Replace deprecated Google OAuth OOB flow (#12602)

This replaces the deprecated OOB OAuth flow used in the Nest Binding and Google TTS add-ons. Instead they will now use https://www.google.com as redirect_uri. The instructions in the README and config descriptions have been updated for this change. See: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#disallowed-oob Fixes #12455 Signed-off-by: Wouter Born <github@maindrain.net>
2025-01-10 07:02:02 +01:00 · 2022-04-12 22:39:10 +02:00 · 2022-04-12 22:39:10 +02:00 · 68f9c13719
commit 68f9c13719
parent 765b98c203
9 changed files with 38 additions and 34 deletions
--- a/bundles/org.openhab.binding.nest/README.md
+++ b/bundles/org.openhab.binding.nest/README.md
@ -67,8 +67,9 @@ Now an OAuth 2.0 client is created and configured for using the SDM API by the b
 1. Create a new client on the "Credentials" page ([APIs & Services > Credentials](https://console.cloud.google.com/apis/credentials)):
    1. Click the "Create Credentials" button at the top of the page
    1. Choose "OAuth client ID"
-    1. As "Application type" choose "TVs and Limited Input devices"
+    1. As "Application type" choose "Web application"
    1. Give it a name so you can remember what it is used for (e.g. `Nest Binding SDM`)
    1. Add "https://www.google.com" to the "Authorized redirect URIs"
    1. Click "Create" to create the client
    1. Copy and save the generated **Client ID** (e.g. `1046297811237-3f5sj4ccfubit0fum027ral82jgffsd1.apps.googleusercontent.com`) and **Client Secret** (e.g. `726kcU-d1W4RXxEJA79oZ0oG`) somewhere
 1. Configure the SDM project to use the created client:
@ -88,19 +89,19 @@ Finally, an SDM Account Thing can be created to access the SDM project using the
 1. Create an authorization code for the binding:
    1. Replace the **Project ID** and **Client ID** in the URL below with your SDM Project ID and SDM OAuth 2.0 Client ID and open the URL in a new browser tab:
-       `https://nestservices.google.com/partnerconnections/<ProjectID>/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&prompt=consent&client_id=<ClientID>&response_type=code&scope=https://www.googleapis.com/auth/sdm.service`
+       `https://nestservices.google.com/partnerconnections/<ProjectID>/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<ClientID>`
       For the example values used so far this is:
-       `https://nestservices.google.com/partnerconnections/585de72e-968c-435c-b16a-31d1d3f76833/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&prompt=consent&client_id=1046297811237-3f5sj4ccfubit0fum027ral82jgffsd1.apps.googleusercontent.com&response_type=code&scope=https://www.googleapis.com/auth/sdm.service`
+       `https://nestservices.google.com/partnerconnections/585de72e-968c-435c-b16a-31d1d3f76833/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=1046297811237-3f5sj4ccfubit0fum027ral82jgffsd1.apps.googleusercontent.com`
    1. Enable all the permissions you want to use with the binding and click "Next" to continue
    1. Login using your Google account when prompted
    1. On the "Google hasn't verified this app" page, click on "Advanced"
    1. Then click on "Go to ... (advanced)"
    1. Now "Allow" the SDM permissions and confirm your choices again by clicking "Allow"
-    1. Next the "Sign in" page will show the **Authorization Code**
+    1. After your browser has been redirected to https://www.google.com, the **Authorization Code** will be set in the browser URL as value of the "code" URL query parameter
    1. Copy/paste the **Authorization Code** to the SDM group parameter in the openHAB Nest SDM Account Thing configuration
-1. All required SDM Account Thing configuration parameters have now been entered so create it by clicking "Create Thing".
+1. All required SDM Account Thing configuration parameters have now been entered so create it by clicking "Create Thing"
 The SDM Account Thing should now be ONLINE and have as status description "Using periodic refresh".
 It should also be possible to use the configured account to discover your Nest devices via the Inbox.
