From: Xiyue Deng <dengxiyue@gmail.com>
To: Stefan Kangas <stefankangas@gmail.com>, 72992@debbugs.gnu.org
Cc: Ted Zlatanov <tzz@lifelogs.com>, Philip Kaludercic <philipk@posteo.net>
Subject: bug#72992: 29.4; towards xoauth2 support in Emacs
Date: Wed, 18 Sep 2024 12:43:39 -0700
Message-ID: <877cb8oihg.fsf@debian-hx90.lan>
In-Reply-To: <CADwFkmmMeFux=1bqYHg5r8ibp7-ZaV724dfMXneht9eYHMLkZg@mail.gmail.com>

Hi Stefan,

Stefan Kangas <stefankangas@gmail.com> writes:

> Xiyue Deng <manphiz@gmail.com> writes:
>
>> Now that bug#72358 is done, as promised, I'm posting my plugin for
>> auth-sources that enables oauth2 handling which you can find on
>> GitLab[1] (also attached).  As the current approach tries to override
>> some existing handling in auth-source, I would like to gather some
>> comments on how to properly integrate this handling, and see if there is
>> any benefit in providing this as a separate package for older Emacs
>> versions.
>>
>> In the comment section of the package I put notes on how xoauth2 is
>> enabled as well as existing restrictions in auth-source and how it
>> works around them.  I'll briefly explain below.
>
> I think it would be good if you could add to your package some general
> explanation of what xoauth2 is, and what are its use cases both in a
> general sense, and specifically together with the auth-source
> package. Don't assume that people already know what xoauth2 is, how it
> is different from oauth2, which services use it, etc. Explain it. I
> would add such general information to the beginning of the "Commentary"
> section. Nothing long is needed, just a general introduction and perhaps
> links for where to read more.
>

Good suggestions.  Added to the comments part.

> Some examples of when it would be used, preferably with example code for
> some use cases, would also go a long way.
>

I have added some examples on how to set it up and use it in Gnus and
smtpmail after sending the earlier version.  Please check it out at [1]
(with the changes above.)

>> Currently, auth-source search requires that the result include `:secret'
>> most of the time, where when using xoauth2 it is actually the
>> access-token. Actually, auth-source has existing support for xoauth2
>> authentication, though it assumes that the password value actually
>> stores the access-token.
>
> Where can we find this "existing support"?  Do you mean the
> 'auth-source-xoauth2' package on GNU ELPA?
>

The basic support is actually in the Emacs core already, e.g. for Gnus
nnimap[2] and smtpmail[3].  However, this assumes that one puts the
access_token in place of `:secret' in the auth-source file, as Emacs uses
the password as the access_token in both places.  However, the access_token
expires quite frequently (e.g. about 1 hour for Gmail) and without
refreshing it automatically it is practically impossible to use
conveniently.  Hence the proposed hack and the following suggestion.

>> Because xoauth2 also makes use of
>> `secret'/`password', it makes it hard to determine whether to use
>> password-based or xoauth2-based authentication, which is why my plugin
>> asks users to set `auth' in auth-source to determine whether to use
>> xoauth2.  Another complication from this is that auth-source search
>> requires that the entry contain a `secret' most of the time, where it does
>> not need to be set when using xoauth2.  Therefore I work around this by
>> temporarily disabling this check, trying to retrieve the access-token
>> using oauth2, and setting the result as the password.
>>
>> Given the inconveniences of reusing password for access-token, I wonder
>> whether we can add support for a separate `:access-token' key in the
>> auth-source entry and use that instead of password when authenticating
>> using xoauth2.  This way, we can have both password and access-token in
>> an auth-source entry and nnimap and smtpmail can use either one.  More
>> specifically:
>>
>> * When performing an auth-source search, if xoauth2 related fields are
>>   set (see the list of fields in the comments of my plugin), it will
>>   retrieve access-token using oauth2.
>>
>> * The search should change to check whether either `secret'/`password'
>>   or `access-token' is available.
>>
>> * For `nnimap-login' and `smtpmail-try-auth-method', pass in both
>>   password and access-token, and for xoauth2 it should use access-token
>>   instead of password.
>>
>> If this is an acceptable approach, I'll try to draft a patch to
>> implement this in Emacs.  Otherwise, it may still be worth implementing
>> the current approach directly in Emacs so as to avoid using hacks like
>> advice.
>
> I'm not very familiar with auth-source.el, but on a general level the
> above makes sense to me.  I've also Cc:ed Ted Zlatanov, the author of
> auth-source.el.
>

Thanks!  Would also like to hear Ted's opinion on this and decide which
route to take.

>> Meanwhile, I wonder whether this may be worth releasing as a separate
>> package so that users of older versions can use xoauth2 as well.  I'd
>> like to make it compatible with the agreed-upon approach to minimize any
>> incompatibilities.
>>
>> Thanks for reading, and any comments are appreciated.
>
> Are you proposing to include this in Emacs core, on GNU ELPA, or
> something else?
>

I'd like to contribute to Emacs core once a direction is decided.  Maybe
also put this plugin in ELPA to support older Emacs versions if both are
compatible.

> Thanks.
>

[1] https://gitlab.com/xiyueden/auth-source-xoauth2-plugin
[2] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/gnus/nnimap.el#n616
[3] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/mail/smtpmail.el#n640

--
Xiyue Deng
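
The credential selection proposed in this message, as an added example in Emacs Lisp; it is not code from the plugin, from auth-source.el, or from anyone in the thread. The `my/` functions, the `:expires-at` key, the "xoauth2" value of `:auth` and the refresh stand-in are assumptions; `:access-token` is the key proposed above, and the payload layout is the SASL XOAUTH2 initial response.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example.  The my/ functions, :expires-at and the "xoauth2"
;; value of :auth are assumptions, not auth-source.el API.

(defun my/xoauth2-initial-response (user token)
  "Return the base64 SASL XOAUTH2 initial response for USER and TOKEN."
  (dolist (field (list user token))
    ;; \001 separates fields, so control characters must not be spliced in.
    (unless (and (stringp field)
                 (not (string-match-p "[[:cntrl:]]" field)))
      (error "Missing or malformed XOAUTH2 field")))
  (base64-encode-string
   (format "user=%s\001auth=Bearer %s\001\001" user token) t))

(defun my/token-stale-p (entry)
  "Non-nil if ENTRY lacks :access-token or its :expires-at has passed."
  (let ((expires (plist-get entry :expires-at)))
    (or (null (plist-get entry :access-token))
        (and expires (<= expires (float-time))))))

(defun my/select-credential (entry refresh-fn)
  "Choose what to send for ENTRY, a plist shaped like an auth-source result.
With :auth \"xoauth2\" send :access-token, calling REFRESH-FN first when it
is stale, and never fall back to :secret.  Otherwise send :secret."
  (if (equal (plist-get entry :auth) "xoauth2")
      (let ((fresh (if (my/token-stale-p entry)
                       (funcall refresh-fn entry)
                     entry)))
        (list :kind 'xoauth2
              :credential (my/xoauth2-initial-response
                           (plist-get fresh :user)
                           (plist-get fresh :access-token))))
    (let ((secret (plist-get entry :secret)))
      (unless secret
        (error "Entry has no :secret for password authentication"))
      (list :kind 'password
            :credential (if (functionp secret) (funcall secret) secret)))))

;; Constructed entry holding both a password and an expired token.
(let* ((entry (list :user "user@example.org" :auth "xoauth2"
                    :secret "app-password"
                    :access-token "stale-token" :expires-at 0))
       ;; Stand-in for the OAuth2 refresh request.
       (refresh (lambda (e)
                  (plist-put (plist-put (copy-sequence e)
                                        :access-token "fresh-token")
                             :expires-at (+ (float-time) 3600))))
       (cred (my/select-credential entry refresh)))
  (message "%s %S" (plist-get cred :kind)
           (base64-decode-string (plist-get cred :credential))))
```

Keeping the two credentials in separate keys means an expired token leads to a refresh or an error, never to the stored password being sent as a bearer token.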




