From: Andrew Cohen
Newsgroups: gmane.emacs.bugs
Subject: bug#72358: 29.4; oauth2.el improvements
Date: Thu, 01 Aug 2024 07:53:21 +0800
Message-ID: <87r0b915la.fsf@ust.hk>
References: <87mslz8yzk.fsf@debian-hx90.lan>
To: 72358@debbugs.gnu.org

I have been using the existing oauth2.el and auth-source.el to use both gmail and outlook (through my university) with oauth2 for several years now (I posted a bit about it some time ago on the devel list). I didn't need to change much to get it to work so I thought as long as the changes by Xiyue are being considered (all of which look good to me) I would chime in. I'm happy to provide more info about my setup and usage if anyone is interested.

Firstly, I note that I have gmail working fine without the change in patchset 2 (although I see nothing wrong with the change, I wonder why it isn't necessary for me but is for Xiyue).

Secondly, there is one other important change that I have been using which should probably be added to oauth2.el (I communicated the change to Julien a long time ago, but he said he is no longer actively maintaining oauth2.el): in refreshing the token the access-response is ignored (as is the response-error). The access-response contains information about the token expiration so it's needed in order to control when to fetch a new token. The simple patch below stores the access-response in the appropriate slot in the token:

[Attachment: diff (store access-response on refresh)]

Lastly, a brief description of how to get things to work with auth-source and existing code (subject to the change I mentioned above): auth-source entries using the plstore backend allow the secret to be a function (which is passed the whole entry plist as an argument). All that is needed then is a function that returns the access token (which is then used in gnus and smtpmail, both of which already work properly with an oauth2 access-token). A simple function to check the expiration time and fetch a new access-token if necessary (and update the new token and expiration information) and then return the access-token is what I use.

So I used auth-source to create plstore entries for gmail and outlook containing the oauth2 tokens, and set the secret to the following function:

(require 'cl-lib)
(require 'auth-source)
(require 'oauth2)

(defun gnus-refresh-access (plist)
  "Return an oauth2 access-token for PLIST.
If the current token has expired, fetch, save, and return a new one."
  (cl-destructuring-bind
      (&key user host port token last-update
            (expires_in (alist-get 'expires_in
                                   (oauth2-token-access-response token)))
            (create-args
             (list :type 'plstore
                   :create '(:encrypted (token client-secret-sav)
                             :unencrypted (auth-url scope redirect-uri
                                           last-update smtp-auth))))
            &allow-other-keys)
      plist
    (unless (and (numberp expires_in)
                 (numberp last-update)
                 (< (float-time) (+ last-update expires_in)))
      (message "Getting new token for %s at %s:%s" user host port)
      (setq plist (plist-put plist :secret 'gnus-refresh-access))
      (setq plist (plist-put plist :last-update (truncate (float-time))))
      ;; get a new token and update the plist
      (setq plist (plist-put plist :token (oauth2-refresh-access token)))
      ;; update auth-source---if something in the plist has changed
      ;; then no entry will be found during the search, and the
      ;; create flag will be honored.
      (apply #'auth-source-search (append plist create-args)))
    ;; return the access token
    (oauth2-token-access-token (plist-get plist :token))))

By the way, I let auth-source handle the plstore rather than oauth2.el. It seemed simpler to have only one of them managing the store rather than both.

By the by the way, there are some important bugs in auth-source.el that I have fixed in my personal tree (and a few that I haven't). I'll post about them in a separate bug report at some point.

Best,
Andy

-- 
Andrew Cohen
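
The following is an added example, not part of the original message and not code from oauth2.el. It shows one way to consume a refresh response so that an `error` reply is never stored as a token, a rotated `refresh_token` is picked up, and `expires_in` becomes an absolute expiry time. The `my-oauth2-` names, the state plist layout and the 60-second skew are assumptions made for illustration.

```elisp
(require 'cl-lib)

(defconst my-oauth2-expiry-skew 60
  "Seconds before nominal expiry at which a token counts as stale (assumed).")

(defun my-oauth2-apply-refresh-response (state response &optional now)
  "Return a new state plist built from STATE and token endpoint RESPONSE.
RESPONSE is the parsed JSON alist.  STATE holds :access-token,
:refresh-token, :expires-at and :metadata.  Signal an error, leaving
STATE unused, when RESPONSE reports `error' or lacks `access_token'."
  (let ((now (or now (float-time)))
        (err (alist-get 'error response))
        (access (alist-get 'access_token response))
        (expires-in (alist-get 'expires_in response)))
    (cond
     (err (error "Token refresh failed: %s" err))
     ((not (stringp access)) (error "Token refresh returned no access_token")))
    (list :access-token access
          ;; The server may rotate the refresh token; otherwise keep the old one.
          :refresh-token (or (alist-get 'refresh_token response)
                             (plist-get state :refresh-token))
          ;; A missing or malformed expires_in gives nil, treated as always stale.
          :expires-at (and (numberp expires-in) (> expires-in 0)
                           (+ now expires-in))
          ;; Keep only the non-secret fields of the response for bookkeeping.
          :metadata (cl-remove-if
                     (lambda (cell)
                       (memq (car cell) '(access_token refresh_token)))
                     response))))

(defun my-oauth2-token-stale-p (state &optional now)
  "Return non-nil when STATE's access token must be refreshed before use."
  (let ((expires-at (plist-get state :expires-at)))
    (or (not (numberp expires-at))
        (>= (+ (or now (float-time)) my-oauth2-expiry-skew) expires-at))))

;; Constructed sample data, not real credentials.
(let* ((old '(:access-token "old-at" :refresh-token "rt-1" :expires-at 0))
       (resp '((access_token . "new-at") (expires_in . 3600)
               (token_type . "Bearer")))
       (new (my-oauth2-apply-refresh-response old resp 1000.0)))
  (cl-assert (equal (plist-get new :refresh-token) "rt-1"))
  (cl-assert (= (plist-get new :expires-at) 4600.0))
  (cl-assert (not (my-oauth2-token-stale-p new 4000.0)))
  (cl-assert (my-oauth2-token-stale-p new 4550.0))
  (cl-assert (condition-case nil
                 (progn (my-oauth2-apply-refresh-response
                         old '((error . "invalid_grant")) 1000.0)
                        nil)
               (error t))))
```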