From: Tomas Hlavaty
Newsgroups: gmane.emacs.devel
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 18:38:36 +0200
Message-ID: <87a6bur4z7.fsf@logand.com>
References: <871qxbdulc.fsf@mat.ucm.es> <87k0b2tkg1.fsf@mat.ucm.es> <87zgjx4qhs.fsf@gmail.com> <87bkwcgmr3.fsf@mat.ucm.es> <87levfzqj2.fsf@yale.edu> <871qx7scvi.fsf@gmail.com> <87v8ujqec5.fsf@logand.com> <87ee172fjz.fsf@gmail.com>
To: Tim Cross
Cc: "Jorge A. Alfaro-Murillo" , emacs-devel@gnu.org
In-Reply-To: <87ee172fjz.fsf@gmail.com>
X-Mailer: emacs 27.2 (via feedmail 11-beta-1 I)

On Fri 06 May 2022 at 19:04, Tim Cross wrote:

>> Is the application id created by google when the oauth2 is configured by
>> a university?
>
> No. The application ID is provided by Google once the application has
> been approved by them.

does application id mean client_id?

> The flow sort of goes
>
> 1. Register with google as a developer. This gives you a developer ID
>    which you can use as an application ID.
> 2. Develop your application which uses oauth2 to connect to google.
> 3. Submit your application for approval by google.
> 4. Once approved, Google gives you an application ID which is used by
>    your application.
> 5. Release your application

understand

and where does the university, which uses google mail to which a student
or teacher connects, fit in this?  how does the university configure
their mail?  or has the university no say in this at all?

> Problem is, Google T&C require that the application ID is kept secret.

it seems to be oauth2 thing, not google:

https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

The client_id is a public identifier for apps. Even though it’s public,
it’s best that it isn’t guessable by third parties, so many
implementations use something like a 32-character hex string. If the
client ID is guessable, it makes it slightly easier to craft phishing
attacks against arbitrary applications. It must also be unique across
all clients that the authorization server handles.

For each registered application, you’ll need to store the public
client_id and the private client_secret.

Because these are essentially equivalent to a username and password

oauth2 recommends keeping client_id (equivalent to username) secret even
though they call it a public identifier

> For open source, this is a problem because we cannot add the application
> ID and keep it secret while making the code open source.

it seems to me that oauth2 protocol is not open at all

it might be open in a sense that anybody can read the spec and implement
it but not in a sense that anybody can read the spec, implement it and
use it (unlike other protocols like smtp or imap)

one of the features seems to be that there is a (usually extra) party
with special role having absolute authority about who to let through the
gate
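The client_id / client_secret split the message argues about, worked through as an added example (this is illustration code written for this archive page, not code from Emacs, Google or the oauth.com article; the class and function names, the authorization endpoint https://auth.example/authorize, the redirect URI and the Gmail scope string are assumptions for the example). It plays the authorization-server side: registration hands out a random 32-character hex client_id and a client_secret, the authorization URL sent through the user's browser carries only the public client_id, and the token-endpoint check treats client_id as the username and client_secret as the password. The last part shows the open-source problem from the quoted reply: once the secret is a string literal in distributed source, anyone can lift it and authenticate as that client.

```python
"""Toy OAuth2 client registry: public client_id, private client_secret.

Hypothetical code for illustration; not any real authorization server.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


@dataclass
class RegisteredClient:
    client_id: str      # public identifier; appears in browser-visible URLs
    secret_hash: bytes  # only a SHA-256 of client_secret is kept server-side
    redirect_uri: str


class ClientRegistry:
    """Minimal stand-in for an authorization server's client database."""

    def __init__(self) -> None:
        self._clients: Dict[str, RegisteredClient] = {}

    def register(self, redirect_uri: str) -> Tuple[str, str]:
        """Issue a fresh client_id / client_secret pair for an application."""
        # 32-character hex id as the oauth.com text suggests: 128 random bits,
        # so not guessable. Uniqueness is still enforced explicitly.
        client_id = secrets.token_hex(16)
        while client_id in self._clients:
            client_id = secrets.token_hex(16)
        client_secret = secrets.token_urlsafe(32)
        self._clients[client_id] = RegisteredClient(
            client_id,
            hashlib.sha256(client_secret.encode()).digest(),
            redirect_uri,
        )
        # The clear-text secret is handed out exactly once, at registration.
        return client_id, client_secret

    def authorization_url(self, client_id: str, state: str) -> str:
        """Front-channel authorization request: carries only the public id."""
        client = self._clients[client_id]
        query = urlencode({
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": client.redirect_uri,
            "scope": "https://mail.google.com/",  # Gmail IMAP/SMTP scope (assumed)
            "state": state,
        })
        return "https://auth.example/authorize?" + query  # hypothetical endpoint

    def authenticate(self, client_id: str, client_secret: str) -> bool:
        """Token-endpoint check: client_id is the username, secret the password."""
        client = self._clients.get(client_id)
        if client is None:
            return False
        presented = hashlib.sha256(client_secret.encode()).digest()
        return hmac.compare_digest(presented, client.secret_hash)


# The open-source problem: a secret shipped as a literal in source is readable
# by everyone who can read the source.
SECRET_LITERAL = re.compile(r'CLIENT_SECRET\s*=\s*"([^"]+)"')


def extract_secret_from_source(source: str) -> Optional[str]:
    """Pull a hard-coded client_secret out of distributed source text."""
    m = SECRET_LITERAL.search(source)
    return m.group(1) if m else None


def demo() -> dict:
    """Run the scenario end to end and return the observable results."""
    registry = ClientRegistry()
    client_id, client_secret = registry.register("http://localhost:8080/cb")
    # Constructed stand-in for a published source file embedding both values.
    shipped_source = (
        'CLIENT_ID = "%s"\n'
        'CLIENT_SECRET = "%s"\n' % (client_id, client_secret)
    )
    lifted = extract_secret_from_source(shipped_source)
    return {
        "client_id": client_id,
        "url": registry.authorization_url(client_id, state="xyz"),
        "genuine_ok": registry.authenticate(client_id, client_secret),
        "lifted_ok": registry.authenticate(client_id, lifted or ""),
        "wrong_secret_ok": registry.authenticate(client_id, "guess"),
        "unknown_id_ok": registry.authenticate("0" * 32, client_secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running demo() shows the asymmetry in one place: the authorization URL exposes client_id and nothing else, a wrong secret or an unregistered id is refused, and the secret lifted from the shipped source authenticates exactly as well as the genuine one, which is why an open-source client cannot rely on client_secret for anything.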