From: Tim Cross <theophilusx@gmail.com>
To: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: Tomas Hlavaty <tom@logand.com>,
"Jorge A. Alfaro-Murillo" <jorge@democraciareal.org>,
emacs-devel@gnu.org
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 22:34:46 +1000 [thread overview]
Message-ID: <87h762esku.fsf@gmail.com> (raw)
In-Reply-To: <jwvczgqc2r5.fsf-monnier+emacs@gnu.org>
Stefan Monnier <monnier@iro.umontreal.ca> writes:
>> Problem is, Google T&C require that the application ID is kept secret.
>> For open source, this is a problem because we cannot add the applicaiton
>> ID and keep it secret while making the code open source.
>
> FWIW, it's also a problem for proprietary applications since the secret
> will necessarily be somewhere inside the executable as well. It's a bit
> harder to find, and can be obfuscated to some extent, but as long as you
> can run the code inside a debugger and you have enough time on your
> hands to reverse engineer the workings of that part of the code you can
> also extract the application ID.
>
Yes, that is a flaw. However, requiring the application ID to be kept
secret is really the error - it isn't necessary and doesn't improve the
security. From what I've read, it was never the intention of the
designers of oauth that this value be kept secret. It really exists
mainly as an auditing/debugging/troublshooting aid, not part of the
authn/authz process.
I think this is why some people are trying to get clarification from
Google as it is likely their reference to what must be kept secret only
includes the applicaiton ID by error/oversight. (I was told this
confusion originally occured because of ambiguity in the original oauth
documentation, which has subsequently been fixed/clarified). Problem is,
most users cannot get past the lower level helpdesk staff or get their
issue in front of someone who can actually look at it and do something
and even if you could, getting them to care enough to do something is
unlikely - the percentage of users impacted is likley just too small
compared to other issues they are also dealing with.
next prev parent reply other threads:[~2022-05-06 12:34 UTC|newest]
Thread overview: 150+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-03 5:59 gmail+imap+smtp (oauth2) Uwe Brauer
2022-05-03 6:27 ` Jostein Kjønigsen
2022-05-03 20:44 ` Uwe Brauer
2022-05-04 7:22 ` Robert Pluim
2022-05-04 8:43 ` Tim Cross
2022-05-05 12:57 ` Uwe Brauer
2022-05-05 13:48 ` Robert Pluim
2022-05-08 14:36 ` Uwe Brauer
2022-05-08 16:00 ` Robert Pluim
2022-05-08 16:40 ` Uwe Brauer
2022-05-09 8:38 ` Robert Pluim
2022-05-10 6:29 ` Uwe Brauer
2022-05-10 8:13 ` Robert Pluim
2022-06-02 15:15 ` [app password does not work (at the moment)] (was: gmail+imap+smtp (oauth2)) Uwe Brauer
2022-06-02 15:37 ` [SOLVED (magic?)] (was: [app password does not work (at the moment)]) Uwe Brauer
2022-06-03 14:04 ` [SOLVED (magic?)] Robert Pluim
2022-06-06 6:49 ` Uwe Brauer
2022-06-06 7:47 ` Robert Pluim
2022-06-06 18:55 ` [SOLVED (magic?)] (was: [app password does not work (at the moment)]) Tomas Hlavaty
2022-06-06 19:07 ` tomas
2022-06-06 19:37 ` Tomas Hlavaty
2022-06-07 4:35 ` tomas
2022-06-07 5:52 ` Tomas Hlavaty
2022-06-07 7:09 ` [Clarification] (was: [SOLVED (magic?)]) Uwe Brauer
2022-06-07 10:02 ` Yuri Khan
2022-06-07 16:24 ` [Clarification] Uwe Brauer
2022-06-07 7:15 ` [SOLVED (magic?)] (was: [app password does not work (at the moment)]) tomas
2022-06-09 22:30 ` Richard Stallman
2022-06-07 5:44 ` [SOLVED (magic?)] Byung-Hee HWANG
2022-06-07 6:04 ` Tomas Hlavaty
2022-06-07 7:14 ` tomas
2022-06-09 22:29 ` Richard Stallman
2022-06-10 7:43 ` Eli Zaretskii
2022-06-12 0:44 ` Richard Stallman
2022-06-12 5:02 ` tomas
2022-06-15 10:05 ` Richard Stallman
2022-06-09 22:30 ` Richard Stallman
2022-06-07 23:18 ` [SOLVED (magic?)] (was: [app password does not work (at the moment)]) Richard Stallman
2022-05-05 13:56 ` gmail+imap+smtp (oauth2) Tim Cross
2022-05-05 13:58 ` Filipp Gunbin
2022-05-05 20:13 ` Jorge A. Alfaro-Murillo
