Since enabling 2-factor authentication (aka. 2-step verification) on Google, my Google export scripts no longer work. The computer is verified and trusted, but somehow the scripts are not. In effect, every time the cron job is run I receive a new "Google verification code" and the script fails. I assume it should be a simple matter to authenticate such scripts once and for all with wget
or curl
, but I couldn't find any documentation for how to do it.
Google authentication schemes have gone through many iterations, and I can no longer seem to log in using curl
or mechanicalsoup
. I've tried using URLs like https://accounts.google.com/ServiceLogin?continue=https://calendar.google.com/calendar/exporticalzip&Email=username@gmail.com&Passwd=application-specific-password
, and I always get redirected to a login page, usually with the message "Please use your account password instead of an application-specific password."
Are you absolutely sure that you want to use 2-factor auth with the shell scripts? If so, you don't need to try to get your computer or script as "trusted". You just do the full 2-factor auth every time you run the script.
If the target is to skip the manual second factor auth, I'd suggest using application-specific password instead (as already suggested by other answers). Just pretend that you're not using 2-factor auth at all and use your real login name but set password to one generated at https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en (subpage of https://www.google.com/settings/security).
The intent is to set Application-specific password "Name" to a value that is meaningful to you. For example, I have passwords labeled "Pidgin at work", "My Android Phone", "Thunderbird Google Address Book Extension at Work" etc. You could have one for "Calendar and Reader Export Script". If you ever believe that this Application-specific password is compromised ("leaked"), just hit the "Revoke" link on the same page and then generate a new password for your script.
For the code, just use the last version that worked with Google single factor auth. Update: because the original question used URL https://accounts.google.com/ServiceLogin
for initiating the session login it's practically faking browser login. However, Google does not officially support this and as I'm writing this, it seems that using application specific password for normal login will end up with error message "Please use your account password instead of an application-specific password".
One thing to understand about the Google 2-factor auth and "trusted computer" is that the actual implementation just adds a permanent cookie with 30 days expiry time to your browser. Trusted computer does not mean your IP address were trusted or some other magical connection were created. Unless your scripts capture the "trusted computer" cookie from your browser of choice, it does not matter at all if you've ever marked your computer as trusted. (The Google form should not say "Remember this computer for 30 days" but "Trust this browser and user account combination for 30 days (save permanent cookie)". However, I guess that was considered too technical...)
Update: (copied from my comment below) The only officially supported method (Server to Server applications) is documented at https://developers.google.com/accounts/docs/OAuth2ServiceAccount. It requires OAuth/JWT encoding the request and using Service Account private key created at https://code.google.com/apis/console. As an alternative you could use ClientLogin authentication (already deprecated, best effort service until 2015).
If you decide to go with OAuth, you might want to look at http://blog.yjl.im/2010/05/bash-oauth.html and https://github.com/oxys-net/curl-oauth
My python scripts stopped sending e-mails, so I generated the application specific password, changed my script utility gmail account (e.g., myscriptutility@gmail.com) to that password and then successfully used that password (e.g. 'applicationpassw') through the following python script fragment (sorry, no complete example).
email = SMTPHandler(mailhost=('smtp.gmail.com',587),
fromaddr='anyaddress@mail.homeserver',
toaddrs=['whoiwanttomailto@gmail.com'],
subject= webSite + ' not working',
credentials=('myscriptutility@gmail.com','applicationpassw'),
secure=())
logger.addHandler(email)
So it appears, at least with python 3.6.5 on Windows 10, that all one needs to do is change to using the sixteen char application specific password on the account and in the application.
Generate an application-specific password. User documentation, developer documentation.
Making application specific passwords works for my scripts, all you do is create the password and then in your script where you have your google accounts password enter in the application specific password instead.
See here for more on application specific passwords:
Application Specific Passwords
Hope this helps !!