How to use Google application-specific password in script?

l0b0 picture l0b0 · Apr 21, 2012 · Viewed 8.2k times · Source

Since enabling 2-factor authentication (aka. 2-step verification) on Google, my Google export scripts no longer work. The computer is verified and trusted, but somehow the scripts are not. In effect, every time the cron job is run I receive a new "Google verification code" and the script fails. I assume it should be a simple matter to authenticate such scripts once and for all with wget or curl, but I couldn't find any documentation for how to do it.


Google authentication schemes have gone through many iterations, and I can no longer seem to log in using curl or mechanicalsoup. I've tried using URLs like https://accounts.google.com/ServiceLogin?continue=https://calendar.google.com/calendar/exporticalzip&[email protected]&Passwd=application-specific-password, and I always get redirected to a login page, usually with the message "Please use your account password instead of an application-specific password."

Answer

Mikko Rantalainen picture Mikko Rantalainen · Jul 9, 2012

Are you absolutely sure that you want to use 2-factor auth with the shell scripts? If so, you don't need to try to get your computer or script as "trusted". You just do the full 2-factor auth every time you run the script.

If the target is to skip the manual second factor auth, I'd suggest using application-specific password instead (as already suggested by other answers). Just pretend that you're not using 2-factor auth at all and use your real login name but set password to one generated at https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en (subpage of https://www.google.com/settings/security).

The intent is to set Application-specific password "Name" to a value that is meaningful to you. For example, I have passwords labeled "Pidgin at work", "My Android Phone", "Thunderbird Google Address Book Extension at Work" etc. You could have one for "Calendar and Reader Export Script". If you ever believe that this Application-specific password is compromised ("leaked"), just hit the "Revoke" link on the same page and then generate a new password for your script.

For the code, just use the last version that worked with Google single factor auth. Update: because the original question used URL https://accounts.google.com/ServiceLogin for initiating the session login it's practically faking browser login. However, Google does not officially support this and as I'm writing this, it seems that using application specific password for normal login will end up with error message "Please use your account password instead of an application-specific password".

One thing to understand about the Google 2-factor auth and "trusted computer" is that the actual implementation just adds a permanent cookie with 30 days expiry time to your browser. Trusted computer does not mean your IP address were trusted or some other magical connection were created. Unless your scripts capture the "trusted computer" cookie from your browser of choice, it does not matter at all if you've ever marked your computer as trusted. (The Google form should not say "Remember this computer for 30 days" but "Trust this browser and user account combination for 30 days (save permanent cookie)". However, I guess that was considered too technical...)

Update: (copied from my comment below) The only officially supported method (Server to Server applications) is documented at https://developers.google.com/accounts/docs/OAuth2ServiceAccount. It requires OAuth/JWT encoding the request and using Service Account private key created at https://code.google.com/apis/console. As an alternative you could use ClientLogin authentication (already deprecated, best effort service until 2015).

If you decide to go with OAuth, you might want to look at http://blog.yjl.im/2010/05/bash-oauth.html and https://github.com/oxys-net/curl-oauth