2022-05-05 21:44 ` Thomas Fitzsimmons
2022-05-06 0:43 ` Tim Cross
2022-05-06 8:01 ` Tomas Hlavaty
2022-05-06 9:04 ` Tim Cross
2022-05-06 11:38 ` Stefan Monnier
2022-05-06 12:02 ` tomas
2022-05-06 12:06 ` Lars Ingebrigtsen
2022-05-06 12:46 ` Stefan Monnier
2022-05-06 13:05 ` Tim Cross
2022-05-11 9:01 ` Richard Stallman
2022-05-11 9:01 ` gmail+imap+smtp (davmail) Richard Stallman
2022-05-11 9:43 ` Eric S Fraga
2022-05-13 15:08 ` Richard Stallman
2022-05-06 12:49 ` gmail+imap+smtp (oauth2) Tim Cross
2022-05-06 13:23 ` Eric S Fraga
2022-05-06 13:40 ` tomas
2022-05-06 12:34 ` Tim Cross [this message]
2022-05-06 16:49 ` Tomas Hlavaty
2022-05-06 12:34 ` Tim Cross
2022-05-06 16:41 ` Tomas Hlavaty
2022-05-06 16:38 ` Tomas Hlavaty
2022-05-06 18:55 ` Tim Cross
2022-05-06 19:57 ` Stefan Monnier
2022-05-08 23:36 ` Richard Stallman
2022-05-09 0:26 ` Tim Cross
2022-05-10 6:53 ` Tomas Hlavaty
2022-05-11 9:04 ` Richard Stallman
2022-05-11 23:38 ` Tomas Hlavaty
2022-05-12 9:16 ` Tomas Hlavaty
2022-05-12 16:51 ` Thomas Fitzsimmons
2022-05-15 23:37 ` Richard Stallman
2022-05-12 7:10 ` Tomas Hlavaty
2022-05-12 9:03 ` Tomas Hlavaty
2022-05-06 23:18 ` Richard Stallman
2022-05-06 10:30 ` Eric S Fraga
2022-05-08 23:37 ` Richard Stallman
2022-05-09 5:13 ` tomas
2022-05-09 12:25 ` Eric S Fraga
2022-05-09 23:20 ` Richard Stallman
2022-05-11 9:47 ` Eric S Fraga
2022-05-13 15:08 ` Richard Stallman
2022-05-12 10:36 ` Richard Stallman
2022-05-13 6:58 ` Eric S Fraga
2022-05-16 23:25 ` Richard Stallman
2022-05-12 14:12 ` Jorge A. Alfaro-Murillo
2022-05-13 8:57 ` Eric S Fraga
2022-05-13 18:49 ` Roland Winkler
2022-05-14 9:57 ` Eric S Fraga
2022-05-05 18:37 ` Richard Stallman
2022-05-05 19:13 ` Stefan Monnier
2022-05-05 19:52 ` Stefan Monnier
2022-05-05 20:10 ` Uwe Brauer
2022-05-06 0:32 ` Tim Cross
2022-05-06 23:18 ` Richard Stallman
2022-05-06 23:42 ` Brian Cully via Emacs development discussions.
2022-05-06 1:46 ` Ihor Radchenko
2022-05-06 23:18 ` Richard Stallman
2022-05-03 23:40 ` Richard Stallman
2022-05-04 2:05 ` Tim Cross
2022-05-04 5:13 ` tomas
2022-05-04 13:34 ` Thomas Fitzsimmons
2022-05-04 14:38 ` Stefan Monnier
2022-05-04 14:58 ` Robert Pluim
2022-05-04 14:48 ` Tim Cross
2022-05-04 15:41 ` Thomas Fitzsimmons
2022-05-05 18:37 ` Richard Stallman
2022-05-06 8:34 ` Tomas Hlavaty
2022-05-06 23:18 ` Richard Stallman
2022-05-07 3:22 ` Tim Cross
2022-05-08 23:35 ` Richard Stallman
2022-05-09 0:01 ` Tim Cross
2022-05-10 7:11 ` Tomas Hlavaty
2022-05-10 7:51 ` Tim Cross
2022-05-10 11:44 ` Tomas Hlavaty
2022-05-10 12:39 ` Tim Cross
2022-05-11 9:52 ` Eric S Fraga
2022-05-11 9:01 ` Richard Stallman
2022-05-11 9:01 ` Richard Stallman
2022-05-11 12:03 ` Tim Cross
2022-05-13 15:10 ` Richard Stallman
2022-05-11 9:01 ` Richard Stallman
2022-05-11 12:33 ` Tim Cross
2022-05-11 14:08 ` Tim Cross
2022-05-14 14:12 ` Richard Stallman
2022-05-13 15:10 ` Richard Stallman
2022-05-14 10:02 ` Eric S Fraga
2022-05-16 23:25 ` Richard Stallman
2022-05-14 21:43 ` chad
2022-05-15 5:04 ` tomas
2022-05-05 18:36 ` Richard Stallman
2022-05-06 0:37 ` Tim Cross
2022-05-04 15:35 ` Óscar Fuentes
2022-05-04 15:48 ` Robert Pluim
2022-05-04 16:01 ` Óscar Fuentes
2022-05-04 16:48 ` Tim Cross
2022-05-05 18:36 ` Richard Stallman
2022-05-05 21:34 ` Brian Cully via Emacs development discussions.
2022-05-05 22:13 ` Stefan Monnier
2022-05-06 23:18 ` Richard Stallman
2022-05-06 0:54 ` Tim Cross
2022-05-06 2:21 ` Brian Cully via Emacs development discussions.
2022-05-06 23:18 ` Richard Stallman
2022-05-06 23:19 ` Richard Stallman
2022-05-06 23:47 ` Brian Cully via Emacs development discussions.
2022-05-04 16:45 ` Tim Cross
2022-05-04 16:33 ` Tim Cross
2022-05-06 23:17 ` Richard Stallman
2022-05-04 17:01 ` Cesar Crusius
2022-05-05 1:57 ` Tim Cross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h762esku.fsf@gmail.com \
--to=theophilusx@gmail.com \
--cc=emacs-devel@gnu.org \
--cc=jorge@democraciareal.org \
--cc=monnier@iro.umontreal.ca \
--cc=tom@logand.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.