From: Robert Pluim <rpluim@gmail.com>
To: Xiyue Deng <manphiz@gmail.com>
Cc: 72358@debbugs.gnu.org
Subject: bug#72358: 29.4; oauth2.el improvements
Date: Tue, 30 Jul 2024 09:46:29 +0200 [thread overview]
Message-ID: <87frrr725m.fsf@gmail.com> (raw)
In-Reply-To: <87mslz8yzk.fsf@debian-hx90.lan> (Xiyue Deng's message of "Mon, 29 Jul 2024 14:25:01 -0700")
>>>>> On Mon, 29 Jul 2024 14:25:01 -0700, Xiyue Deng <manphiz@gmail.com> said:
Xiyue> Hi,
Xiyue> I have been trying out using oauth2.el to enable OAuth2-based
Xiyue> authentication for email service providers and had some success for
Xiyue> Gmail. During this process, I have made a few changes to oauth2.el that
Xiyue> enables it to use with Gmail OAuth2 as well as some usability and
Xiyue> debugging improvements, which I'm sharing below.
Thank you for this. This support is becoming more necessary as time
goes on. I even wonder if we should bring oauth2.el into emacs instead
of it being a package.
Xiyue> This is a series of five patches, which are attached.
Xiyue> The first patch shows the authentication URL in the minibuffer window
Xiyue> alongside the prompt accepting the authorization code. This helps when
Xiyue> a user has multiple accounts from the same provider but is logged into a
Xiyue> different account than the one that the user is trying to set up. If
Xiyue> the user use the link (or through `browse-url') it will use the active
Xiyue> account instead of the one intended. By showing the URL in the
Xiyue> minibuffer, the user can choose other ways to get the authorization code
Xiyue> (e.g. using another browser, using private/encognito mode, etc.)
OK. This fixes one of my irritations with oauth2.el 🙂
Xiyue> The second patch adds the parameters `access_type=offline' and
Xiyue> `prompt=consent' to the authorization URL, which is required for Gmail
Xiyue> OAuth2 to get the refresh token. Without these 2 parameters, Gmail
Xiyue> response will only contain the access token which expires in one hour.
Xiyue> They should also be compatible with other OAuth2 authentication process.
Xiyue> (Though I am currently having trouble to get outlook.com to work
Xiyue> regardless of these parameters, which I'll ask in a separate thread.)
Xiyue> Note that the second patch depends on the first patch as they modify the same
Xiyue> part of the code.
OK. Iʼm assuming oauth2.el can use the refresh token next time it
needs to authorize? (Iʼve been avoiding actually using oauth2.el in
anger, since app passwords still work)
Xiyue> The third patch encodes the parameters for requesting refreshing access
Xiyue> token, which is recommended because the client secret and other
Xiyue> parameters may contain characters that may break parameter parsing.
OK
Xiyue> The fourth patch may need a bit of background: oauth2.el (optionally)
Xiyue> uses plstore to save authentication data for future reuse, and the
Xiyue> plstore id for an account is computed using a combination of `auth-url',
Xiyue> `token-url', and `scope'. However, this combination of data doesn't
Xiyue> guarantee uniqueness for accounts for a same provider, e.g. for Gmail,
Xiyue> the three parameters are the same for different accounts, and hence
Xiyue> storing a second account information will override the first one.
Xiyue> This fourth patch adds `client-id' to the calculation of plstore id to
Xiyue> ensure its uniqueness. This may cause a few concerns:
Xiyue> - This will invalidate all existing entries and a user will have to redo
Xiyue> the authorization process again to get a new refresh token. However,
Xiyue> I think it's more important to ensure that oauth2.el works correctly
Xiyue> for multiple accounts of the same provider, or a user may suffer from
Xiyue> confusion when adding a new account invalidates a previous account.
I donʼt think thatʼs too big a concern. 'modern' authentication flows
regularly re-prompt, so this will not be too surprising (although
maybe call it out in the packageʼs NEWS or README).
Xiyue> - Adding `client-id' to the calculation of plstore id may provoke
Xiyue> suspicion of leaking it as the hash calculation uses md5. In most
Xiyue> cases, requesting a refresh token requires both `client-id' and
Xiyue> `client-secret', so without including the latter it should be safe.
