From: David De La Harpe Golden <david@harpegolden.net>
To: Emacs developers <emacs-devel@gnu.org>
Subject: Re: Making GNUS continue to work with Gmail
Date: Thu, 13 Aug 2020 16:39:44 +0100 [thread overview]
Message-ID: <d0ab8a1d-68d8-4e03-f7a3-ff5445ddd0d0@harpegolden.net> (raw)
In-Reply-To: <m2h7t9i2mq.fsf@gmail.com>
On 11/08/2020 17:11, Robert Pluim wrote:
>
> The alternative is to register an 'Emacs' app, do the hoop jumping,
> and stick the various secret tokens in the Emacs sources, but as I
> understand it thatʼs expressly forbidden by Google's terms-of-use
> (correct me if Iʼm wrong, I haven't read them).
Just looked vaguely into this as a thunderbird and emacs user /
emacs-devel ghost. I was left seriously wondering how+why thunderbird
was still working with a gmail account (just a secondary email in my
case, fortunately), having seen this thread. Anyway, decided to write it
up and share it in case it's useful. Sorry for wall of text, tried to
structure it somewhat:
*1. Non-secret "client secrets".
*2. What Thunderbird does data point, and not just a google problem
*3. End-User supply of and/or override of client id and secret
*4. Technical implementation note, separation of implementation vs
official id concerns
*1. Non-secret "client secrets":
That assumption that people including google really think these
particular "secrets" are real secrets that are required to be be kept
secret may be false? Google do appear to recognise and accept such
desktop app hardcoded static client ids and "secrets" they issue aren't
actually secret in this case, just some bits anyone can easily snaffle e.g.
https://developers.google.com/identity/protocols/oauth2/native-app
"""
Note: incremental authorization with installed apps is not supported due
to the fact that the client cannot keep the client_secret confidential.
"""
Regarding "not supported" there - in context that doesn't mean authc and
non-incremental authz don't work, my point quoting the above was not
that aspect of it, just that you can see they appear to be well aware
the so-called client secret is not a secret in any meaningful sense in
the overall native-app-installed-on-client-desktops flow they are
talking about.
And let's see the rfc8252 google cite, note it says (quite amusingly):
https://tools.ietf.org/html/rfc8252#section-8.5
""""
Secrets that are statically included as part of an app distributed to
multiple users should not be treated as confidential secrets, as one
user may inspect their copy and learn the shared secret.
"""
And IIUC a near-mandatory protocol extension (pkce rfc7636,
https://oauth.net/2/pkce/ ) means core security properties are not or no
longer strongly linked to these particular "secrets" being secret.
=> I think they're not real secrets? Not to say a lot of attention to
the legal side wouldn't still be required if an official client id and
secret were sought.
Google further apparently doesn't support "dynamic client registration"
(I think unlike a lot of in-house corporate auth servers using oauth2 on
intranets as a "modern" kerberos replacement?), so such valid static app
client ids and secrets can only be obtained via their full web interface
for issuing and approval workflow, which would certainly still involve
agreeing to lots of incomprehensible legalese things.
https://stackoverflow.com/questions/36260097/is-openid-connect-dynamic-client-registration-possible-with-google
*2. What Thunderbird does data point, and not just a google problem:
Now, definitely no idea of legalities it happens under either, nor
advocating emacs should necessarily take the same approach, but as a
data point, it looks to me like Mozilla Thunderbird (MPL2.0 licensed) at
time of writing does appear to be simply openly embedding a bunch of
static oauth2 app client ids and client (non-)secrets for
Google, Yahoo, Mail.ru, Yandex, Aol and Microsoft
https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.jsm#51
*** If nothing else, seems clear it is already becoming not just a
google problem.
Presumably someone from Mozilla applied for and got those ids and
secrets from each provider.
And of course, even if it's legally okay for someone acting for GNU to
similarly get some static client ids and (non-)secrets issued from
google (and the others) to similarly embed openly in the GNU Emacs
official sources, subject to their approval whims whatever they may be -
and seems like a "pray I do not alter the deal further" scenario, sigh,
can certainly imagine them just turning it off later. Or turning on
billing: given google, I'd also be vaguely suspicious about them not
using it super-maliciously, but being able to use it as a key (in a db
sense) for trying to charge an app developer instead of an end user,
*3. End-User supply of and/or override of client id and secret:
There is strong precedent there in that the chromium codebase itself
also supports env vars setting of arbitrary user-specified runtime
override api access client ids and secrets when it doesn't have its own
hardcoded embedded ones compiled in, or if a dev just wants to use
different ones:
https://www.chromium.org/developers/how-tos/api-keys
I believe e.g. debian doesn't or didn't build their chromium with them,
but still allows users to supply their own if they want by that mechanism.
