From: Lars Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: Making GNUS continue to work with Gmail
Date: Fri, 14 Aug 2020 12:13:23 +0200
Message-ID: <87364pbkn0.fsf@gnus.org>
To: David De La Harpe Golden
Cc: Emacs developers
In-Reply-To: (David De La Harpe Golden's message of "Thu, 13 Aug 2020 16:39:44 +0100")

David De La Harpe Golden writes:

> Anyway, decided to write it up and share it in case it's useful.
> Sorry for wall of text, tried to structure it somewhat:

Thank you; it's the most cogent article I've read on this subject.
:-)

Just some short comments:

> And IIUC a near-mandatory protocol extension (pkce rfc7636,
> https://oauth.net/2/pkce/ ) means core security properties are not or
> no longer strongly linked to these particular "secrets" being secret.

Yeah, they're not secret secrets, but just a way to make a specific
entity take responsibility for a class of API usage, which enables
easier tracking (and later billing).

> *2. What Thunderbird does data point, and not just a google problem:

[...]

> Google, Yahoo, Mail.ru, Yandex, Aol and Microsoft
>
> https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.jsm#51

I guess it would be rude for Emacs to just use those credentials. :-)

> *3. End-User supply of and/or override of client id and secret:

[...]

> https://www.chromium.org/developers/how-tos/api-keys
>
> I believe e.g. debian doesn't or didn't build their chromium with
> them, but still allows users to supply their own if they want by that
> mechanism.

[...]

> Also to note Julien Danjou appears to have already written an emacs
> oauth2 package:
>
> https://elpa.gnu.org/packages/oauth2.html

Yeah, we could just use that and tell the users to "just" register their
own developer accounts at Google and then put the keys somewhere. It's
a really really horrid experience to go through, though, and Google will
sic an API compliancy review at the users at random.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
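
The PKCE point quoted in the message above, as an added example that is not part of the original post and is not code from the oauth2 package or any provider: a toy authorization server in which the client id and secret are known to everyone, yet an intercepted authorization code still cannot be redeemed without the per-login verifier. `ToyAuthServer`, the client id and the secret are constructed for illustration; the S256 transform follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed values: they stand in for a client id/secret that ships inside
# a distributed mail client and is therefore readable by anyone.
PUBLIC_CLIENT_ID = "example-mail-client"
PUBLIC_CLIENT_SECRET = "shipped-in-source"

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """Fresh per-login code_verifier: 32 random bytes -> 43 characters."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """Hypothetical in-memory authorization server (illustration only)."""

    def __init__(self):
        self._pending = {}  # authorization code -> stored code_challenge

    def authorize(self, client_id: str, code_challenge: str) -> str:
        if client_id != PUBLIC_CLIENT_ID:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, client_id, client_secret, code, code_verifier):
        # The code is single use: it is consumed on any redemption attempt.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        if (client_id, client_secret) != (PUBLIC_CLIENT_ID, PUBLIC_CLIENT_SECRET):
            return None
        # Knowing the public secret is not enough; the verifier must match.
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None
        return "access-" + secrets.token_urlsafe(8)
```
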