@ -134,8 +135,9 @@ Next an OAuth 2.0 client is created which is used to create a Pub/Sub subscripti
 1. Open the "Credentials" page ([APIs & Services > Credentials](https://console.cloud.google.com/apis/credentials)):
 1. Click the "Create Credentials" button at the top of the page
 1. Choose "OAuth client ID"
-1. As "Application type" choose "TVs and Limited Input devices"
+1. As "Application type" choose "Web application"
 1. Give it a name so you can remember what it is used for (e.g. `Nest Binding Pub/Sub`)
 1. Add "https://www.google.com" to the "Authorized redirect URIs"
 1. Click "Create" to create the client
 1. Copy and save the generated **Client ID** (e.g. `1046297811237-lg27h26kln6r1nbg54jpg6nfjg6h4b3n.apps.googleusercontent.com`) and **Client Secret** (e.g. `1-k78-XcHhp_gdZF-I6JaIHp`) somewhere
@ -151,18 +153,18 @@ Finally, the existing SDM Account Thing can be updated so it can subscribe to SD
 1. Create an authorization code for the binding:
    1. Replace the **Client ID** in the URL below with your Pub/Sub OAuth 2.0 Client ID and open the URL in a new browser tab:
-       `https://accounts.google.com/o/oauth2/auth?client_id=<ClientID>&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=https://www.googleapis.com/auth/pubsub`
+       `https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<ClientID>`
       For the example client this is:
-       `https://accounts.google.com/o/oauth2/auth?client_id=1046297811237-lg27h26kln6r1nbg54jpg6nfjg6h4b3n.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=https://www.googleapis.com/auth/pubsub`
+       `https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=1046297811237-lg27h26kln6r1nbg54jpg6nfjg6h4b3n.apps.googleusercontent.com`
    1. Login using your Google account when prompted
    1. On the "Google hasn't verified this app" page, click on "Advanced"
    1. Then click on "Go to ... (advanced)"
    1. Now "Allow" the Pub/Sub permissions and confirm your choices again by clicking "Allow"
-    1. Next the "Sign in" page will show the **Authorization Code**
+    1. After your browser has been redirected to https://www.google.com, the **Authorization Code** will be set in the browser URL as value of the "code" URL query parameter
    1. Copy/paste the **Authorization Code** to the Pub/Sub group parameter in the openHAB Nest SDM Account Thing configuration
-1. All required Pub/Sub Account Thing configuration parameters have now been entered so click "Save" to update the SDM Account Thing configuration.
+1. All required Pub/Sub Account Thing configuration parameters have now been entered so click "Save" to update the SDM Account Thing configuration
 The SDM Account Thing should now be ONLINE and have as status description "Using periodic refresh and Pub/Sub".
--- a/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/PubSubAPI.java
+++ b/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/PubSubAPI.java
@ -86,13 +86,13 @@ public class PubSubAPI {
                if (pullResponse != null && pullResponse.receivedMessages != null) {
                    logger.debug("Subscription '{}' has {} new message(s)", subscriptionId,
                            pullResponse.receivedMessages.size());
-                    forEachListener((listener) -> pullResponse.receivedMessages
+                    forEachListener(listener -> pullResponse.receivedMessages
-                            .forEach((message) -> listener.onMessage(message.message)));
+                            .forEach(message -> listener.onMessage(message.message)));
                    List<String> ackIds = pullResponse.receivedMessages.stream().map(message -> message.ackId)
                            .collect(Collectors.toList());
                    acknowledgeSubscriptionMessages(subscriptionId, ackIds);
                } else {
-                    forEachListener((listener) -> listener.onNoNewMessages());
+                    forEachListener(PubSubSubscriptionListener::onNoNewMessages);
                }
                scheduler.submit(this);
@ -100,15 +100,15 @@ public class PubSubAPI {
                logger.debug("Expected exception while pulling message for '{}' subscription", subscriptionId, e);
                Throwable cause = e.getCause();
                if (!(cause instanceof InterruptedException)) {
-                    forEachListener((listener) -> listener.onError(e));
+                    forEachListener(listener -> listener.onError(e));
                    scheduler.schedule(this, RETRY_TIMEOUT.toNanos(), TimeUnit.NANOSECONDS);
                }
            } catch (InvalidPubSubAccessTokenException e) {
                logger.warn("Cannot pull messages for '{}' subscription (access token invalid)", subscriptionId, e);
-                forEachListener((listener) -> listener.onError(e));
+                forEachListener(listener -> listener.onError(e));
            } catch (Exception e) {
