From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: =?UTF-8?Q?Bj=C3=B6rn?= Bidar via "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#41386: 28.0.50; Gnus nnimap OAuth 2.0 support
Date: Sat, 29 Oct 2022 18:36:41 +0300
Message-ID: <87czaawsag.fsf@thaodan.de>
References: <m38shor86n.fsf@fitzsim.org>
Reply-To: =?UTF-8?Q?Bj=C3=B6rn?= Bidar <bjorn.bidar@thaodan.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="19930"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cc: 41386@debbugs.gnu.org
To: Thomas Fitzsimmons <fitzsim@fitzsim.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sat Oct 29 17:43:25 2022
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1oonzU-0004su-Cv
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 29 Oct 2022 17:43:24 +0200
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1oonzI-0008LB-Dk; Sat, 29 Oct 2022 11:43:08 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1oonzD-0008Ig-Kd
 for bug-gnu-emacs@gnu.org; Sat, 29 Oct 2022 11:43:05 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1oonzD-0002RC-DC
 for bug-gnu-emacs@gnu.org; Sat, 29 Oct 2022 11:43:03 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1oonzC-0004Sz-7x
 for bug-gnu-emacs@gnu.org; Sat, 29 Oct 2022 11:43:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: =?UTF-8?Q?Bj=C3=B6rn?= Bidar <bjorn.bidar@thaodan.de>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sat, 29 Oct 2022 15:43:02 +0000
Resent-Message-ID: <handler.41386.B41386.166705812817108@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 41386
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: wontfix
Original-Received: via spool by 41386-submit@debbugs.gnu.org id=B41386.166705812817108
 (code B ref 41386); Sat, 29 Oct 2022 15:43:02 +0000
Original-Received: (at 41386) by debbugs.gnu.org; 29 Oct 2022 15:42:08 +0000
Original-Received: from localhost ([127.0.0.1]:36394 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1oonyK-0004Rr-1M
 for submit@debbugs.gnu.org; Sat, 29 Oct 2022 11:42:08 -0400
Original-Received: from thaodan.de ([185.216.177.71]:47210)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bjorn.bidar@thaodan.de>) id 1oonyH-0004R4-Rb
 for 41386@debbugs.gnu.org; Sat, 29 Oct 2022 11:42:06 -0400
Original-Received: from odin (dsl-trebng12-b04885-76.dhcp.inet.fi [176.72.133.76])
 by thaodan.de (Postfix) with ESMTPSA id DF7E4D08D6B;
 Sat, 29 Oct 2022 18:41:59 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=thaodan.de; s=mail;
 t=1667058120; bh=rpiwsBN1Vx8+K0Gqs0E/+NFTHqi8C1brgH6sEYUxuC8=;
 h=From:To:Cc:Subject:In-Reply-To:Date:References;
 b=nkyG5N/1HX+Nzu10JS5SmjS1x99tc/atc1dEEfRdYFuVmPbbLLmJzdBSCAJnig/PM
 bwFet5dS0lgfxES4SmnTTE8LDxHKmd+7vMX1NXEI9V1X5ZYzU8jvlOZ9rG0gzGW0KK
 zNpX1u9UIQg10iNhF65ZXZW91ZRxl952lJKsbMEVmUvEp58ZIbbO7tZv8r988X3EHq
 6PMayxSyeL7rHUKNuXVfQ+R/BslNdQOGIh2KqGYRxLL+kklPeix2pwhDBtAjcMO9gN
 TlbcxR3Ya5DhEH13gPirgUrKrj6C44ELNoB8QTWFBTYgiugtgawpys4zdKiIPeSEaS
 RJbuIzFcQtoKonkROZ7XjJn9bBEHTi2EF3YlATk17VttNrjviY9BGxWCUN2l0xoSf0
 KXDcKRmAhve83DBK9+iAve7TILZWptK6MrUXc+bC/DnfU9xdNcl+UXxMHg0c2IUvVX
 Vk7Rb+2yh5s9HAi8DHxsKVIzFtKTBSUWBcumH9VtGbARK0hgqtn4Aew1z3urUvdWD9
 iFp+pODPGAvRY4ZASpetiias4pLbDre4i/50YcPTdLYpPNsGMG6PF7nbmi5jwz43me
 Obq5gC64qlim0tqt9QVx2/M5B6hFnG/D4+qPfmcsq05Nrr/whRxNJSQo0LfeU9bjVD
 oskXdJL2GUhW/3XsGbwkUTYk=
In-Reply-To: <m38shor86n.fsf@fitzsim.org> (Thomas Fitzsimmons's message of
 "Mon, 18 May 2020 22:05:04 -0400")
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Original-Sender: "bug-gnu-emacs" <bug-gnu-emacs-bounces@gnu.org>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:246543
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/246543>


I know this bug is marked as wontfix however more and more providers are
moving to Oauth2, even those that use plain standards like
imap/{cal,card}dav/smpt, thous increasing the importance of Oauth2
support in Gnus.

The main advantage I see is that oauth allows for two factor
authentication and the invalidation of the "password" that the app
stores. The password or token that the app has usually only lasts for a
duration of time and can be invalidated if needed. Like if the person no
loner works for the employer or the device has been stolen.

Some providers like Microsoft require it next year and the employer
can already enforce the use of Oauth2 [1].
The argument "just use another email provider" doesn't really work in
such cases.

SailfishOS recently addeded oauth2 support for Microsoft Oauth and
KDE also does support it[2].
In the case of Microsoft there are no "secrets" that can be stored publicly=
 just the
application id[3].

Without proper OAuth2 support there is no use for Gnus for such users,
except to try third party solutions that can help.

On Elpa there's oauth2.el which provides Oauth2 support for Emacs. There
are externals who implemented oauth for Gmail[4] and Microsoft 365[5]
through the use of oauth2.el.

However these don't handle the oauth workflow of acquiring the token.
It is possible to try to do that inside emacs or use an external browser
and then catch the response or make the user copy the response address
into Emacs.

The main issue to implement this I think is to have an official "appid"
for Emacs and add the Oauth2 workflow.
I don't know about google right now but for Microsoft 365 this seams
feasible as there's just an appid that can be stored publicly.=20


Br,

Bj=C3=B6rn Bidar

---

[1] https://techcommunity.microsoft.com/t5/exchange-team-blog/improving-sec=
urity-together/ba-p/805892
[2] https://invent.kde.org/pim/kdepim-runtime/-/tree/master/resources/ews/e=
wsclient/auth
[3] https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oau=
th2-auth-code-flow
[4] https://github.com/ggervasio/gnus-gmail-oauth/
[5] https://gitlab.com/Binary-Eater/gnus-o365-oauth2/-/tree/master