Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Google set to limit Chromium usage of Google APIs #110245

Closed
danielfullmer opened this issue Jan 21, 2021 · 6 comments · Fixed by #114977
Closed

Google set to limit Chromium usage of Google APIs #110245

danielfullmer opened this issue Jan 21, 2021 · 6 comments · Fixed by #114977
Labels
9.needs: maintainer feedback

Comments

@danielfullmer
Copy link
Contributor

danielfullmer commented Jan 21, 2021
edited
Loading

In this blog post [1], Google states that after March 15, 2021, they will be limiting access to various Google APIs that they are now describing as "private" and "only intended for Google's use". The most notable of this apparently includes "Chrome sync" which allows syncing bookmarks / browser history / etc. across multiple browsers logged-in to a given Google account.

Additionally, emails [2] have been sent out to chromium maintainers from other Linux distros stating that users of their chromium-based browser will no longer be able to sign in to their Google accounts. They recommend these chromium-based browsers remove google_default_client_id and google_default_client_secret from the build configuration, or alternatively, set --allow-browser-signin=false at startup.

@edolstra Did we get a similar email as the one shown in [2]?

[1] https://blog.chromium.org/2021/01/limiting-private-api-availability-in.html
[2] https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/m/HdoGEO0qCwAJ

CC @primeos @thefloweringash @bendlas
@danielfullmer danielfullmer added 0.kind: bug Something is broken 9.needs: maintainer feedback and removed 0.kind: bug Something is broken labels Jan 21, 2021
@samueldr
Copy link
Member

samueldr commented Jan 22, 2021
edited
Loading

Further discussion

With actual "answer"

edit looks like this was cross-posted across two lists... I was confused by the interface... the content was already in the previous link.

Basically, unless Google backtracks, the API key will become unusable for a distro-level deployment. We could continue providing the derivation, with bring-your-own API keys. This would be expensive to build for end-users.

I wonder if the keys are trivially replaceable in the resulting binary though. If they are, we could produce prebuilt unusable binaries, and let users "finish" the build with their own keys.

edit: The archlinux devs state that environment variables can be used for those.

Pinging @jonringer and @worldofpeace as we probably will have to apply the same resolution to 20.09.

@samueldr
Copy link
Member

Some will poo-poo the thought because "not FLOSS" and similar ideologies, let's think about end-users first here.

We're smaller than those distros, but if there's a common front to talk with Google about it, we should participate or approve of such a front.

This will end-up hurting a part of our end-users.

@jonringer
Copy link
Contributor

Personally, I don't use chrome. Google does, what google wants.

I don't think we have much of a choice, and will just provide what we can. I'm sure users will be aware that the limitation exists regardless of platform.

@danielfullmer
Copy link
Contributor Author

danielfullmer commented Jan 22, 2021
edited
Loading

Yes, we should be able to pass these API keys from the environment instead of baking them in. From https://www.chromium.org/developers/how-tos/api-keys

Providing Keys at Runtime

If you prefer, you can build a Chromium binary (or use a pre-built Chromium binary) without API keys baked in, and instead provide them at runtime. To do so, set the environment variables GOOGLE_API_KEY, GOOGLE_DEFAULT_CLIENT_ID and GOOGLE_DEFAULT_CLIENT_SECRET to your "API key", "Client ID" and "Client secret" values respectively.

(This of course doesn't change anything about our API keys becoming unusable after March 15, 2021)

@danielfullmer
Copy link
Contributor Author

Quoting a couple lines here from the email thread, since it was initially unclear to me exactly which keys we needed to remove:

The change we announced impacts the ability to "Sign into Chrome" and consequently first party features that depend on being signed into Chrome. This does not include Safe Browsing, which doesn't depend on being signed into Chrome, and is available to third parties for non-commercial use (cf https://developers.google.com/safe-browsing).

and

This is a (partial) list of APIs Chrome depends on, including APIs available to third parties. The changes we announced affect the OAuth 2.0 client id and secret which are used for signing into Chrome, not the API key.

So, we'll just need to remove google_default_client_id and google_default_client_secret, but not google_api_key from our builds.

primeos added a commit to primeos/nixpkgs that referenced this issue Mar 3, 2021
@primeos
chromium: Remove google_default_client_{id,secret}
dc9f2c5 
Reason: Google is limiting access to their private Chrome APIs starting
on March 15, 2021 [0]. Closes NixOS#110245.

From the mailing list thread [1]:
"The changes we announced affect the OAuth 2.0 client id and secret
which are used for signing into Chrome, not the API key."
"To avoid using that API, it's sufficient to either not set the OAuth
2.0 credentials, or disabling the Google signin integration" (e.g. by
passing the flag --allow-browser-signin=false)

[0]: https://blog.chromium.org/2021/01/limiting-private-api-availability-in.html
[1]: https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/
@primeos primeos mentioned this issue Mar 3, 2021
Merged
10 tasks
@primeos
Copy link
Member

primeos commented Mar 3, 2021

I drafted a PR: #114977. Feedback is welcome (I lost track of this for a bit).
Thanks for this issue btw :)

@primeos primeos mentioned this issue Mar 3, 2021
Closed
primeos added a commit to primeos/nixpkgs that referenced this issue Mar 6, 2021
@primeos
chromium: Remove google_default_client_{id,secret}
7895284 
Reason: Google is limiting access to their private Chrome APIs starting
on March 15, 2021 [0]. Closes NixOS#110245.

From the mailing list thread [1]:
"The changes we announced affect the OAuth 2.0 client id and secret
which are used for signing into Chrome, not the API key."
"To avoid using that API, it's sufficient to either not set the OAuth
2.0 credentials, or disabling the Google signin integration" (e.g. by
passing the flag --allow-browser-signin=false)

[0]: https://blog.chromium.org/2021/01/limiting-private-api-availability-in.html
[1]: https://groups.google.com/a/chromium.org/g/chromium-packagers/c/SG6jnsP4pWM/

(cherry picked from commit dc9f2c5)
@8573 8573 mentioned this issue Mar 16, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
9.needs: maintainer feedback
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chromium: Remove google_default_client_{id,secret} primeos/nixpkgs
4 participants
@samueldr @danielfullmer @primeos @jonringer