Google OAuth Test Tokens Expire Weekly

I know I have a lot to learn about network security, acronyms like CORS and CSRF are just a start. Another name I’ve come across is OAuth, which looked very complicated. Some critics say its complexity was by design, cynically describing OAuth as a system designed by enterprise security consultants to sell more consulting services. I don’t know how true that is, but just from touching its edge I can confirm it is even more complicated than it looked.

My introduction was via Home Assistant, which was primarily designed to keep everything in my home and would have no need for OAuth. Pragmatically, though, it also makes effort to connect to cloud-based services, even though that is no longer keeping everything in my home. In order to connect to Google/Amazon/etc. there needs to be an internet-accessible entry point to a Home Assistant instance. It’s possible to do everything ourselves, but the easier way is to pay Nabu Casa for a Home Assistant Cloud account to bridge between public internet and private home network. Such payment also supports development of Home Assistant, which I’m happy to do.

My first test for Home Assistant Cloud was to connect to my Nest thermostat. Home Assistant has an integration for Google Nest, and it was implemented in a way to leave a lot of control in the user’s hands. Instead of something that suspiciously sucks up our Google credentials, we get instructions on how to use our own Google credentials to grant very specific and narrow access to Home Assistant Cloud. The upside is that Nabu Casa doesn’t get to say how that access is granted. The downside is that we have to deal with everything ourselves, and that meant dealing with OAuth.

Following instructions for integration setup means setting up a Google developer account and logging into our Google Cloud services console to set up a new project to communicate with Home Assistant. This is not very user-friendly but reflects the developer-oriented origins of Home Assistant. One of the steps told us to “Publish App” because if we don’t, the project status will stay “Testing”. “Make sure the status is not Testing, or you will get logged out every 7 days.

When I click “Publish App” I was told my app requires verification which requires:

  1. An official link to your app’s Privacy Policy
  2. A YouTube video showing how you plan to use the Google user data you get from scopes
  3. A written explanation telling Google why you need access to sensitive and/or restricted user data
  4. All your domains verified in Google Search Console

A privacy policy? A YouTube video? A written explanation for Google? I didn’t want to do all that just to access my Nest thermostat from Home Assistant! Google OAuth API Verification is a whole bag of worms, even their FAQ page is a long slog of a read.

So, I bailed.

But this meant my Home Assistant OAuth token expires after a week. (“A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of “Testing” is issued a refresh token expiring in 7 days.“) After that, I would have to manually renew it. This is far from ideal, and a poor first impression for working with OAuth. Maybe I’ll be less hostile to OAuth once I get some experience with it, but this first impression certainly doesn’t motivate me to do that anytime soon.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s