From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Thomas Fitzsimmons Newsgroups: gmane.emacs.devel Subject: [GNU ELPA] New package: url-http-oauth Date: Sat, 06 May 2023 01:07:16 -0400 Message-ID: Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="15961"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sat May 06 07:08:21 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pvA9d-0003yx-6I for ged-emacs-devel@m.gmane-mx.org; Sat, 06 May 2023 07:08:21 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pvA8h-0003WB-QL; Sat, 06 May 2023 01:07:23 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pvA8f-0003Vh-Of for emacs-devel@gnu.org; Sat, 06 May 2023 01:07:21 -0400 Original-Received: from mail.fitzsim.org ([69.165.165.189]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pvA8d-0002nh-I1 for emacs-devel@gnu.org; Sat, 06 May 2023 01:07:21 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fitzsim.org ; s=20220430; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=eYbVgwUkcpNt+3M8z6UgIBCWPhEMh0e6MXq9g53wNbk=; b=hBA4uEzpWjjQG+JNPMQniYyqtp MKmIj3rVSzHr7sDxJoJfy39H0jjNVGziPHvjyskpc2/4V8KzZ0M4/g2uc8KAolx98CkRKyvkHtCi+ KAdiV99Q6lx+nKaklKDjyPvtVTBEBmLil3VwQhqUZKI7319WHdVjbHnBkZfVvxoT3PioMHlxbXG5e urnruhlegaqiUf5KAF92svqzukd1SDtY9mm7ZYq1ynHVHqoR48nwBW8aZoBK21xrJJWb5i3LWHwOu aLGubFqcKq/5pw642oXZFT6HzJJLrm+EZZj23pEC80QK+rgBakEyPy8omkqQk2D3rHoEkYSbsq/Hs PiRbhnHQ==; Original-Received: from [192.168.1.1] (helo=localhost.localdomain) by mail.fitzsim.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1pvA8a-0004iS-S0 for emacs-devel@gnu.org; Sat, 06 May 2023 01:07:17 -0400 Received-SPF: pass client-ip=69.165.165.189; envelope-from=fitzsim@fitzsim.org; helo=mail.fitzsim.org X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:305888 Archived-At: Hi, I would like to add one or two new packages to GNU ELPA. The main one is url-http-oauth, which adds OAuth 2.0 support to the URL library, via "url-auth" hooks, like url-http-basic, url-http-digest and url-http-ntlm. It provides auth-source integration for secrets, using the netrc backend. https://git.sr.ht/~fitzsim/url-http-oauth This package is unrelated to oauth2.el in GNU ELPA, which provides new oauth2-url-retrieve and oauth2-url-retrieve-synchronously functions, and has plstore instead of auth-source integration. For Excorporate, I needed something that would work with the built-in url-retrieve functions and I couldn't see how to do that with oauth2.el. I haven't tested, but I see no reason that the two packages would interfere with one another. For the next release of Excorporate I want to depend on url-http-oauth to fix the longstanding bug#50113, "Excorporate: Communicating with domain that requires SSO?". I have the changes ready; I am using them daily. The OAuth 2.0 standard encodes the use of a user-agent (i.e., web browser) for authorization steps which differ per OAuth 2.0 provider, and are not defined by the specification. I have provided support for package authors and users to write custom functions to automate these web browser interactions in arbitrary ways: AUTHORIZATION-CODE-FUNCTION is an elisp function that takes an authorization URL as a string argument, and returns, as a string, a full URL containing a code value in its query string. By default though, url-http-oauth will prompt the user to copy-n-paste URLs to and from the web browser. This is the most general default I could think of; for example, this allows performing authorization in a local web browser then pasting the result to an Emacs session running three SSH hops away, where `browse-url' may not do the right thing. Users and package authors can design automatic user-agent interactions, but those ways are so varied that I wanted to see how they would evolve. For example, I would like to see someone write an authorization-code-function for Sourcehut that would use EWW inline. For other OAuth 2.0 providers whose authorization steps require JavaScript, EWW would not work. I have published another, tiny package: https://git.sr.ht/~fitzsim/url-http-oauth-demo It demonstrates the use of url-http-oauth against the Emacs-friendliest OAuth 2.0 implementation I've found: Sourcehut. Sourcehut's implementation is entirely Free Software, and it does not require JavaScript in the authorization steps. Its client registration process does not have onerous terms of use. Any Sourcehut user should be able to get url-http-oauth-demo working. Maybe this package makes sense in GNU ELPA, or perhaps it could be part of url-http-oauth's documentation. I wrote these packages myself [1] and I have copyright assignment paperwork on file. Thomas 1. Except url-http-oauth--netrc-delete, which borrows lots of code from auth-source.el.