Google auth plugin

rastaliev · October 23, 2019, 7:10am

Hi everybody,

We have two e-journals: https://jfs.today and https://galacticamedia.com

We would like to enable users to register on sites using Google accounts. Are there similar plugins for OJS 3.1?

Or is it forbidden?

Something like this, I could not find anywhere…

Thank you very much

ctgraham · October 24, 2019, 7:19pm

We started development in that direction in a Sprint some time ago, but we were thinking that OAuth would be needed for third-parties like ORCiD and Google and Microsoft, etc.

For authorization providers other than ORCiD, it turns out that OpenID is the better direction.

I’m not aware of an existing plugin, but it would probably look similar to the early development from that Sprint (GitHub - ulsdevteam/pkp-oauth: OAuth plugin for the Public Knowlege Project suite of products.), but would be built around OpenID rather than OAuth.

douglas_bruey · December 17, 2019, 3:01pm

Hello,

I am using Gmail with OJS 3 right now, but I received an email from Google with this title.

“Starting February 15, 2021, G Suite accounts will only allow access to apps using OAuth. Password-based access will no longer be supported.”

It looks like no new “Less Secure Apps” (LSA) connections will be allowed after June, 15th 2020, and existing LSA connections will be disabled February 15th, 2021. (Full text below.)

They say: “For any other LSA, ask the developer of the app you are using to start supporting OAuth.”

I see the OAuth plugin that was started in 2015, but I am wondering if there is a current solution for connecting to Gmail via OAuth.

Thanks!

Full text of message from Google…

Dear Administrator,

We’re constantly working to improve the security of your organization’s Google accounts. As part of this effort, and in consideration of the current threat landscape, we’ll be turning off access to less secure apps (LSA) — non-Google apps that can access your Google account with only a username and password, without requiring any additional verification steps. Access through only a username and password makes your account more vulnerable to hijacking attempts. Moving forward, only apps that support a more modern and secure access method called OAuth will be able to access your G Suite account.

Access to LSAs will be turned off in two stages:

June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off.

February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.

What do I need to do?
To continue using a specific app with your G Suite accounts, users in your organization must switch to a more secure type of access called OAuth. This connection method allows apps to access accounts with a digital key instead of requiring a user to reveal their username and password. We recommend that you share the user instructions (included below) with individuals in your organization to help them make the necessary changes. Alternatively, if your organization is using custom tools, you can ask the developer of the tool to update it to use OAuth. Developer instructions are also included below.

MDM configuration
If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:

June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users.

February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth.

Other less secure apps
For any other LSA, ask the developer of the app you are using to start supporting OAuth.
If you use other apps on iOS or MacOS that access your G Suite account information through only a password, most access issues can be resolved by removing then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth.

ctgraham · December 17, 2019, 3:19pm

There are two different contexts for OAuth here. The original purpose of this thread and the OAuth plugin was to use OAuth on behalf of the user for authentication.

The update by Google here describes using OAuth for connecting tooling on behalf of the administrator.

This message from Google should become an issue in GitHub, as we will need to plan for development on this. Can you post it there? If not, I can.

douglas_bruey · December 18, 2019, 11:52pm

Hello @ctgraham,

I have created a GitHub issue for this feature request.

github.com/pkp/pkp-lib

OAuth for Gmail Access

opened 11:50PM - 18 Dec 19 UTC

closed 07:08PM - 17 Feb 21 UTC

brueyd

Enhancement

**Describe the problem you would like to solve** Starting February 15, 2021, G …Suite accounts will only allow access to apps using OAuth. Password-based access will no longer be supported. **Describe the solution you'd like** An OAuth plugin for connecting to Gmail **Who is asking for this feature?** System administrators that currently use Gmail SMTP and connect OJS as a "Less Secure App" to Gmail accounts for sending email notifications. **Additional information** Here is the complete text from the G Suite notification email... Dear Administrator, We’re constantly working to improve the security of your organization’s Google accounts. As part of this effort, and in consideration of the current threat landscape, we’ll be turning off access to less secure apps (LSA) — non-Google apps that can access your Google account with only a username and password, without requiring any additional verification steps. Access through only a username and password makes your account more vulnerable to hijacking attempts. Moving forward, only apps that support a more modern and secure access method called OAuth will be able to access your G Suite account. Access to LSAs will be turned off in two stages: June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts. What do I need to do? To continue using a specific app with your G Suite accounts, users in your organization must switch to a more secure type of access called OAuth. This connection method allows apps to access accounts with a digital key instead of requiring a user to reveal their username and password. We recommend that you share the user instructions (included below) with individuals in your organization to help them make the necessary changes. Alternatively, if your organization is using custom tools, you can ask the developer of the tool to update it to use OAuth. Developer instructions are also included below. MDM configuration If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below: June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users. February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. Other less secure apps **For any other LSA, ask the developer of the app you are using to start supporting OAuth.** If you use other apps on iOS or MacOS that access your G Suite account information through only a password, most access issues can be resolved by removing then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth.

Thanks,
Doug