openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 15 additions & 0 deletions b/‎README.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎docs/spec.md‎
Lines changed: 5 additions & 1 deletion b/‎docs/spec.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎internal/cmd/auth.go‎
Lines changed: 80 additions & 7 deletions b/‎internal/cmd/auth.go‎
Lines changed: 80 additions & 7 deletions
diff --git a/‎internal/cmd/auth_add_test.go‎
Lines changed: 174 additions & 0 deletions b/‎internal/cmd/auth_add_test.go‎
Lines changed: 174 additions & 0 deletions
@@ -6,6 +6,11 @@
 
 - Gmail: add `--exclude-labels` to `watch serve` (defaults: `SPAM,TRASH`). (#194) — thanks @salmonumbrella.
 - Drive: share files with an entire Workspace domain via `drive share --to domain`. (#192) — thanks @Danielkweber.
+
+### Fixed
+
+- Auth: improve remote/server-friendly manual OAuth flow (`auth add --remote`). (#187) — thanks @salmonumbrella.
+
 ## 0.9.0 - 2026-01-22
 
 ### Highlights
 
@@ -106,6 +106,21 @@ gog auth add you@gmail.com
 
 This will open a browser window for OAuth authorization. The refresh token is stored securely in your system keychain.
 
+Headless / remote server flow (no browser on the server):
+
+```bash
+# Step 1: print auth URL (open it locally in a browser)
+gog auth add you@gmail.com --services user --remote --step 1
+
+# Step 2: paste the full redirect URL from your browser address bar
+gog auth add you@gmail.com --services user --remote --step 2 --auth-url 'http://localhost:1/?code=...&state=...'
+```
+
+Notes:
+
+- The `state` is cached on disk for a short time (about 10 minutes). If it expires, rerun step 1.
+- Remote step 2 requires a redirect URL that includes `state` (state check mandatory).
+
 ### 4. Test Authentication
 
 ```bash
 
@@ -99,6 +99,9 @@ Implementation: `internal/secrets/store.go`.
 
 - Desktop OAuth 2.0 flow using local HTTP redirect on an ephemeral port.
 - Supports a browserless/manual flow (paste redirect URL) for headless environments.
+- Supports a remote/server-friendly 2-step manual flow:
+  - Step 1 prints an auth URL (`gog auth add ... --remote --step 1`)
+  - Step 2 exchanges the pasted redirect URL and requires `state` validation (`--remote --step 2 --auth-url ...`)
 - Refresh token issuance:
   - requests `access_type=offline`
   - supports `--force-consent` to force the consent prompt when Google doesn't return a refresh token
@@ -119,6 +122,7 @@ Scope selection note:
   - `credentials-<client>.json` (OAuth client id/secret; named clients)
 - State:
   - `state/gmail-watch/<account>.json` (Gmail watch state)
+  - `oauth-manual-state-<state>.json` (temporary manual OAuth state cache; expires quickly; no tokens)
 - Secrets:
   - refresh tokens in keyring
 
@@ -148,7 +152,7 @@ Flag aliases:
 - `gog auth credentials <credentials.json|->`
 - `gog auth credentials list`
 - `gog --client <name> auth credentials <credentials.json|->`
-- `gog auth add <email> [--services user|all|gmail,calendar,classroom,drive,docs,contacts,tasks,sheets,people,groups] [--readonly] [--drive-scope full|readonly|file] [--manual] [--force-consent]`
+- `gog auth add <email> [--services user|all|gmail,calendar,classroom,drive,docs,contacts,tasks,sheets,people,groups] [--readonly] [--drive-scope full|readonly|file] [--manual] [--remote] [--step 1|2] [--auth-url URL] [--timeout DURATION] [--force-consent]`