                logger.warn("Unexpected exception while pulling message for '{}' subscription", subscriptionId, e);
-                forEachListener((listener) -> listener.onError(e));
+                forEachListener(listener -> listener.onError(e));
                scheduler.schedule(this, RETRY_TIMEOUT.toNanos(), TimeUnit.NANOSECONDS);
            }
        }
@ -125,7 +125,7 @@ public class PubSubAPI {
    private static final String AUTH_URL = "https://accounts.google.com/o/oauth2/auth";
    private static final String TOKEN_URL = "https://accounts.google.com/o/oauth2/token";
-    private static final String REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";
+    private static final String REDIRECT_URI = "https://www.google.com";
    private static final String PUBSUB_HANDLE_FORMAT = "%s.pubsub";
    private static final String PUBSUB_SCOPE = "https://www.googleapis.com/auth/pubsub";
@ -203,7 +203,7 @@ public class PubSubAPI {
                listeners.remove(listener);
                if (listeners.isEmpty()) {
                    subscriptionListeners.remove(subscriptionId);
-                    scheduler.getQueue().removeIf((runnable) -> runnable instanceof Subscriber
+                    scheduler.getQueue().removeIf(runnable -> runnable instanceof Subscriber
                            && ((Subscriber) runnable).subscriptionId.equals(subscriptionId));
                }
            }
--- a/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/SDMAPI.java
+++ b/bundles/org.openhab.binding.nest/src/main/java/org/openhab/binding/nest/internal/sdm/api/SDMAPI.java
@ -68,7 +68,7 @@ public class SDMAPI {
    private static final String AUTH_URL = "https://accounts.google.com/o/oauth2/auth";
    private static final String TOKEN_URL = "https://accounts.google.com/o/oauth2/token";
-    private static final String REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";
+    private static final String REDIRECT_URI = "https://www.google.com";
    private static final String SDM_HANDLE_FORMAT = "%s.sdm";
    private static final String SDM_SCOPE = "https://www.googleapis.com/auth/sdm.service";
@ -163,7 +163,7 @@ public class SDMAPI {
            ContentResponse contentResponse = request.send();
            logResponseErrors(contentResponse);
            logger.debug("Retrieved camera image from: {}", url);
-            requestListeners.forEach(listener -> listener.onSuccess());
+            requestListeners.forEach(SDMAPIRequestListener::onSuccess);
            return contentResponse.getContent();
        } catch (ExecutionException | InterruptedException | TimeoutException e) {
            logger.debug("Failed to get camera image", e);
@ -302,7 +302,7 @@ public class SDMAPI {
            logResponseErrors(contentResponse);
            String response = contentResponse.getContentAsString();
            logger.debug("Response: {}", response);
-            requestListeners.forEach(listener -> listener.onSuccess());
+            requestListeners.forEach(SDMAPIRequestListener::onSuccess);
            return response;
        } catch (ExecutionException | InterruptedException | IOException | TimeoutException e) {
            logger.debug("Failed to send JSON GET request", e);
@ -327,7 +327,7 @@ public class SDMAPI {
            logResponseErrors(contentResponse);
            String response = contentResponse.getContentAsString();
            logger.debug("Response: {}", response);
-            requestListeners.forEach(listener -> listener.onSuccess());
+            requestListeners.forEach(SDMAPIRequestListener::onSuccess);
            return response;
        } catch (ExecutionException | InterruptedException | IOException | TimeoutException e) {
            logger.debug("Failed to send JSON POST request", e);
--- a/bundles/org.openhab.binding.nest/src/main/resources/OH-INF/config/sdm-config.xml
+++ b/bundles/org.openhab.binding.nest/src/main/resources/OH-INF/config/sdm-config.xml
@ -29,7 +29,7 @@
 		</parameter>
 		<parameter name="sdmAuthorizationCode" type="text" groupName="sdm">
 			<label>Authorization Code</label>
-			<description><![CDATA[The one time authorization code used to retrieve the refresh and access token used with the SDM API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://nestservices.google.com/partnerconnections/{{ProjectID}}/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&prompt=consent&client_id={{ClientID}}&response_type=code&scope=https://www.googleapis.com/auth/sdm.service]]></description>
+			<description><![CDATA[The one time authorization code used to retrieve the refresh and access token used with the SDM API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://nestservices.google.com/partnerconnections/{{ProjectID}}/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{ClientID}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.]]></description>
 		</parameter>
