From: Xiyue Deng
Newsgroups: gmane.emacs.bugs
Subject: bug#72992: 29.4; towards xoauth2 support in Emacs
Date: Wed, 18 Sep 2024 12:43:39 -0700
Message-ID: <877cb8oihg.fsf@debian-hx90.lan>
References: <87h6ayfo87.fsf_-_@debian-hx90.lan>
To: Stefan Kangas, 72992@debbugs.gnu.org
Cc: Ted Zlatanov, Philip Kaludercic

Hi Stefan,

Stefan Kangas writes:

> Xiyue Deng writes:
>
>> Now that bug#72358 is done, as promised, I'm posting my plugin for
>> auth-sources that enables oauth2 handling which you can find on
>> Gitlab[1] (also attached).  As the current approach tries to override
>> some existing handling in auth-source, I would like to gather some
>> comments on how to properly integrate this handling, and see if there is
>> any benefit in providing this as a separate package for older Emacs
>> versions.
>>
>> In the comment section of the package I put notes on how xoauth2 is
>> enabled as well as existing restrictions in auth-source and how it
>> works around them.  I'll briefly explain below.
>
> I think it would be good if you could add to your package some general
> explanation of what xoauth2 is, and what are its use cases both in a
> general sense, and specifically together with the auth-source
> package.  Don't assume that people already know what xoauth2 is, how it
> is different from oauth2, which services use it, etc.  Explain it.  I
> would add such general information to the beginning of the "Commentary"
> section.
> Nothing long is needed, just a general introduction and perhaps
> links for where to read more.
>

Good suggestions.  Added to the comments part.

> Some examples of when it would be used, preferably with example code for
> some use cases, would also go a long way.
>

I have added some examples on how to set it up and use it in Gnus and
smtpmail after sending the earlier version.  Please check it out at [1]
(with the changes above.)

>> Currently, auth-source search requires that the result include `:secret'
>> most of the time, where when using xoauth2 it is actually the
>> access-token.  Actually, auth-source has existing support for xoauth2
>> authentication, though it assumes that the password value actually
>> stores the access-token.
>
> Where can we find this "existing support"?  Do you mean the
> 'auth-source-xoauth2' package on GNU ELPA?
>

The basic support is actually in the Emacs core already, e.g. for Gnus
nnimap[2] and smtpmail[3].  However, this assumes that one puts the
access_token in place of `:secret' in the auth-source file, as Emacs uses
the password as the access_token in both places.  However, the
access_token expires quite frequently (e.g. about 1 hour for Gmail) and
without refreshing it automatically it is practically impossible to use
conveniently.  Hence the proposed hack and the following suggestion.

>> Because xoauth2 also makes use of
>> `secret'/`password', it makes it hard to determine whether to use
>> password-based or xoauth2-based authentication, which is why my plugin
>> asks users to set `auth' in auth-source to determine whether to use
>> xoauth2.  Another complication from this is that auth-source search
>> requires the entry contains a `secret' most of the time, where it does
>> not need to be set when using xoauth2.  Therefore I work around this by
>> temporarily disabling this check, then try to retrieve access-token
>> using oauth2 and set the result as password.
>>
>> Given the inconveniences of reusing password for access-token, I wonder
>> whether we can add support for a separate `:access-token' key in the
>> auth-source entry and use that instead of password when authenticating
>> using xoauth2.  This way, we can have both password and access-token in
>> an auth-source entry and nnimap and smtpmail can use either one.  More
>> specifically:
>>
>> * When performing an auth-source search, if xoauth2 related fields are
>>   set (see the list of fields in the comments of my plugin), it will
>>   retrieve access-token using oauth2.
>>
>> * The search should change to check whether either `secret'/`password'
>>   or `access-token' is available.
>>
>> * For `nnimap-login' and `smtpmail-try-auth-method', pass in both
>>   password and access-token, and for xoauth2 it should use access-token
>>   instead of password.
>>
>> If this is an acceptable approach, I'll try to draft a patch to
>> implement this in Emacs.  Otherwise, it may still be worth implementing
>> the current approach directly in Emacs so as to avoid using hacks like
>> advice.
>
> I'm not very familiar with auth-source.el, but on a general level the
> above makes sense to me.  I've also Cc:ed Ted Zlatanov, the author of
> auth-source.el
>

Thanks!  Would also like to hear Ted's opinion on this and decide which
route to take.

>> Meanwhile, I wonder whether this may be worth releasing as a separate
>> package so that users of older versions can use xoauth2 as well.  I'd
>> like to make it compatible with the agreed-upon approach to minimize any
>> incompatibilities.
>>
>> Thanks for reading, and any comments are appreciated.
>
> Are you proposing to include this in Emacs core, on GNU ELPA, or
> something else?
>

I'd like to contribute to Emacs core once a direction is decided.  Maybe
also put this plugin in ELPA to support older Emacs versions if both are
compatible.

> Thanks.
>

[1] https://gitlab.com/xiyueden/auth-source-xoauth2-plugin
[2] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/gnus/nnimap.el#n616
[3] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/mail/smtpmail.el#n640

-- 
Xiyue Deng
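
The credential selection and hourly token expiry discussed in the message above, sketched in Emacs Lisp as an added example; it is not code from the message, from auth-source-xoauth2-plugin or from Emacs. All `my-xoauth2-' names, the 60-second safety margin and the sample entry are assumptions, and the SASL string follows the XOAUTH2 mechanism format, which the message does not spell out.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; every `my-xoauth2-' name is hypothetical.

(defvar my-xoauth2-token-cache (make-hash-table :test #'equal)
  "Map \"user@host\" to (ACCESS-TOKEN . EXPIRY), EXPIRY in float seconds.")

(defun my-xoauth2-access-token (entry refresh-fn)
  "Return a currently valid access token for ENTRY, an auth-source style plist.
REFRESH-FN is a caller-supplied function (an assumption here) that takes
ENTRY and returns (TOKEN . LIFETIME-SECONDS) from the OAuth2 token endpoint."
  (let* ((key (format "%s@%s" (plist-get entry :user) (plist-get entry :host)))
         (cached (gethash key my-xoauth2-token-cache)))
    ;; Reuse the cached token only if it outlives a 60-second margin.
    (if (and cached (> (cdr cached) (+ (float-time) 60)))
        (car cached)
      (let ((new (funcall refresh-fn entry)))
        (puthash key (cons (car new) (+ (float-time) (cdr new)))
                 my-xoauth2-token-cache)
        (car new)))))

(defun my-xoauth2-credential (entry refresh-fn)
  "Return (METHOD . CREDENTIAL) for ENTRY.
Entries marked `:auth \"xoauth2\"' need no `:secret'; others must have one."
  (cond
   ((equal (plist-get entry :auth) "xoauth2")
    (cons 'xoauth2 (my-xoauth2-access-token entry refresh-fn)))
   ((plist-get entry :secret)
    (let ((secret (plist-get entry :secret)))
      ;; auth-source may hand back the secret wrapped in a function.
      (cons 'password (if (functionp secret) (funcall secret) secret))))
   (t (error "Entry for %s has neither :secret nor xoauth2 fields"
             (plist-get entry :host)))))

(defun my-xoauth2-sasl-response (user token)
  "Return the base64 XOAUTH2 initial client response for USER and TOKEN."
  (base64-encode-string
   (concat "user=" user "\001auth=Bearer " token "\001\001") t))

;; Constructed entry and a fake refresher standing in for the HTTP call.
(let* ((entry '(:host "imap.example.org" :user "alice@example.org"
                :auth "xoauth2"))
       (cred (my-xoauth2-credential
              entry (lambda (_e) (cons "constructed-token" 3600)))))
  (message "%s %s" (car cred)
           (my-xoauth2-sasl-response (plist-get entry :user) (cdr cred))))
```

The final `message' call prints only the constructed token; with real credentials the encoded response is equivalent to the bearer token and should not be written to `*Messages*' or logs.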