 - `gog auth services [--markdown]`
 - `gog auth keep <email> --key <service-account.json>` (Google Keep; Workspace only)
 - `gog auth list`
 
@@ -26,6 +26,7 @@ var (
 	checkRefreshToken    = googleauth.CheckRefreshToken
 	ensureKeychainAccess = secrets.EnsureKeychainAccess
 	fetchAuthorizedEmail = googleauth.EmailForRefreshToken
+	manualAuthURL        = googleauth.ManualAuthURL
 )
 
 func ensureKeychainAccessIfNeeded() error {
@@ -479,12 +480,17 @@ func (c *AuthTokensImportCmd) Run(ctx context.Context) error {
 }
 
 type AuthAddCmd struct {
-	Email        string `arg:"" name:"email" help:"Email"`
-	Manual       bool   `name:"manual" help:"Browserless auth flow (paste redirect URL)"`
-	ForceConsent bool   `name:"force-consent" help:"Force consent screen to obtain a refresh token"`
-	ServicesCSV  string `name:"services" help:"Services to authorize: user|all or comma-separated ${auth_services} (Keep uses service account: gog auth service-account set)" default:"user"`
-	Readonly     bool   `name:"readonly" help:"Use read-only scopes where available (still includes OIDC identity scopes)"`
-	DriveScope   string `name:"drive-scope" help:"Drive scope mode: full|readonly|file" enum:"full,readonly,file" default:"full"`
+	Email        string        `arg:"" name:"email" help:"Email"`
+	Manual       bool          `name:"manual" help:"Browserless auth flow (paste redirect URL)"`
+	Remote       bool          `name:"remote" help:"Remote/server-friendly manual flow (print URL, then exchange code)"`
+	Step         int           `name:"step" help:"Remote auth step: 1=print URL, 2=exchange code"`
+	AuthURL      string        `name:"auth-url" help:"Redirect URL from browser (manual flow; required for --remote --step 2)"`
+	AuthCode     string        `name:"auth-code" hidden:"" help:"UNSAFE: Authorization code from browser (manual flow; skips state check; not valid with --remote)"`
+	Timeout      time.Duration `name:"timeout" help:"Authorization timeout (manual flows default to 5m)"`
+	ForceConsent bool          `name:"force-consent" help:"Force consent screen to obtain a refresh token"`
+	ServicesCSV  string        `name:"services" help:"Services to authorize: user|all or comma-separated ${auth_services} (Keep uses service account: gog auth service-account set)" default:"user"`
+	Readonly     bool          `name:"readonly" help:"Use read-only scopes where available (still includes OIDC identity scopes)"`
+	DriveScope   string        `name:"drive-scope" help:"Drive scope mode: full|readonly|file" enum:"full,readonly,file" default:"full"`
 }
 
 func (c *AuthAddCmd) Run(ctx context.Context) error {
@@ -515,6 +521,69 @@ func (c *AuthAddCmd) Run(ctx context.Context) error {
 		return err
 	}
 
+	authURL := strings.TrimSpace(c.AuthURL)
+	authCode := strings.TrimSpace(c.AuthCode)
+	if authURL != "" && authCode != "" {
+		return usage("cannot combine --auth-url with --auth-code")
+	}
+	if c.Step != 0 && c.Step != 1 && c.Step != 2 {
+		return usage("step must be 1 or 2")
+	}
+	if c.Step != 0 && !c.Remote {
+		return usage("--step requires --remote")
+	}
+
+	manual := c.Manual || c.Remote || authURL != "" || authCode != ""
+
+	if c.Remote {
+		step := c.Step
+		if step == 0 {
+			if authURL != "" || authCode != "" {
+				step = 2