 		<parameter name="pubsubProjectId" type="text" groupName="pubsub">
@ -51,7 +51,7 @@
 		</parameter>
 		<parameter name="pubsubAuthorizationCode" type="text" groupName="pubsub">
 			<label>Authorization Code</label>
-			<description><![CDATA[The one time authorization code used to retrieve the refresh and access token used with the Pub/Sub API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://accounts.google.com/o/oauth2/auth?client_id={{ClientID}}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=https://www.googleapis.com/auth/pubsub]]></description>
+			<description><![CDATA[The one time authorization code used to retrieve the refresh and access token used with the Pub/Sub API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{ClientID}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.]]></description>
 		</parameter>
 	</config-description>
--- a/bundles/org.openhab.binding.nest/src/main/resources/OH-INF/i18n/nest.properties
+++ b/bundles/org.openhab.binding.nest/src/main/resources/OH-INF/i18n/nest.properties
@ -35,7 +35,7 @@ thing-type.config.nest.sdm_account.group.pubsub.description = The parameters use
 thing-type.config.nest.sdm_account.group.sdm.label = SDM
 thing-type.config.nest.sdm_account.group.sdm.description = The parameters used when communicating with the SDM API
 thing-type.config.nest.sdm_account.pubsubAuthorizationCode.label = Authorization Code
-thing-type.config.nest.sdm_account.pubsubAuthorizationCode.description = The one time authorization code used to retrieve the refresh and access token used with the Pub/Sub API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://accounts.google.com/o/oauth2/auth?client_id={{ClientID}}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&scope=https://www.googleapis.com/auth/pubsub
+thing-type.config.nest.sdm_account.pubsubAuthorizationCode.description = The one time authorization code used to retrieve the refresh and access token used with the Pub/Sub API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/pubsub&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{ClientID}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.
 thing-type.config.nest.sdm_account.pubsubClientId.label = Client ID
 thing-type.config.nest.sdm_account.pubsubClientId.description = Identifies the OAuth 2.0 client used for accessing the Pub/Sub subscription
 thing-type.config.nest.sdm_account.pubsubClientSecret.label = Client Secret
@ -45,7 +45,7 @@ thing-type.config.nest.sdm_account.pubsubProjectId.description = Identifies the
 thing-type.config.nest.sdm_account.pubsubSubscriptionId.label = Subscription ID
 thing-type.config.nest.sdm_account.pubsubSubscriptionId.description = Identifies the subscription that is created for subscribing to SDM Pub/Sub events
 thing-type.config.nest.sdm_account.sdmAuthorizationCode.label = Authorization Code
-thing-type.config.nest.sdm_account.sdmAuthorizationCode.description = The one time authorization code used to retrieve the refresh and access token used with the SDM API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://nestservices.google.com/partnerconnections/{{ProjectID}}/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&prompt=consent&client_id={{ClientID}}&response_type=code&scope=https://www.googleapis.com/auth/sdm.service
+thing-type.config.nest.sdm_account.sdmAuthorizationCode.description = The one time authorization code used to retrieve the refresh and access token used with the SDM API. The code is obtained by following the instructions at the following URL in your browser:<br><br>https://nestservices.google.com/partnerconnections/{{ProjectID}}/auth?scope=https://www.googleapis.com/auth/sdm.service&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{ClientID}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.
 thing-type.config.nest.sdm_account.sdmClientId.label = Client ID
 thing-type.config.nest.sdm_account.sdmClientId.description = Identifies the OAuth 2.0 client used for accessing the SDM project
 thing-type.config.nest.sdm_account.sdmClientSecret.label = Client Secret
--- a/bundles/org.openhab.voice.googletts/README.md
+++ b/bundles/org.openhab.voice.googletts/README.md
@ -26,8 +26,9 @@ Before you can integrate this service with your Google Cloud Text-to-Speech, you
 * Enable the Cloud Text-to-Speech API. [link](https://console.cloud.google.com/apis/dashboard)
 * Set up authentication:
  * Go to the "APIs & Services" -> "Credentials" page in the GCP Console and your project. [link](https://console.cloud.google.com/apis/credentials)
-  * From the "Create credentials" drop-down list, select "OAuth client ID.
+  * From the "Create credentials" drop-down list, select "OAuth client ID".
-  * Select application type "TV and Limited Input" and enter a name into the "Name" field.
+  * Select application type "Web application" and enter a name into the "Name" field.
  * Add "https://www.google.com" to the "Authorized redirect URIs".
