totally a non issue, but not sure where else to ask about acd_cli HOT 70 CLOSED

No this is the right place and it's something on my mind as well. I'm sure once we know if AWS will grant us another key we will start making preparations but first we need another key. They might even ask to see our Auth code first which as of right now does not exist.

from acd_cli.

I could be wrong here, but my understanding is that there was an issue with appspot (the authentication) not acdcli itself. Shouldn't using your own security profile should resolve the issue?

EDIT:
Just had a read through this and the consensuses seems to be that you can't create your own security profile. This isn't accurate.

I'm making some instructions now.

from acd_cli.

1. Navigate to: https://developer.amazon.com/
2. Sign in.
3. Click 'Apps & Services' (at the top beside the 'dashboard' button)
4. 'Security Profiles' (at the top on the new menu that appears below 'Apps & Services')
5. Create new security profile.
6. Give it a name and description, this isn't important it only for your use.
7. Click on 'Login with Amazon' (at the top in the same menu as step 4)
8. Select your security profile from the drop down and click 'Confirm'
9. Fill out the information, this again doesn't matter as only you are using it. (http://localhost.com/index.html is what I used for this example)
10. Hover over the new profile and click the 'settings cog' to the far right and click 'Web Settings'
11. Enter your allowed origins and return URL (localhost for both).
12. ?????
13. Profit!

from acd_cli.

@hjone72 You can make a security profile sure, but you can't attach it to ACD because the API is closed. The appspot was from the original Repo owner who had an ACD API key, which has now been revoked.

from acd_cli.

@shadycuz, Mine is still currently working. Will it just eventually stop? or can new people not authorize it? I'm still not sure what the problem is?

from acd_cli.

@hjone72 You are still using acdcli? What happens when you run acdcli sync

from acd_cli.

it worked.

Getting changes......
Inserting nodes........

from acd_cli.

hmm, most likely your token just hasn't expired yet.

from acd_cli.

I just deleted my oauth_data and ran a sync. It then allowed me to reauth. It is still working.

from acd_cli.

@shadycuz, have you got your own security profile? At what point do you get an error and what is the error?

from acd_cli.

I created a security profile yes but was unable to attach it to anything as the ACD API is closed.

from acd_cli.

follow the steps above... it will link the missing step ;)

from acd_cli.

The API isn't closed, Amazon's new API is invite only. ACD_CLI is built using the older API.

from acd_cli.

hmm I am working on recreating your steps, will post back soon.

from acd_cli.

@hjone72 I get errors, invalid scope and unable to connect to remote host...

from acd_cli.

at which point?

from acd_cli.

when I run acd_cli sync and it opens a browser for me to login to amazon.

from acd_cli.

Yeah... Once you login it should display a url that looks like "http://localhost/?code=ANWsWiAXhKsRzxREZxWv&scope=clouddrive%3Aread_all+clouddrive%3Awrite"

from acd_cli.

It doesn't allow me to log in, I believe one issue is I'm on a headless server using Lync

from acd_cli.

Step 11 did you use localhost? or http://localhost

from acd_cli.

Yup in step 11 I used http://localhost for both.

Rather than logging in using that interface, quit it. The app will display a message A window will have opened at https://amazon.com/ap/oa?redirect_uri=http%3A%2F%2Flocalhost&client_id=amzn1.application-oa2-client.4137asdfaae37b46asdf9c894dca0031c8ac&scope=clouddrive%3Aread_all+clouddrive%3Awrite&response_type=code
Copy that URL into a browser on a computer with a web browser. After you login, you'll be redirected to "localhost somethign something" as stated above.

from acd_cli.

When I paste that in I get, redirected to http://localhost/?error_description=An+unknown+scope+was+requested&error=invalid_scope

from acd_cli.

yeah. Copy that url (the entire URL) and paste it into your terminal window which should say "Please log in or accept and enter the URL you have been redirected to:"

from acd_cli.

Did the acdcli GitHub just get removed?

from acd_cli.

no its up for me

from acd_cli.

invalid_scope is not a valid redirect url

from acd_cli.

I tried changing:

scope=clouddrive%3Aread_all+clouddrive%3Awrite&response_type=code

to

scope=clouddrive%3Aread_all%20clouddrive%3Awrite&response_type=code

per previous threads. still not getting redirected to my code. just getting a connection refused at this point.

from acd_cli.

It's back. It was 403ing.

from acd_cli.

@hjone72

My link looked like this https://amazon.com/ap/oa?scope=clouddrive%3Aread_all+clouddrive%3Awrite&client_id=amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxx&response_type=code&redirect_uri=http%3A%2F%2Flocalhost

after taking out the redirect part I still get error

from acd_cli.

I'm a little confused. @hjone72 after step 11, do I need to download the security profile somehow and save it where my oauth file is? If so, how do I download it?

from acd_cli.

@hjone72

redid it and this exactly what ACD gave me...

A window will have opened at https://amazon.com/ap/oa?response_type=code&scope=clouddrive%3Aread_all+clouddrive%3Awrite&client_id=amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxx&redirect_uri=http%3A%2F%2Flocalhost

from acd_cli.

@hjone72 Error page i get.

from acd_cli.

I'm just trying to recreate your issue. One moment please

from acd_cli.

@hjone72

If I keep the redirect it redirects me to http://localhost/?error_description=An+unknown+scope+was+requested&error=invalid_scope

from acd_cli.

@hjone72

and

and

thanks for helping me with this.

from acd_cli.

I'm having the same exact issue as @shadycuz

from acd_cli.

This could be the sticking point. You need to whitelist your application, and I don't think you can do that without invite anymore. If you already have a whitelisted security profile you're in the clear. If you don't you are out of luck. Sorry guys.

from acd_cli.