+			} else {
+				step = 1
+			}
+		}
+		switch step {
+		case 1:
+			if authURL != "" || authCode != "" {
+				return usage("remote step 1 does not accept --auth-url or --auth-code")
+			}
+			result, manualErr := manualAuthURL(ctx, googleauth.AuthorizeOptions{
+				Services:     services,
+				Scopes:       scopes,
+				Manual:       true,
+				ForceConsent: c.ForceConsent,
+				Client:       client,
+			})
+			if manualErr != nil {
+				return manualErr
+			}
+			if outfmt.IsJSON(ctx) {
+				return outfmt.WriteJSON(os.Stdout, map[string]any{
+					"auth_url":     result.URL,
+					"state_reused": result.StateReused,
+				})
+			}
+			u.Out().Printf("auth_url\t%s", result.URL)
+			u.Out().Printf("state_reused\t%t", result.StateReused)
+			u.Err().Println("Run again with --remote --step 2 --auth-url <redirect-url>")
+			return nil
+		case 2:
+			if authCode != "" {
+				return usage("--auth-code is not valid with --remote (state check is mandatory)")
+			}
+			if authURL == "" {
+				return usage("remote step 2 requires --auth-url")
+			}
+		}
+	}
+
+	timeout := c.Timeout
+	if timeout == 0 && manual {
+		timeout = 5 * time.Minute
+	}
+
 	// Pre-flight: ensure keychain is accessible before starting OAuth
 	if keychainErr := ensureKeychainAccessIfNeeded(); keychainErr != nil {
 		return fmt.Errorf("keychain access: %w", keychainErr)
@@ -523,9 +592,13 @@ func (c *AuthAddCmd) Run(ctx context.Context) error {
 	refreshToken, err := authorizeGoogle(ctx, googleauth.AuthorizeOptions{
 		Services:     services,
 		Scopes:       scopes,
-		Manual:       c.Manual,
+		Manual:       manual,
 		ForceConsent: c.ForceConsent,
+		Timeout:      timeout,
 		Client:       client,
+		AuthURL:      authURL,
+		AuthCode:     authCode,
+		RequireState: c.Remote,
 	})
 	if err != nil {
 		return err
 
@@ -473,6 +473,180 @@ func TestAuthAddCmd_SheetsDriveScopeFile(t *testing.T) {
 	}
 }
 
+func TestAuthAddCmd_RemoteStep1_PrintsAuthURL(t *testing.T) {
+	origManualURL := manualAuthURL
+	origAuth := authorizeGoogle
+	origKeychain := ensureKeychainAccess
+	t.Cleanup(func() {
+		manualAuthURL = origManualURL
+		authorizeGoogle = origAuth
+		ensureKeychainAccess = origKeychain
+	})
+
+	manualCalled := false
+	manualAuthURL = func(context.Context, googleauth.AuthorizeOptions) (googleauth.ManualAuthURLResult, error) {
+		manualCalled = true
+		return googleauth.ManualAuthURLResult{
+			URL:         "https://example.com/auth",
+			StateReused: true,
+		}, nil
+	}
+	authorizeGoogle = func(context.Context, googleauth.AuthorizeOptions) (string, error) {
+		t.Fatal("authorizeGoogle should not be called in remote step 1")
+		return "", nil
+	}
+	ensureKeychainAccess = func() error {
+		t.Fatal("keychain access should not be checked in remote step 1")
+		return nil
+	}
+
+	out := captureStdout(t, func() {
+		_ = captureStderr(t, func() {
+			if err := Execute([]string{
+				"auth",
+				"add",
+				"user@example.com",
+				"--services",
+				"gmail",
+				"--remote",
+				"--step",
+				"1",
+			}); err != nil {
+				t.Fatalf("Execute: %v", err)
+			}
+		})
+	})
+
+	if !manualCalled {
+		t.Fatalf("expected manualAuthURL to be called")
+	}
+	if !strings.Contains(out, "auth_url\thttps://example.com/auth") {
+		t.Fatalf("unexpected output: %q", out)
+	}
+	if !strings.Contains(out, "state_reused\ttrue") {