*4. Technical implementation note, separation of implementation vs
official id concerns:
Also to note Julien Danjou appears to have already written an emacs
oauth2 package:
https://elpa.gnu.org/packages/oauth2.html
(defun oauth2-auth-and-store (auth-url token-url scope client-id
client-secret &optional redirect-uri state)
(and with the likes of elnode, I guess the open a transient localhost
port redirect uri flow is viable to streamline token acquisition)
Presumably any emacs implementation for imap access use could easily
allow for end-user customizable override of either a prepopulated table,
or an empty table of the required provider, static client id, client
secret, mappings.
=> the technical side looks doable (especially since a lot of it looks
already done by Julien) and is not actually google specific (and may be
useful for both other public providers and private in-house ones in
companies etc.), it does look to me like the decision of whether to
implement the facility at all (that may still be playing into their
hands in a sense of course) could be made independently of whether to
actually apply for and embed an official static client ids and secrets
for the various public providers who apparently want one, including, but
not limited to, google in particular?
next prev parent reply other threads:[~2020-08-13 15:39 UTC|newest]
Thread overview: 120+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <m38shor86n.fsf@fitzsim.org>
[not found] ` <E1jbFn6-000436-BO@fencepost.gnu.org>
[not found] ` <m3eereog5f.fsf@fitzsim.org>
[not found] ` <E1jbcAz-0007XM-DE@fencepost.gnu.org>
[not found] ` <m3k115mkbk.fsf@fitzsim.org>
[not found] ` <E1jby42-0007jM-Ov@fencepost.gnu.org>
[not found] ` <m31rnamz1t.fsf@fitzsim.org>
[not found] ` <E1jySVw-0002Qc-Qv@fencepost.gnu.org>
[not found] ` <87v9ienz6c.fsf@gnus.org>
[not found] ` <E1jyoSh-0000o6-N0@fencepost.gnu.org>
[not found] ` <878sf9c69y.fsf@gnus.org>
[not found] ` <E1jzBBX-0007nJ-0s@fencepost.gnu.org>
[not found] ` <871rkw62t3.fsf@gnus.org>
2020-08-06 3:45 ` Making GNUS continue to work with Gmail Richard Stallman
2020-08-06 5:51 ` 황병희
2020-08-06 17:08 ` Cesar Crusius
2020-08-06 17:32 ` Robert Pluim
2020-08-06 18:09 ` Cesar Crusius
2020-08-11 13:43 ` Colin Baxter
2020-08-11 13:55 ` Colin Baxter
2020-08-11 15:19 ` Uwe Brauer
2020-08-11 15:22 ` Uwe Brauer
2020-08-11 16:02 ` Colin Baxter
2020-08-12 2:29 ` Richard Stallman
2020-08-12 5:29 ` Colin Baxter
2020-08-07 2:56 ` Richard Stallman
2020-08-07 17:02 ` Cesar Crusius
2020-08-07 18:37 ` Michael Anckaert
2020-08-08 0:01 ` Cesar Crusius
2020-08-08 0:53 ` T.V Raman
2020-08-08 3:53 ` Richard Stallman
2020-08-08 3:53 ` Richard Stallman
2020-08-08 3:54 ` Richard Stallman
2020-08-09 7:59 ` Uwe Brauer
2020-08-09 8:40 ` Lars Ingebrigtsen
2020-08-09 10:02 ` Uwe Brauer
2020-08-10 3:23 ` Richard Stallman
2020-08-10 6:43 ` Uwe Brauer
2020-08-10 9:03 ` Robert Pluim
2020-08-10 11:36 ` Uwe Brauer
2020-08-11 3:30 ` Richard Stallman
2020-08-09 10:06 ` Uwe Brauer
2020-08-09 10:36 ` Lars Ingebrigtsen
2020-08-09 10:57 ` Robert Pluim
2020-08-09 11:03 ` Robert Pluim
2020-08-09 13:06 ` 황병희
2020-08-09 16:04 ` Uwe Brauer
2020-08-09 13:01 ` 황병희
2020-08-09 16:06 ` Uwe Brauer
2020-08-10 1:03 ` 황병희
2020-08-10 15:54 ` T.V Raman
2020-08-11 2:40 ` 황병희
