* Extending auth-source and plstore for more XOAUTH2 scenarios
@ 2023-05-11 20:22 Farblos
2023-05-11 21:04 ` Thomas Fitzsimmons
2023-05-18 0:04 ` Björn Bidar
0 siblings, 2 replies; 3+ messages in thread
From: Farblos @ 2023-05-11 20:22 UTC (permalink / raw)
To: emacs-devel
Hi,
I've made some extensions to package auth-source and plstore to cover
more XOAUTH2 scenarios. My employer uses MS Office 365 with a device
grant for the MUTT/Gnus/whatever outcasts, where you need additional URL
parameters to refresh an access token. Plus I store the access token
*and* its expiry date in a plstore to avoid token refresh cycles as much
as possible.
The changes comprise:
- A function `plstore-update' with signature similar to that of
`plstore-put', but which merges new properties with existing properties.
- An auth-source backend `auth-source-plstore-xoauth2' that allows for
an arbitrary function to be called to perform the actual token requests.
Plus auxiliary functions to do the dirty URL interfacing. (I could
deliver that part as a separate package on (M)ELPA, or wherever, BTW.)
Some more changes (not all of which I have implemented yet):
- Nullify the plstore data structure when `plstore-close' gets called to
avoid clear-text credentials lingering around.
- Make plstores a bit more edit-friendly. For example, keep the plstore
non-secret and secret data between some pre-defined markers, but keep
the rest of the text unchanged when reading and writing plstore data.
That would allow for local variables at the end of the plstore.
- Provide auto-closing plstores, probably also configurable with local
variables.
- Allow auth-source backends to specify credential expiry per backend.
For the `auth-source-plstore-xoauth2' backend, for example, auth-source
expiry and plstore expiry (if it gets implemented) and the access token
expiry should be all synchronized to avoid funny results.
So much for the bigger picture. What do you think? Would you accept
changes in that direction?
In parallel I'm trying to get the FSF copyright assignment done.
Thanks
Farblos
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Extending auth-source and plstore for more XOAUTH2 scenarios
2023-05-11 20:22 Extending auth-source and plstore for more XOAUTH2 scenarios Farblos
@ 2023-05-11 21:04 ` Thomas Fitzsimmons
2023-05-18 0:04 ` Björn Bidar
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Fitzsimmons @ 2023-05-11 21:04 UTC (permalink / raw)
To: Farblos; +Cc: emacs-devel
Hi Farblos,
Farblos <akfkqu.9df7rp@vodafonemail.de> writes:
> I've made some extensions to package auth-source and plstore to cover
> more XOAUTH2 scenarios. My employer uses MS Office 365 with a device
> grant for the MUTT/Gnus/whatever outcasts, where you need additional
> URL parameters to refresh an access token. Plus I store the access
> token *and* its expiry date in a plstore to avoid token refresh cycles
> as much as possible.
[...]
> So much for the bigger picture. What do you think?
It would indeed be nice to have in GNU ELPA a package that has
configuration logic for IMAP/SMTP/POP3 OAuth 2.0.
I currently use the https://github.com/harishkrupo/oauth2ms Python
script for IMAP and SMTP XOAUTH2. Have you seen it? It's got excellent
documentation and the script has been solid. However, I would prefer to
eliminate the external Python script and have a pure Elisp solution. It
sounds like that's what you'd like to contribute, in which case, great!
Also have a look at url-http-oauth, which I just released to GNU ELPA
this week. It provides OAuth 2.0 support for HTTP services, and uses
the auth-source netrc backend. See if you may be able to make use of
parts of it. I started with netrc support because that's what I use,
and because authinfo.gpg can be GPG-encrypted. There's not much
netrc-specific though, so it might be worth trying with the plstore
backend if that's what you prefer.
Thomas
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Extending auth-source and plstore for more XOAUTH2 scenarios
2023-05-11 20:22 Extending auth-source and plstore for more XOAUTH2 scenarios Farblos
2023-05-11 21:04 ` Thomas Fitzsimmons
@ 2023-05-18 0:04 ` Björn Bidar
1 sibling, 0 replies; 3+ messages in thread
From: Björn Bidar @ 2023-05-18 0:04 UTC (permalink / raw)
To: Farblos; +Cc: emacs-devel
Hello,
I'm not sure how exactly that relates to this issue. But sasl.el that
was taken from FLIM, FLIM supports XOAUTH2.
FLIM is used in Wanderlust for this kind of purpose I think it.
It would make sense to import sasl-xoauth2 and sasl-scram for
completeness into Emacs.
I worked with signon-plugin-oauth2 in the past to implement the
Microsoft OAuth2 Workflow.
I have a few pointers regarding that:
- Microsoft's way of doing OAuth2 with a clientid rather than a client
secret is ironically much friendlier to FOSS programs such as
Emacs. Emacs can simply write the clientid inside the sources after
registering an AppID at Microsoft. An example where this was already
done is KDE PIM/Akonadi.
No further intervention is needed on the user side besides pointing
the user to the webpage to give Emacs the permission to access all the
requested areas.
- I think it would make sense to see how Wanderlust implemented OAuth2
for Microsoft.
- Take pointers from other existing implementations that try to add Microsoft
Oauth to Gnus.
Br,
Björn Bidar
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-05-18 0:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-11 20:22 Extending auth-source and plstore for more XOAUTH2 scenarios Farblos
2023-05-11 21:04 ` Thomas Fitzsimmons
2023-05-18 0:04 ` Björn Bidar
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).