+		t.Fatalf("expected state_reused output, got: %q", out)
+	}
+}
+
+func TestAuthAddCmd_RemoteStep2_RejectsAuthCode(t *testing.T) {
+	err := Execute([]string{
+		"auth",
+		"add",
+		"user@example.com",
+		"--services",
+		"gmail",
+		"--remote",
+		"--step",
+		"2",
+		"--auth-code",
+		"abc123",
+	})
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	var ee *ExitError
+	if !errors.As(err, &ee) || ee.Code != 2 {
+		t.Fatalf("expected exit code 2, got %T %#v", err, err)
+	}
+	if !strings.Contains(err.Error(), "--auth-code is not valid with --remote") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestAuthAddCmd_RemoteStep2_PassesAuthURL(t *testing.T) {
+	origAuth := authorizeGoogle
+	origOpen := openSecretsStore
+	origKeychain := ensureKeychainAccess
+	origFetch := fetchAuthorizedEmail
+	t.Cleanup(func() {
+		authorizeGoogle = origAuth
+		openSecretsStore = origOpen
+		ensureKeychainAccess = origKeychain
+		fetchAuthorizedEmail = origFetch
+	})
+
+	ensureKeychainAccess = func() error { return nil }
+	openSecretsStore = func() (secrets.Store, error) { return newMemSecretsStore(), nil }
+
+	var gotOpts googleauth.AuthorizeOptions
+	authorizeGoogle = func(ctx context.Context, opts googleauth.AuthorizeOptions) (string, error) {
+		gotOpts = opts
+		return "rt", nil
+	}
+	fetchAuthorizedEmail = func(context.Context, string, string, []string, time.Duration) (string, error) {
+		return "user@example.com", nil
+	}
+
+	if err := Execute([]string{
+		"auth",
+		"add",
+		"user@example.com",
+		"--services",
+		"gmail",
+		"--remote",
+		"--step",
+		"2",
+		"--auth-url",
+		"http://localhost:1/?code=abc&state=state123",
+	}); err != nil {
+		t.Fatalf("Execute: %v", err)
+	}
+
+	if !gotOpts.Manual {
+		t.Fatalf("expected manual auth in remote step 2")
+	}
+	if !gotOpts.RequireState {
+		t.Fatalf("expected require state in remote step 2")
+	}
+	if gotOpts.AuthURL == "" {
+		t.Fatalf("expected auth URL to be passed through")
+	}
+}
+
+func TestAuthAddCmd_AuthCode_PassesThrough(t *testing.T) {
+	origAuth := authorizeGoogle
+	origOpen := openSecretsStore
+	origKeychain := ensureKeychainAccess
+	origFetch := fetchAuthorizedEmail
+	t.Cleanup(func() {
+		authorizeGoogle = origAuth
+		openSecretsStore = origOpen
+		ensureKeychainAccess = origKeychain
+		fetchAuthorizedEmail = origFetch
+	})
+
+	ensureKeychainAccess = func() error { return nil }
+	openSecretsStore = func() (secrets.Store, error) { return newMemSecretsStore(), nil }
+
+	var gotOpts googleauth.AuthorizeOptions
+	authorizeGoogle = func(ctx context.Context, opts googleauth.AuthorizeOptions) (string, error) {
+		gotOpts = opts
+		return "rt", nil
+	}
+	fetchAuthorizedEmail = func(context.Context, string, string, []string, time.Duration) (string, error) {
+		return "user@example.com", nil
+	}
+
+	if err := Execute([]string{
+		"auth",
+		"add",
+		"user@example.com",
+		"--services",
+		"gmail",
+		"--auth-code",
+		"abc123",
+	}); err != nil {
+		t.Fatalf("Execute: %v", err)
+	}
+
+	if !gotOpts.Manual {
+		t.Fatalf("expected manual auth when auth-code is provided")
+	}
+	if gotOpts.AuthCode != "abc123" {
+		t.Fatalf("expected auth-code to be passed through, got %q", gotOpts.AuthCode)
+	}
+}
+
 func containsStringInSlice(items []string, want string) bool {
 	for _, it := range items {
 		if it == want {