Xiyue> There are cases when requesting only the access token may work with
Xiyue> `client-id' along. Still, I think this should not be a big concern as
Xiyue> the data is combined with `auth-url', `token-url', and `scope' which
Xiyue> provides sufficient salt. Alternatively, we can also choose to use a
Xiyue> more secure hash function, e.g. SHA2 or better, given that existing
Xiyue> entries will be invalidated anyway.
If the existing entries are going to become invalid anyway, you might
as well take the opportunity to move away from md5 at the same
time. git picked SHA-256, but that was a while ago, so maybe SHA-512?
Xiyue> The fifth patch adds debug messages when doing a URL query which records
Xiyue> the request URL, the request data, and the response data, and provide a
Xiyue> custom variable to enable this. This provides a way to help debugging
Xiyue> the requests, and I find it handy when testing oauth2 against different
Xiyue> providers.
OK (although perhaps make it a defvar rather than a defcustom, to
avoid people accidentally enabling it).
Robert
--
next prev parent reply other threads:[~2024-07-30 7:46 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-29 21:25 bug#72358: 29.4; oauth2.el improvements Xiyue Deng
2024-07-30 7:46 ` Robert Pluim [this message]
2024-07-30 14:05 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-30 19:37 ` Xiyue Deng
2024-07-31 8:54 ` Robert Pluim
2024-07-31 11:13 ` Xiyue Deng
2024-08-02 8:15 ` Xiyue Deng
2024-08-02 8:38 ` Robert Pluim
2024-08-03 0:04 ` Xiyue Deng
2024-08-03 5:52 ` Eli Zaretskii
2024-08-03 9:26 ` Xiyue Deng
2024-08-13 22:03 ` Xiyue Deng
2024-08-14 5:28 ` Eli Zaretskii
2024-08-14 8:23 ` Xiyue Deng
2024-08-14 8:40 ` Xiyue Deng
2024-08-14 9:13 ` Eli Zaretskii
2024-08-21 18:22 ` Xiyue Deng
2024-08-21 19:42 ` Philip Kaludercic
2024-08-21 22:11 ` Xiyue Deng
2024-08-29 6:58 ` Xiyue Deng
2024-08-29 14:14 ` Philip Kaludercic
2024-08-29 15:18 ` Robert Pluim
2024-08-29 23:54 ` Xiyue Deng
2024-08-30 7:09 ` Philip Kaludercic
2024-08-30 8:32 ` Xiyue Deng
2024-08-30 10:07 ` Philip Kaludercic
2024-08-30 21:13 ` Xiyue Deng
2024-09-03 18:08 ` Xiyue Deng
[not found] ` <66a8f323.170a0220.9172c.8e28SMTPIN_ADDED_BROKEN@mx.google.com>
2024-07-30 19:40 ` Xiyue Deng
2024-07-30 21:50 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-08-07 23:22 ` Xiyue Deng
2024-08-08 6:11 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-08-08 6:14 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
[not found] ` <66b46180.170a0220.1fb02.1d6eSMTPIN_ADDED_BROKEN@mx.google.com>
2024-08-08 8:28 ` Xiyue Deng
2024-08-08 9:17 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-08-12 13:22 ` Thomas Fitzsimmons
2024-08-12 16:26 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
[not found] ` <66b46251.170a0220.f2be9.afeeSMTPIN_ADDED_BROKEN@mx.google.com>
2024-08-08 8:29 ` Xiyue Deng
2024-08-08 9:31 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-30 14:08 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-30 14:39 ` Robert Pluim
2024-07-30 19:44 ` Xiyue Deng
2024-08-01 18:49 ` Thomas Fitzsimmons
2024-08-02 8:09 ` Xiyue Deng
2024-08-02 14:43 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
[not found] ` <66a8f3d6.050a0220.8facb.d530SMTPIN_ADDED_BROKEN@mx.google.com>
2024-07-30 19:41 ` Xiyue Deng
2024-07-30 21:51 ` Björn Bidar via Bug reports for GNU Emacs, the Swiss army knife of text editors
[not found] ` <66a96079.170a0220.1522dd.3e68SMTPIN_ADDED_BROKEN@mx.google.com>
2024-07-31 7:43 ` Xiyue Deng
2024-07-31 23:53 ` Andrew Cohen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87frrr725m.fsf@gmail.com \
--to=rpluim@gmail.com \
--cc=72358@debbugs.gnu.org \
--cc=manphiz@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.