From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: oauth2 support for Emacs email clients
Date: Mon, 09 Aug 2021 02:05:23 +1000
Message-ID: <87im0frj5r.fsf@gmail.com>
References: <52589.36892.953561.24840@gargle.gargle.HOWL> <87pmuofpai.fsf@gnu.org> <87sfzk71xw.fsf@randomsample> <87k0kw6liw.fsf@randomsample>
User-Agent: mu4e 1.6.2; emacs 28.0.50
To: emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:272207

Thomas Fitzsimmons writes:

> David Engster writes:
>
>>> David Engster writes:
>>>
>>>>> Others have mentioned "officially" registering Emacs as IMAP/SMTP
>>>>> clients for Office365 (and possibly Gmail), similar to what seems
>>>>> to be the case for Thunderbird. I am wondering how davmail is
>>>>> doing this.
>>>>
>>>> Microsoft has actually recognized that it does not make sense for
>>>> desktop applications to embed secrets into their code, so they
>>>> distinguish between "public" and "confidential" client applications:
>>>>
>>>> https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications
>>>>
>>>> Public client applications do not have a client secret but only an ID
>>>> which can simply be embedded into the application, which is how DavMail
>>>> does it. Public client applications are only allowed to access web APIs
>>>> on behalf of the user, but this is usually enough.
>>>
>>> Interesting, but are public client applications allowed to use
>>> IMAP/SMTP? Or must public client applications use WebDAV to communicate
>>> with Microsoft servers, like DavMail does?
>>
>> As I've written: Public client applications are only allowed to access
>> web APIs, so no IMAP/SMTP.
>
> OK; I wasn't sure if by "web APIs" you meant only "OAuth-related web
> APIs". Thanks for confirming.
>
> I wonder why Microsoft does not allow public client applications to use
> IMAP/SMTP.
>

MS doesn't like people using IMAP/SMTP mainly because email is really
only just a part of their 'environment'. Office 365 and Exchange are not
mail servers - they are a 'unified communication stack', which includes
email, calendaring, chat, document sharing, etc.

The other reason they don't want direct access to IMAP and even SMTP is
because they are also adding lots of other 'enterprise' and security
features - for example, not allowing attachments which have not got the
right policy classification, preventing 'sensitive' data being sent to
external parties and adding features like read receipts, the ability to
recall messages and even emails which 'auto destruct' or time out. They
cannot add these features to IMAP or SMTP, and if they allow these
protocols, then all these other 'features' can be bypassed.

MS will advise organisations not to enable IMAP or external direct SMTP
access, and the C-level execs will follow that advice because if they
don't and something goes wrong (even if unrelated), they will be blamed.
Things will still go wrong, but at least they can say they were following
the 'experts' advice and 'best practice'.

I wouldn't be at all surprised if MS removed IMAP support altogether at
some point in the future. There is even a growing resistance to email in
the corporate sector, and try talking to young people about email - most
of them only deal with it under sufferance.

My plumber actually told me last week that they no longer send invoices
via email - instead, they send an SMS with a link to the invoice on a
server. If they weren't such good and reliable plumbers, I would consider
changing companies.

>> I usually use DavMail to get my mail downloaded to a locally running
>> IMAP server.
>>
>> So yes, simply registering Gnus as a public client is not enough, one
>> would also need a new backend specifically for Exchange.
>
> Hmm, yeah. I'd prefer to keep using IMAP/SMTP, standards designed for
> email. Excorporate does some email operations via EWS, but it seems
> strange to extend Excorporate (and make a Gnus backend for it) to handle
> all of email just to avoid application registration issues with a new
> IMAP/SMTP authentication method.
>
> IMAP/SMTP are already implemented and work fine for other email
> services, and they can authenticate via OAuth (assuming registration is
> sorted out).
>
>>> It seems like Thunderbird could act as a public client application,
>>> however I believe it is currently acting as a confidential client
>>> application. I wonder why.
>>
>> Because they want to use IMAP/SMTP.
>
> Maybe the FSF could request that Emacs be registered as a public client
> application and also be allowed to use IMAP/SMTP. That would solve the
> "embedding a secret in Free Software" part of the OAuth registration
> issue, at least for Microsoft servers.
>

I think this is unlikely due to the reason outlined above. MS isn't
really that interested in either the 'individual' or simply providing
email. They are selling a much bigger picture with a focus on the
'enterprise' and selling snake oil to those C-level executives who are
worried about security and PR and who think the solution is to manage and
restrict what users can do.

It is likely that if you have to use Office 365/Outlook, then davmail may
be the best solution. At least it is GPL'd software.
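The thread above turns on the difference between a "public" OAuth client (no client secret, only a client ID that can sit in Free Software source) and a "confidential" one, and on whether such a client can present the resulting token to IMAP/SMTP. The block below is an added illustration of those two mechanisms; it is not code from this thread, from Emacs, Gnus, Excorporate or DavMail. A public client proves possession of the authorization code with PKCE (RFC 7636) instead of a secret, and IMAP/SMTP servers that accept OAuth consume the access token through the SASL XOAUTH2 initial response. The client ID, endpoint URLs, user name and token below are constructed placeholders. Whether a given provider actually lets a public client use IMAP/SMTP is the registration/policy question the thread discusses; nothing in the code changes that.

```python
"""PKCE for a secret-less (public) OAuth client, plus the SASL XOAUTH2
string that IMAP/SMTP servers accept when OAuth is permitted.

Added example; not the thread's or any project's code. All identifiers
and endpoints are constructed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not a real registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
AUTHORIZE_ENDPOINT = "https://login.example.invalid/oauth2/v2.0/authorize"
REDIRECT_URI = "http://localhost:8080/callback"
SCOPE = "openid offline_access https://outlook.example.invalid/IMAP.AccessAsUser.All"


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes give 43 url-safe characters,
    the RFC 7636 minimum (maximum is 128)."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(state: str, verifier: str) -> str:
    """Authorization request for a public client: the challenge is sent now,
    the verifier only later, so an intercepted code is useless by itself."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def public_client_token_request(code: str, verifier: str) -> dict:
    """Form fields a public client posts to the token endpoint.
    Note what is absent: there is no client_secret to embed in the program."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does with the verifier at the token
    endpoint: recompute the challenge and compare in constant time."""
    try:
        recomputed = code_challenge_s256(presented_verifier)
    except ValueError:
        return False
    return secrets.compare_digest(stored_challenge, recomputed)


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response used by IMAP/SMTP:
    base64("user=" user ^A "auth=Bearer " token ^A ^A).
    This is where an OAuth-issued token replaces a password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = _b64url(secrets.token_bytes(16))
    print("Browser would open:", authorization_url(state, verifier))
    # Constructed values standing in for the redirect and token response.
    print("Token request:", public_client_token_request("CONSTRUCTED_CODE", verifier))
    print("IMAP: AUTHENTICATE XOAUTH2",
          xoauth2_initial_response("user@example.invalid", "CONSTRUCTED_TOKEN"))
```

The `server_verifies` function is included so the two halves of PKCE can be seen together: an attacker who only captures the authorization code cannot redeem it without the verifier, which never left the client, and that is what lets the client ID be published without a secret. The XOAUTH2 string is what an IMAP `AUTHENTICATE XOAUTH2` or SMTP `AUTH XOAUTH2` command carries; the registration decision about whether a public client may use it is made server-side.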