@hjone72 That was what I was trying to tell you earlier, that its not open to the public anymore

from acd_cli.

how can you tell if your app is whitelisted?

from acd_cli.

You would know, because you would have set it up a while ago.

from acd_cli.

I did. Sept 2016. But is there a way to confirm?

from acd_cli.

follow the steps on this thread and here https://acd-cli.readthedocs.io/en/latest/authorization.html

from acd_cli.

Yeah, sorry I miss understood where you were having the issue. Still we may be able to get it going using an already whitelisted profile... ?

from acd_cli.

Yes, you could get the acd_cli auth code, fix it and then host your own tensile.appspot for everyone else to replace the broken one yadayayaya had hosted.

@bgemmill

from acd_cli.

Really the auth code should be changed to not use an intermediate server at all..... I don't think rclone uses one.... A client should be the only one talking to ACD to get a token.

from acd_cli.

@calisro the rclone implementation is not perfect either. It might be better but such things have yet to be looked at. It makes a good point.

See https://forums.developer.amazon.com/questions/22091/client-secret-in-open-source-apps.html#answer-22097

from acd_cli.

Yes I know. But from a client perspective it is not secure in that there isn't a third party which could intercept tokens. Having an intermediate isn't good.

from acd_cli.

But this third party was/is the application owner, if you are not comfortable with his auth service are you not comfortable with his app being installed on your computer?

from acd_cli.

It is different. I can compile and read the source. I know exactly what it is doing. Only I can access my data. Once an intermediate is used, tokens can be mishandled or leaked or worse. If the auth is on my own client it cannot be leaked and my data be exposed which is exactly what had happened here.

Why would I have to trust the app owner in an open source setting?

from acd_cli.

Right... which is why I proposed if we bring it back up online, we opensource the auth portion as well.

yadayada#562 (comment)

from acd_cli.

There is no way to verify the code being published is the code being used and there is no way for a client to know that server wasnt breached. That's why an intermediate server is a bad idea (again). I realize that is the quickest way to get up and running and maybe short term but the auth really needs to be moved to the client.

from acd_cli.

You are more than welcome to open a new issue, proposing that we bring authentication to the client side, or do it yourself and submit a PR. But were pulling the cart before the horse, in fact the horse has yet to be born.

from acd_cli.

@shadycuz I get that.

from acd_cli.

Sent this.

Hi.

We seemed to have located and fixed the problematic code, and with regard to the missing project owner, the community would like to fork the project and host the authenticator proxy (not using the current appspot proxy).

We would like to grant access to the ACD API so that we can do it. Thanks.

from acd_cli.

@hjone72 Looks like getting acdcli back up is going to take someone volunteering a good security id and secret. Plugging that into acdcli in a proxy-less way seems very straightforward, with the caveat that the actual owner of that key will now be the front person for all interactions with amazon in relation to that key.

from acd_cli.

from acd_cli.

@bgemmill, Happy to help however I can. If I were to give someone my security profile, i'd prefer it not be publicly knowledge though.

from acd_cli.

@hjone72 It's not publicly identifying if that's the concern, it's more that Amazon would know it was yours. Understandable if you want to keep it private; I'm pretty sure that's how we ended up with a proxy in the first place.

I wouldn't mind being the front person since I'm a maintainer, but my security profile isn't white-listed.

@shadycuz until the problem is fixed, it's not fixed :-)

from acd_cli.

@bgemmill, I've actually got 3 whitelisted profiles. Happy to help out with this 😄

from acd_cli.

@hjone72 that would be really great. We all would really appreciate it.

Very off topic, but noticed you own PlexAuth repo...awesome app.

from acd_cli.

@joebeem,
Thanks! 😄

I've been in contact with @bgemmill and support his decision with how the keys should be handled moving forward.

from acd_cli.

I saw someone mention extracting tokens from the desktop apps in one of the various issues/pr/threads and thought it sounded like a fun project.

This gist is a proof of concept of decrypting the refresh-token the Amazon Drive app saves to disk and using it to request a bearer token.

I've only tested it on OS X but I assume the other versions would work the same - why use Xamarin if it's not going to at least be the same?

I haven't modified acd_cli to accept this token (assuming the token even works without additional hoops to jump through) but thought I'd stick it up here in case anyone else wants to play with it.

from acd_cli.

@cs2dsb great way to get your account banned. Good luck!

from acd_cli.

@calisro because it's against some T&C or just a guess?

from acd_cli.

@cs2dsb extracting and using someone else's tokens? Just an educated guess that Amazon might not appreciate that.

from acd_cli.

@calisro could well be. But the token is issued to me to upload my files to my account and that's all I can do with them, it makes no appreciable difference to them as long as I'm not sharing the tokens around and uploading petabytes of trash - and if I wanted to do that there's nothing to stop me installing their app a bunch of times in different places. It's obviously a grey area and I'm willing to take the risk because without acd_cli my backup will never finish and the data I've got in there will be trash :). I might test the water by trying to publish an app through their store that just keeps an oauth token current on your machine for uploading files via curl or whatever.
Edit: I didn't realise app submissions were currently closed to new developers. Oh well :(

from acd_cli.

You won't be using Rclones method of auth... https://twitter.com/njcw/status/865846847264497664

He has to switch to an auth service just like acd_cli uses.

from acd_cli.

For those still following this ticket, I have an auth proxy server up and running. Before that goes live I'm checking with @yadayada to see if he's going to do a more official one. We don't want to fragment into two auth systems.

from acd_cli.

I'm still having strange issues, but I will be able to tell whether my profiles work on Google's Compute Engine by tomorrow.

from acd_cli.

Yadayada's version is back, and I'm working on property recovery before this fork goes live again.

from acd_cli.