From: Xiyue Deng <dengxiyue@gmail.com>
To: Stefan Kangas <stefankangas@gmail.com>, 72992@debbugs.gnu.org
Cc: Ted Zlatanov <tzz@lifelogs.com>, Philip Kaludercic <philipk@posteo.net>
Subject: bug#72992: 29.4; towards xoauth2 support in Emacs
Date: Wed, 18 Sep 2024 12:43:39 -0700 [thread overview]
Message-ID: <877cb8oihg.fsf@debian-hx90.lan> (raw)
In-Reply-To: <CADwFkmmMeFux=1bqYHg5r8ibp7-ZaV724dfMXneht9eYHMLkZg@mail.gmail.com>
Hi Stefan,
Stefan Kangas <stefankangas@gmail.com> writes:
> Xiyue Deng <manphiz@gmail.com> writes:
>
>> Now that bug#72358 is done, as promised, I'm posting my plugin for
>> auth-sources that enables oauth2 handling which you can find on
>> Gitlab[1] (also attached). As the current approach tries to override
>> some existing handling in auth-source, I would like to gather some
>> comments on how to properly integrate this handling, and see if there is
>> any benefit on providing this as a separate package for older Emacs
>> versions.
>>
>> In the comment section of the package I put notes on how xoauth2 is
>> enabled as well as existing restrictions in auth-source and how it
>> workarounds them. I'll briefly explain below.
>
> I think it would be good if you could add to your package some general
> explanation of what xoauth2 is, and what are its use cases both in a
> general sense, and specifically together with the auth-source
> package. Don't assume that people already know what xoauth2 is, how it
> is different from oauth2, which services use it, etc. Explain it. I
> would add such general information to the beginning of the "Commentary"
> section. Nothing long is needed, just a general introduction and perhaps
> links for where to read more.
>
Good suggestions. Added to the comments part.
> Some examples of when it would be used, preferably with example code for
> some use cases, would also go a long way.
>
I have added some examples on how to set it up and use it in Gnus and
smtpmail after sending the earlier version. Please check it out at [1]
(with the changes above.)
>> Currently, auth-source search requires that the result include `:secret'
>> most of the time, where when using xoauth2 it is actually the
>> access-token. Actually, auth-source has existing support for xoauth2
>> authentication, though it assumes that the password value actually
>> stores the access-token.
>
> Where can we find this "existing support"? Do you mean the
> 'auth-source-xoauth2' package on GNU ELPA?
>
The basic support is actually in the Emacs core already, e.g. for Gnus
nnimap[2] and smtpmail[3]. However, this assumes one to put the
access_token in place of `:secret' in the auth-source file as Emacs uses
password as the access_token in both places. However, access_token
expires quite frequently (e.g. about 1 hour for Gmail) and without
refreshing it automatically it is practically impossible to use
conveniently. Hence the propose hack and the following suggestion.
>> Because xoauth2 also makes use of
>> `secret'/`password', it makes it hard to determine whether to use
>> password-based or xoauth2-based authentication, which is why my plugin
>> asks users to set `auth' in auth-source to determine whether to use
>> xoauth2. Another complication from this is that auth-source search
>> requires the entry contains a `secret' most of the time, where it does
>> not need to be set when using xoauth2. Therefore I workaround this by
>> temporarily disables this check and try to retrieve access-token using
>> oauth2 and set the result as password.
>>
>> Given the inconveniences of reusing password for access-token, I wonder
>> whether we can add support for a separate `:access-token' key in the
>> auth-source entry and use that instead of password when authenticating
>> using xoauth2. This way, we can have both password and access-token in
>> an auth-source entry and nnimap and smtpmail can use either one. More
>> specifically:
>>
>> * When performing an auth-source search, if xoauth2 related fields are
>> set (see the list of fields in the comments of my plugin), it will
>> retrieve access-token using oauth2.
>>
>> * The search should change to check for either `secret'/`password' or
>> `access-token' is available.
>>
>> * For `nnimap-login' and `smtpmail-try-auth-method', pass in both
>> password and access-token, and for xoauth2 it should use access-token
>> instead of password.
>>
>> If this is an acceptable approach, I'll try to draft a patch to
>> implement this in Emacs. Otherwise, it may still worth implement the
>> current approach directly in Emacs so as to avoid using hack like
>> advice.
>
> I'm not very familiar with auth-source.el, but on a general level the
> above makes sense to me. I've also Cc:ed Ted Zlatanov, the author of
> auth-source.el
>
Thanks! Would also like to hear Ted's opinion on this and decide which
route to take.
>> Meanwhile, I wonder whether this may be worth release as a separate
>> package so that users of older versions can use xoauth2 as well. I'd
>> like to make it compatible with the agreed-upon approach to minimize any
>> incompatibilities.
>>
>> Thanks for reading, and any comments are appreciated.
>
> Are you proposing to include this in Emacs core, on GNU ELPA, or
> something else?
>
I'd like to contribute to Emacs core once a direction is decided. Maybe
also put this plugin in ELPA to support older emacs versions if both are
compatible.
> Thanks.
>
[1] https://gitlab.com/xiyueden/auth-source-xoauth2-plugin
[2] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/gnus/nnimap.el#n616
[3] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/mail/smtpmail.el#n640
--
Xiyue Deng
next prev parent reply other threads:[~2024-09-18 19:43 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-02 8:34 bug#72992: 29.4; towards xoauth2 support in Emacs Xiyue Deng
[not found] ` <handler.72992.B.172532159013230.ack@debbugs.gnu.org>
2024-09-11 0:27 ` Xiyue Deng
2024-09-17 17:33 ` Xiyue Deng
2024-09-17 19:12 ` Philip Kaludercic
2024-09-18 6:24 ` Xiyue Deng
2024-09-18 14:11 ` Philip Kaludercic
2024-09-17 21:33 ` Stefan Kangas
2024-09-18 19:43 ` Xiyue Deng [this message]
2024-09-19 5:13 ` Andrew Cohen
2024-09-19 8:22 ` Xiyue Deng
2024-09-19 9:06 ` Andrew Cohen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877cb8oihg.fsf@debian-hx90.lan \
--to=dengxiyue@gmail.com \
--cc=72992@debbugs.gnu.org \
--cc=philipk@posteo.net \
--cc=stefankangas@gmail.com \
--cc=tzz@lifelogs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.