5.2.7 (and also 5.2.6) on Windows and macOS and this bug still persists despite being marked as fixed.
Comment 38 Oliver Brinzing 2017-05-14 08:11:44 UTC
Today I tried to connect to Google Drive with LO 5.3.3 (32-bit) on Win10Pro 64-bit
with 2FA, and it worked, but only if I receive the PIN via SMS on my iPhone.
During the initial installation I received 2 PINs.

PIN via the Authenticator app does not work for me either.
Comment 39 Xisco Faulí 2017-07-13 09:53:24 UTC
Setting Assignee back to default. Please assign it back to yourself if you're still working on this issue
Comment 40 Xisco Faulí 2017-09-24 19:57:34 UTC
(In reply to peter.ondruska+libreoffice from comment #37)
> I have tested 64-bit release 5.2.7 (and also 5.2.6) on Windows and macOS and
> this bug still persists despite marked as fixed.

This bug has been in RESOLVED FIXED status for more than 6 months.
If the issue is still reproducible with the latest version of LibreOffice from https://www.libreoffice.org/download/libreoffice-fresh/, please report a new issue in https://bugs.documentfoundation.org/enter_bug.cgi providing, if needed, the steps and documents to reproduce it.
Thanks for your understanding and collaboration.
Closing as RESOLVED FIXED