unofficial mirror of emacs-devel@gnu.org 
From: Andrew Cohen <acohen@ust.hk>
To: "Roland Winkler" <winkler@gnu.org>
Cc: emacs-devel@gnu.org
Subject: Re: oauth2 support for Emacs email clients
Date: Wed, 11 Aug 2021 08:43:21 +0800
Message-ID: <87fsvgolp2.fsf@ust.hk>
In-Reply-To: <8735rhfjoi.fsf@gnu.org> (Roland Winkler's message of "Tue, 10 Aug 2021 09:39:25 -0500")

>>>>> "RW" == Roland Winkler <winkler@gnu.org> writes:


[...]


    RW> I just want to confirm I have read your posts with great
    RW> interest, thank you.  I am still in the process of digesting
    RW> them.  These topics (including emacs tools like plstore /
    RW> auth-store / auth-source) have not been my area of expertise.
    RW> So I am still trying to understand better how to put these
    RW> things together so that I get what I want / need.

I hope I can provide useful info. (I keep accidentally typing
"auth-store" instead of "auth-source" so I think that's one less topic to
worry about :))

    RW> In the meanwhile one question:

    RW> With your setup, what happens if you need to restart emacs?  Are
    RW> you storing the oauth2 tokens on disk so that you need not
    RW> re-authenticate (as long as the tokens themselves remain valid,
    RW> which is 30 days for my organizations)?

Yes, the oauth2 credentials are stored on disk. Everything works as
usual upon restarting emacs: gnus uses auth-source to retrieve the
appropriate credentials from the on-disk storage and the existing
refresh-token is used to automatically obtain a new access-token (a
password is requested to decrypt the on-disk storage if the cached value
has timed out, but otherwise no action by the user is needed).

auth-source is a great way to store and retrieve credentials for
accessing services (and other things too). It is used by gnus, smtpmail
(and I think rmail) and probably lots of other service-based things.

A typical entry includes host, user, port, secret (i.e. password) and
whatever other things you like. auth-source has several different
storage backends (netrc, plstore, json, secrets, and several more) and a
simple search mechanism that spans different backends to retrieve
appropriate authentication data.

For my oauth2 imap and smtp access I simply created appropriate entries
(each of which includes a token structure as defined in oauth2.el)
using the plstore backend (so the entry is stored on disk with the
sensitive parts encrypted).

Aside from the slightly funky structure of the auth-source entry
(including an oauth2 token) this works exactly as any other auth-source
entry for using imap or smtp---that was the reason for setting it up this
way, so it looked like any other SASL to the user and didn't require a
new package (just some minor tweaks to existing code).


Aside: I have another minor change to push to auth-source to make this
work. The plstore backend in auth-source only encrypts the :secret
entry, but I want to keep the client-secret and the oauth2 token
structure in the entry encrypted as well. This required some minor
tweaking to auth-source to allow specifying which parts of the entry
are encrypted and which are unencrypted. Patch below (which I will push
myself in a while).

diff --git a/lisp/auth-source.el b/lisp/auth-source.el
index 6919738398..faddbdee1a 100644
--- a/lisp/auth-source.el
+++ b/lisp/auth-source.el
@@ -2120,11 +2120,17 @@ auth-source-plstore-create
          (base-secret '(secret))
          ;; we know (because of an assertion in auth-source-search) that the
          ;; :create parameter is either t or a list (which includes nil)
-         (create-extra (if (eq t create) nil create))
+        (create-secret-extra (plist-get create :encrypted))
+         (create-extra (if (eq t create) nil
+                        (or
+                         (append
+                          (plist-get create :unencrypted) create-secret-extra)
+                            create)))
          (current-data (car (auth-source-search :max 1
                                                 :host host
                                                 :port port)))
          (required (append base-required create-extra))
+        (required-secret (append base-secret create-secret-extra))
          ;; `valist' is an alist
          valist
          ;; `artificial' will be returned if no creation is needed
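Review bot: the new plist shape of `:create` (`(:encrypted (...) :unencrypted (...))`) is undocumented in this hunk: the comment just above still says `:create` is "either t or a list", and the docstring of `auth-source-plstore-create` (and of `auth-source-search`, which asserts on `:create`) should state that a plain list of extra keys and this plist form are both accepted and what each means. `required-secret` is also bound here but nothing in the hunk consumes it, while `base-secret` stays in scope; the later code that decides which values go into the encrypted part of the plstore entry has to test against `required-secret`, otherwise the keys listed under `:encrypted` are still written in the clear, which is exactly the defect this change is meant to fix. A smaller point: when the plist form is used with both lists empty, `(append nil nil)` is nil and the `or` falls back to the whole plist, so `:encrypted` and `:unencrypted` themselves end up in `required`; detecting the plist form with `(plist-member create :encrypted)` instead of relying on `or` avoids that. Minor: the two `+` bindings are indented one column less than the neighbouring `let*` bindings.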


Best,
Andy


-- 
Andrew Cohen

Director, HKUST Jockey Club Institute for Advanced Study
Lam Woo Foundation Professor and Chair Professor of Physics

The Hong Kong University of Science and Technology
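The setup Andrew describes, an auth-source entry in a plstore file whose client-secret and oauth2 token are kept in the encrypted part, as an added example that is neither code from his message nor from auth-source.el. It assumes the patch above is applied, so that the `:create` argument of `auth-source-search` may be a plist with `:encrypted` and `:unencrypted` lists of extra keys; the file name, host, user, client-id, the property names `:client-id`/`:client-secret`/`:token` and the placeholder token value are assumptions constructed for illustration, and the `my-` functions are hypothetical helpers.

```elisp
;; Added example; not code from Andrew's message or from auth-source.el.
;; Assumes the patched `auth-source-plstore-create', where :create may be
;; a plist of :encrypted / :unencrypted extra keys.  File name, host, user,
;; client-id and the token value below are constructed placeholders.
(require 'auth-source)

(defun my-oauth2-store-entry (host port user client-id client-secret token)
  "Create a plstore auth-source entry for USER at HOST:PORT and save it.
CLIENT-SECRET and TOKEN go into the encrypted part of the entry
together with :secret; CLIENT-ID is stored in the clear.  The :secret
value itself is not passed, so auth-source prompts for it with
`read-passwd'.  Returns the entry plist."
  ;; A source whose file name ends in .plist selects the plstore backend.
  (let* ((auth-sources
          (list (expand-file-name "oauth2-example.plist" user-emacs-directory)))
         (entry (car (auth-source-search
                      :host host :port port :user user
                      ;; Values for the extra keys are taken from the
                      ;; search spec instead of being prompted for.
                      :client-id client-id
                      :client-secret client-secret
                      :token token
                      ;; Patched :create form: which extras are encrypted.
                      :create '(:encrypted (client-secret token)
                                :unencrypted (client-id))
                      :max 1))))
    ;; A freshly created entry carries a :save-function; nothing reaches
    ;; disk until it is called.
    (let ((save (plist-get entry :save-function)))
      (when save (funcall save)))
    entry))

(defun my-oauth2-entry-value (entry key)
  "Return the value stored under KEY (e.g. :token or :secret) in ENTRY.
auth-source returns :secret as a closure that yields the value when
called, so unwrap that case; other values are returned as they are."
  (let ((val (plist-get entry key)))
    (if (functionp val) (funcall val) val)))

;; Example call with constructed placeholder values (not real credentials).
;; The last argument stands in for whatever token structure oauth2.el
;; produced; it is left commented out because the call prompts for :secret.
;; (my-oauth2-store-entry "imap.example.com" "993" "me@example.com"
;;                        "client-id-placeholder" "client-secret-placeholder"
;;                        '(:placeholder-token "constructed"))
```

The point of the split is the one the message makes: the entry still looks like any other auth-source record to gnus or smtpmail (host, user, port, secret), so the client code is unchanged, while the long-lived refresh material (client-secret and token) is no longer written to disk in cleartext next to a merely encrypted `:secret`. Reading the saved file back with plain `plist-get` on a search result shows which properties the backend treated as secret.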


