From mboxrd@z Thu Jan 1 00:00:00 1970
From: Björn Bidar via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#72358: 29.4; oauth2.el improvements
Date: Mon, 12 Aug 2024 19:26:06 +0300
Message-ID: <24668.4272353136$1723480072@news.gmane.org>
In-Reply-To: (Thomas Fitzsimmons's message of "Mon, 12 Aug 2024 09:22:07 -0400")
Reply-To: Björn Bidar
To: Thomas Fitzsimmons
Cc: Robert Pluim, 72358@debbugs.gnu.org, Xiyue Deng
User-Agent: Gnus/5.13 (Gnus v5.13)
Xref: news.gmane.io gmane.emacs.bugs:290052

Thomas Fitzsimmons writes:

> Xiyue Deng writes:
>
>> Björn Bidar writes:
>>
>>> Xiyue Deng writes:
>>>
>>>> Xiyue Deng writes:
>>>>
>>>>> Björn Bidar writes:
>>>>>
>>>>>> Robert Pluim writes:
>>>>>>
>>>>>>> Xiyue> - This will invalidate all existing entries and a user will have to redo
>>>>>>> Xiyue> the authorization process again to get a new refresh token. However,
>>>>>>> Xiyue> I think it's more important to ensure that oauth2.el works correctly
>>>>>>> Xiyue> for multiple accounts of the same provider, or a user may suffer from
>>>>>>> Xiyue> confusion when adding a new account invalidates a previous account.
>>>>>>>
>>>>>>> I donʼt think thatʼs too big a concern. 'modern' authentication flows
>>>>>>> regularly re-prompt, so this will not be too surprising (although
>>>>>>> maybe call it out in the packageʼs NEWS or README).
>>>>>>
>>>>>> In many cases the refreshing of tokens is transparent to the user; there
>>>>>> doesn't have to be a re-prompt to refresh the token if the OAuth
>>>>>> provider supports it.
>>>>>> Microsoft's OAuth workflow is quite good in this regard as there's a
>>>>>> non-standard error to indicate when the user has to re-authorize the
>>>>>> application.
>>>>>>
>>>>>
>>>>> Actually I have been having trouble for a few weeks getting my
>>>>> outlook.com email to work with MS OAuth2. To avoid some repeated typing, I
>>>>> have documented the issues and steps I have tried in this stackoverflow
>>>>> question[1]. I would greatly appreciate it if you can shed some light
>>>>> there.
>>>>>
>>>>>> I assume all implementations of OAuth have their quirks.
>>>>>
>>>>> Indeed.
>>>>>
>>>>>
>>>>> [1]
>>>>> https://stackoverflow.com/questions/78787763/getting-aadsts65001-error-invalid-grant-when-trying-to-refresh-access-token-fo
>>>>
>>>> Just want to report back that after confirming with an MS representative
>>>> through online chat, outlook.com has actually disabled refreshing
>>>> access_token through the token endpoint, and users are asked to migrate
>>>> to Outlook app or compatible apps (Thunderbird still works).
>>>
>>> Thank you for notifying me on this. I will forward this to my employer.
>>>
>>>> I'm not sure whether this is also the case for organization emails, which may
>>>> also be disabled by default (or soonish if not already) but can be
>>>> enabled separately by an org admin.
>>>
>>> It does depend; some domains use a whitelist, e.g. Tampere University of
>>> Applied Sciences. Without a specific Emacs GNUs/Caldav/whatever AppID
>>> inside Microsoft OAuth2 it will be hard to pass that.
>>>
>>>
>>>> Anyway, I'd suggest people stop
>>>> wasting your time here and use Gmail (or maybe Yahoo mail) which has
>>>> decent 3rd party OAuth2 support.
>>>
>>> I don't think that's an option for most users that complain about working
>>> OAuth2 support; in most cases it's a work or some other organization
>>> account.
>>>
>>> Another thing I think is very important is to support Nextcloud as it's
>>> a FOSS app supporting OAuth2 which quite many users and organizations
>>> adopted.
>>>
>>>
>>
>> Nextcloud sounds interesting. Do you know where I can check for the
>> OAuth2 credentials like client_id and client_secret?
>
> sourcehut [1] provides a Free Software OAuth2 flow, and it has the
> benefit of not requiring JavaScript (even FOSS JavaScript) anywhere in
> the process. I wrote url-http-oauth-demo.el [2] as a complete "worked"
> example demonstrating its use with url-http-oauth.el.

Would that provide OAuth2 for providers that require a login through
their web interface, such as Nextcloud Login, without a browser?
Most platforms such as Android, KDE or Sailfish OS use a browser for
OAuth2 login to log in, authorize and then forward the token to the OS/app.

> Thomas
>
> 1. https://sourcehut.org/
> 2. https://git.savannah.gnu.org/cgit/emacs/elpa.git/tree/url-http-oauth-demo.el?h=externals/url-http-oauth
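
The two behaviours discussed in the quoted thread, one stored entry per account rather than per provider and re-prompting only when the token endpoint refuses the refresh token, shown together as an added Emacs Lisp example. It is not code from oauth2.el or url-http-oauth.el; every `demo-` name, the endpoint URL, the client id, the accounts and the JSON bodies are constructed assumptions.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; not oauth2.el code.  Every `demo-' name is hypothetical.

(defun demo-oauth2-entry-id (token-url client-id account)
  "Return a storage key unique per ACCOUNT, not merely per provider.
Keying on TOKEN-URL and CLIENT-ID alone lets a second account at the
same provider overwrite the first account's refresh token."
  (secure-hash 'sha256 (mapconcat #'identity
                                  (list token-url client-id account) "\n")))

(defvar demo-oauth2-reauth-errors '("invalid_grant")
  "Token-endpoint error codes meaning the refresh token is unusable.
\"invalid_grant\" is the RFC 6749 code; add provider-specific ones here.")

(defun demo-oauth2-classify-refresh (body)
  "Classify BODY, the JSON a token endpoint returned for a refresh request.
Return (ok . TOKEN), (reauthorize . ERROR) or (fail . ERROR)."
  (let* ((parsed (ignore-errors (json-parse-string body :object-type 'alist)))
         (resp (and (listp parsed) parsed))
         (token (alist-get 'access_token resp))
         (err (alist-get 'error resp)))
    (cond ((stringp token) (cons 'ok token))
          ((member err demo-oauth2-reauth-errors) (cons 'reauthorize err))
          (t (cons 'fail (or err "malformed response"))))))

(defun demo-oauth2-apply-refresh (store id body)
  "Update the entry for ID in hash table STORE from refresh response BODY.
Only that entry is touched, so one account's refused refresh token
never invalidates another account at the same provider."
  (pcase (demo-oauth2-classify-refresh body)
    (`(ok . ,tok)
     (puthash id (plist-put (gethash id store) :access-token tok) store)
     'refreshed)
    (`(reauthorize . ,_) (remhash id store) 'needs-user-consent)
    (`(fail . ,_) 'kept-entry)))

;; Constructed endpoint, client id, accounts and responses.
(let* ((store (make-hash-table :test #'equal))
       (url "https://auth.example/token")
       (a (demo-oauth2-entry-id url "demo-client" "alice@example.org"))
       (b (demo-oauth2-entry-id url "demo-client" "bob@example.org")))
  (puthash a (list :refresh-token "rt-a") store)
  (puthash b (list :refresh-token "rt-b") store)
  (message "%S" (list (demo-oauth2-apply-refresh store a "{\"access_token\":\"at-a\"}")
                      (demo-oauth2-apply-refresh store b "{\"error\":\"invalid_grant\"}")
                      (hash-table-count store))))
```

On `needs-user-consent` the caller restarts the authorization flow for that one account; any other error leaves the stored refresh token in place so a transient or configuration failure does not force a new login.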