  * Click Create. A pop-up appears, showing your "client ID" and "client secret".
 ## Service Configuration
@ -36,10 +37,11 @@ Using your favorite configuration UI to edit **Settings / Other Services - Googl
 * **Client Id** - Google Cloud Platform OAuth 2.0-Client Id.
 * **Client Secret** - Google Cloud Platform OAuth 2.0-Client Secret.
-* **Authorization Code** - The auth-code is a one-time code needed to retrieve the necessary access-codes from Google Cloud Platform.
+* **Authorization Code** - This code is used once for retrieving the Google Cloud Platform access and refresh tokens.
 **Please go to your browser ...**
-[https://accounts.google.com/o/oauth2/auth?client_id=<clientId>&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/cloud-platform&response_type=code](https://accounts.google.com/o/oauth2/auth?client_id=<clientId>&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/cloud-platform&response_type=code) (replace `<clientId>` by your Client Id)
+[https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/cloud-platform&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<clientId>](https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/cloud-platform&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=<clientId>) (replace `<clientId>` by your Client Id)
-**... to generate an auth-code and paste it here**.
+**... to generate an authorization code and paste it here**.
 After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.
 After initial authorization, this code is not needed anymore.
 It is recommended to clear this configuration parameter afterwards.
 * **Pitch** - The pitch of selected voice, up to 20 semitones.
--- a/bundles/org.openhab.voice.googletts/src/main/java/org/openhab/voice/googletts/internal/GoogleCloudAPI.java
+++ b/bundles/org.openhab.voice.googletts/src/main/java/org/openhab/voice/googletts/internal/GoogleCloudAPI.java
@ -75,7 +75,7 @@ class GoogleCloudAPI {
    private static final String GCP_AUTH_URI = "https://accounts.google.com/o/oauth2/auth";
    private static final String GCP_TOKEN_URI = "https://accounts.google.com/o/oauth2/token";
-    private static final String GCP_REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";
+    private static final String GCP_REDIRECT_URI = "https://www.google.com";
    /**
     * Google Cloud Platform authorization scope
     */
--- a/bundles/org.openhab.voice.googletts/src/main/resources/OH-INF/config/config.xml
+++ b/bundles/org.openhab.voice.googletts/src/main/resources/OH-INF/config/config.xml
@ -26,7 +26,7 @@
 		</parameter>
 		<parameter name="authcode" type="text" groupName="authentication">
 			<label>Authorization Code</label>
-			<description><![CDATA[The auth-code is a one-time code needed to retrieve the necessary access-codes from Google Cloud Platform. <b>Please go to your browser ...</b> https://accounts.google.com/o/oauth2/auth?client_id={{clientId}}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/cloud-platform&response_type=code <b>... to generate an auth-code and paste it here</b>.]]></description>
+			<description><![CDATA[This code is used once for retrieving the Google Cloud Platform access and refresh tokens. Open the following URL in your browser to generate an authorization code:<br><br>https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/cloud-platform&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{clientId}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.]]></description>
 		</parameter>
 		<parameter name="pitch" type="decimal" min="-20" max="20" step="0.1" groupName="tts">
 			<label>Pitch</label>
--- a/bundles/org.openhab.voice.googletts/src/main/resources/OH-INF/i18n/googletts.properties
+++ b/bundles/org.openhab.voice.googletts/src/main/resources/OH-INF/i18n/googletts.properties
@ -1,5 +1,5 @@
 voice.config.googletts.authcode.label = Authorization Code
-voice.config.googletts.authcode.description = The auth-code is a one-time code needed to retrieve the necessary access-codes from Google Cloud Platform. <b>Please go to your browser ...</b> https://accounts.google.com/o/oauth2/auth?client_id={{clientId}}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/cloud-platform&response_type=code <b>... to generate an auth-code and paste it here</b>.
+voice.config.googletts.authcode.description = This code is used once for retrieving the Google Cloud Platform access and refresh tokens. Open the following URL in your browser to generate an authorization code:<br><br>https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/cloud-platform&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id={{clientId}}<br><br>After your browser has been redirected to https://www.google.com, the authorization code will be set in the browser URL as value of the "code" URL query parameter.
 voice.config.googletts.clientId.label = Client Id
 voice.config.googletts.clientId.description = Google Cloud Platform OAuth 2.0-Client Id.
 voice.config.googletts.clientSecret.label = Client Secret