2020-08-11 9:59 ` Robert Pluim
2020-08-11 12:54 ` 황병희
2020-08-11 15:25 ` Uwe Brauer
2020-08-11 16:11 ` Robert Pluim
2020-08-11 18:05 ` João Távora
2020-08-11 18:17 ` Robert Pluim
2020-08-12 2:27 ` Richard Stallman
2020-08-12 4:27 ` 황병희
2020-08-12 3:41 ` arthur miller
2020-08-12 6:42 ` tomas
2020-08-12 12:11 ` Arthur Miller
2020-08-12 15:55 ` Stefan Monnier
2020-08-12 16:00 ` tomas
2020-08-12 6:54 ` Uwe Brauer
2020-08-12 7:53 ` tomas
2020-08-12 12:40 ` Uwe Brauer
2020-08-13 2:09 ` 황병희
2020-08-13 2:51 ` Stefan Monnier
2020-08-13 6:48 ` Uwe Brauer
2020-08-12 11:30 ` Eric S Fraga
2020-08-12 12:40 ` Arthur Miller
2020-08-12 13:02 ` Eric S Fraga
2020-08-12 17:13 ` Eric Abrahamsen
2020-08-13 15:39 ` David De La Harpe Golden [this message]
2020-08-13 17:40 ` David Engster
2020-08-13 17:53 ` Stefan Monnier
2020-08-14 10:06 ` Lars Ingebrigtsen
2020-08-15 4:35 ` Richard Stallman
2020-08-14 10:13 ` Lars Ingebrigtsen
2020-08-14 14:49 ` Uwe Brauer
2020-08-14 14:56 ` Lars Ingebrigtsen
2020-08-14 17:24 ` Uwe Brauer
2020-08-14 17:39 ` Cesar Crusius
2020-08-15 4:44 ` Richard Stallman
2020-08-15 9:45 ` Gregory Heytings via Emacs development discussions.
2020-08-17 6:00 ` 范凯
2020-08-17 8:23 ` tomas
2020-08-17 12:30 ` Gregory Heytings via Emacs development discussions.
2020-08-17 15:09 ` tomas
2020-08-17 13:03 ` David De La Harpe Golden
2020-08-15 11:09 ` Robert Pluim
2020-08-16 4:13 ` Richard Stallman
2020-08-16 8:17 ` Gregory Heytings via Emacs development discussions.
2020-08-17 3:23 ` Richard Stallman
2020-08-17 7:51 ` Gregory Heytings via Emacs development discussions.
2020-08-17 16:05 ` David De La Harpe Golden
2020-08-18 4:08 ` Richard Stallman
2020-08-18 9:15 ` Gregory Heytings via Emacs development discussions.
2020-08-21 3:38 ` Richard Stallman
2020-08-21 17:16 ` Gregory Heytings via Emacs development discussions.
2020-08-22 7:24 ` Arthur Miller
2020-08-22 9:44 ` Gregory Heytings via Emacs development discussions.
2020-08-23 4:46 ` Richard Stallman
2020-08-17 15:02 ` Uwe Brauer
2020-08-17 16:44 ` Gregory Heytings via Emacs development discussions.
2020-08-17 19:34 ` Uwe Brauer
2020-08-17 21:47 ` Gregory Heytings via Emacs development discussions.
2020-08-18 4:10 ` Richard Stallman
2020-08-18 4:11 ` Richard Stallman
2020-08-26 14:44 ` Eric S Fraga
2020-08-26 20:22 ` Pierre Téchoueyres
2020-08-27 11:25 ` Eric S Fraga
2020-08-27 2:50 ` Richard Stallman
2020-08-27 11:28 ` Eric S Fraga
2020-08-27 12:03 ` tomas
2020-08-27 12:26 ` Making GNUS continue to work with Gail Eric S Fraga
2020-08-27 12:30 ` Making GNUS continue to work with Gmail Andrew Cohen
2020-08-27 12:52 ` Eric S Fraga
2020-08-28 3:49 ` Richard Stallman
2020-08-28 5:35 ` Andrew Cohen
2020-08-29 4:10 ` Richard Stallman
2020-08-28 3:50 ` Richard Stallman
2020-09-01 16:23 ` Uwe Brauer
2020-09-02 9:57 ` Pankaj Jangid
2020-08-15 19:39 ` Cesar Crusius
2020-08-16 17:23 ` David De La Harpe Golden
2020-08-16 11:54 ` Uwe Brauer
2020-08-16 14:27 ` David De La Harpe Golden
2020-08-11 16:09 ` Mingde (Matthew) Zeng
2020-08-12 2:28 ` Richard Stallman
2020-08-12 6:47 ` tomas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d0ab8a1d-68d8-4e03-f7a3-ff5445ddd0d0@harpegolden.net \
--to=david@harpegolden.net \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).