From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: "Roland Winkler" Newsgroups: gmane.emacs.devel Subject: Re: oauth2 support for Emacs email clients Date: Sun, 08 Aug 2021 01:01:25 -0500 Message-ID: <87pmuofpai.fsf@gnu.org> References: <52589.36892.953561.24840@gargle.gargle.HOWL> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="16899"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) Cc: emacs-devel@gnu.org To: Richard Stallman Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sun Aug 08 08:02:12 2021 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mCbsx-0004EL-W1 for ged-emacs-devel@m.gmane-mx.org; Sun, 08 Aug 2021 08:02:11 +0200 Original-Received: from localhost ([::1]:42118 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mCbsv-000103-RV for ged-emacs-devel@m.gmane-mx.org; Sun, 08 Aug 2021 02:02:09 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:50266) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mCbsQ-0000Km-F3 for emacs-devel@gnu.org; Sun, 08 Aug 2021 02:01:38 -0400 Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]:54668) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mCbsQ-0005sf-7U for emacs-devel@gnu.org; Sun, 08 Aug 2021 02:01:38 -0400 Original-Received: from [2600:1700:5650:f790::42] (port=34894 helo=regnitz) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mCbsE-0003X6-Qa; Sun, 08 Aug 2021 02:01:26 -0400 In-Reply-To: (Richard Stallman's message of "Tue, 03 Aug 2021 19:38:26 -0400") X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:272190 Archived-At: > > Now, using oauth2.el from GNU Elpa, I have got the basics > > (authentication and authorization) working. This required some ugly > > configuration within MS Azure. But I am still some distance away > > from a smooth workflow, say, using Gnus. > > Can you tell us more details of > (1) what you did to make this work, and My starting point was oauth2.el in GNU elpa. Its main entry point is oauth2-auth that requires several arguments auth-url: URL for authentication token-url: URL for requesting authorization client-id client-secret redirect-uri: I got these from MS Azure by registering my "personnal app" for communicating with Office365 > (2) what problems remain? - The first problem has been documentation: both the Office365 machinery and oauth2.el assume that users know what they need to do. I spent a good amount of time trying to figure out - how the OAuth2 protocol works in general - how the OAuth2 protocal relates to the particalur problem I needed to address - what functionality is provided by oauth2.el (it "implements the OAuth 2.0 draft") - how the general functionality provided by oauth2.el relates to the particalur problem I needed to address - what remaining steps were not (yet) implemented in relevant emacs packages (imap and smtpmail) - Others in this thread have mentioned davmail. This is a project (published under GPL 2) that works as a local proxy server that allows IMAP and SMTP clients to connect to Office365. So its main purpose of existence are essentially the issues we are discussing here. I have tried davmail and it seems to work. I am mentioning it here because some discussions on its mailing list gave me the impression that the entire topic is a hairy one which does not permit a "one size fits all" solutions because, say, institutions that use Office365 (i.e., institutions like the one I am working for and that's forcing me to go through this pain), they have some freedom to configure what OAuth2 means for their users (say: multi-factor authentication), and they can also configure to what extent their users can configure MS Azure as mentioned above. So whatever I am writing here may be more or less irrelvant for others, even if they likewise have to use Office365 (not to mention Gmail). Others have mentioned "officially" registering Emacs as IMAP/SMTP clients for Office365 (and possibly Gmail), similar to what seems to be the case for Thunderbird. I am wondering how davmail is doing this. - It is my understanding of the internals of its code that oauth2.el effectively delegates authentication to a browser that receives the authentication token as a redirect uri. The last line of code in oauth2-request-authorization is: (read-string "Enter the code your browser displayed: ")) This step is awkward, even if it is only rarely needed. > > More importantly, email clients need to regularly refresh the oauth2 > > access token. I believe Emacs is not yet suited for this. > > Can you tell us any more about what "regularly" concretely means? > For instance, is this based on elapsed time? Actions carried out? > It doesn't sound like something that will be difficult. The OAuth2 protocol uses an access token and a refresh token. The access token is used to access the server, but it has a shorter lifetime. When the access token has expired, it can be refreshed during a running session. Others reported in this thread that oauth2.el supports this (for them), so I stand corrected. >From the code base of oauth2.el I haven't been able to figure out what happens when the refresh tokens expires. With my institution, this happens after 30 days. So this may be a less pressing issue. Still it is probably good (and not too difficult) to handle this gracefully. Also, I have not yet been able to figure out what happens when a new emacs session is started. oauth2.el uses plstore. Does this work across multiple emacs sessions, or is it then necessary to go again through the (more tedious) multi-factor authentication? Depending on a user's work flow with emacs and also depending on what authentication means for this user, that may be an issue or not. Maybe others can comment here. And yes, I believe that earlier this week both imap.el and smtpmail.el have been updated in trunk to support oauth2. It may make sense to promote oauth2.el from GNU Elpa to emacs core.