
Two-Factor Authentication on Custom Domain

Open RunBoris opened this issue 9 years ago • 3 comments

The folks over at Necrobot suggested forwarding this to you...

On custom domains (work, university, etc) that use Google, if the account has two-factor enabled the login error loops. This does not happen on regular Gmail accounts.

Typing the Google account password results in the two-factor error message. Typing an incorrect app-specific password results in an incorrect password error. Typing the correct app-specific password just loops an error.


RunBoris avatar Aug 02 '16 21:08 RunBoris

I don't know which version of the API Necrobot uses, but I'm sure they use a version where the double auth is not implemented:

`Login.cs` l31:

```csharp
_client.AuthToken = GoogleLoginGPSOAuth.DoLogin(username, password);
```

`GoogleLoginGPSOAuth.cs` l24:

```csharp
//Todo: captcha/2fa implementation
if(!response.ContainsKey("Auth")) throw new GoogleOfflineException();
```

Maybe try to uncomment the previous auth in `Login.cs` l39.

Megurine avatar Aug 03 '16 07:08 Megurine

When the GPSOAuthClient tries to PerformMasterLogin(), it receives the following response (in my case there is a link to the single sign-on webpage of my university):

```
{[Error, NeedsBrowser]}, {[Url, https://glogin.ku.edu.tr/sso/?SAMLRequest]}, {[ErrorDetail, To access your account, you must sign in on the web. Touch Next to start browser sign-in.]}
```

So under normal circumstances, i.e. you wanna login to your gmail, after you enter your credentials to the gmail sign-in page, it forwards you to that given page with some specific parameters I believe, called a "SAMLRequest", this request is created by the gmail sign-in system. Here is an example request:

```
SAMLRequest=fVJNTxsxEL1X6n+wfN+vIFXUyi5KQaiRgK7IwqE3451kndiercdO2n9fZwMCDnB98/w+xjO/+GsN24Mnja7mVV5yBk5hr92m5g/ddXbOL5qvX+YkrRnFIobB3cOfCBRYeulITIOaR+8EStIknLRAIiixWtzeiFleitFjQIWGs+VVzY3djfJJWr0b3HY3rEelAe2wRelGjb0CqzFNtpw9vsSaHWMtiSIsHQXpQoLK6ltWnmflWVd+F1UlZme/OWufnX5od2rwWaynE4nEz65rs/bXqpsE9roHf5fYNd8gbgzkCu3RvpVEep/gtTQEnC2IwIcU8BIdRQt+BX6vFTzc39R8CGEkURSHwyF/lSlksYs59DEPvpCKeDMtVkzd/JuNfp5cvjjz5lV7XryRap4/7NhjedWi0eofWxiDh0sPMqQSwcfU4Rq9leFjtyqvJkT32XqiiuhoBKXXGnrOiubk+v4y0r38Bw==&RelayState=https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&osid=1&service=mail&ss=1&ltmpl=default HTTP/1.1
```

With that request you reach your own institution's sign-in system, and after you post the form on that page, it redirects you to another page, in my case it was "index2.php". That page has a long hidden content called "SAMLResponse" with a good many key values in itself, and it automatically forwards itself to another Google-side webpage, again in my case "https://www.google.com/a/ku.edu.tr/acs". After a few more forwards from different locations, you reach the URL that you have given in the last parameter of your SAMLRequest.

Basically, this is how this Google SSO stuff works as far as I've traced. If I get to find some more spare time I am planning to get into more details of this Google SSO login system, but no promises...

bigahega avatar Aug 03 '16 11:08 bigahega
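
What a `SAMLRequest` parameter like the one in the comment above carries, as an added example that is not part of the original thread or the project's code: under SAML's HTTP-Redirect binding the AuthnRequest XML is raw-DEFLATE-compressed, base64-encoded and URL-encoded, so an inspector has to undo all three. The request, host names and RelayState below are constructed placeholders, and the function names are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML_BYTES = 64 * 1024  # cap on inflated size, guards against deflate bombs

# Constructed AuthnRequest; every name and URL in it is a placeholder.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id-1" '
    'Version="2.0" IssueInstant="2016-08-03T11:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>sp.example.test</saml:Issuer></samlp:AuthnRequest>'
)

def build_redirect_url(idp_sso_url, xml_text, relay_state):
    """Sender side: raw DEFLATE, base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                       "RelayState": relay_state})
    return idp_sso_url + "?" + query

def decode_redirect_url(url):
    """Inspector side: undo the three encodings and pull out the key fields."""
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("URL carries no SAMLRequest parameter")
    deflated = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)  # negative wbits: raw DEFLATE, no header
    xml_bytes = inflater.decompress(deflated, MAX_XML_BYTES + 1)
    if len(xml_bytes) > MAX_XML_BYTES:
        raise ValueError("inflated SAMLRequest exceeds size cap")
    # Simple guard for untrusted XML; defusedxml is the usual library choice.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in SAMLRequest")
    root = ET.fromstring(xml_bytes)
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext("{%s}Issuer" % SAML_ASSERTION_NS),
        "relay_state": params.get("RelayState", [None])[0],
    }

if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.test/sso/", SAMPLE_XML,
                             "https://sp.example.test/continue")
    print(decode_redirect_url(url))
```

The `acs_url` and `relay_state` fields correspond to the two destinations the comment traces: the service-provider endpoint that receives the `SAMLResponse`, and the URL the browser finally lands on.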

In my particular case I own my own domain and have Google Apps for it. I do not have a separate/proprietary sign on process.

I have various other devices (such as my router and DynDNS) using app-specific passwords successfully.


RunBoris avatar Aug 03 '16 12:08 RunBoris