From: npostavs@users.sourceforge.net
Newsgroups: gmane.emacs.bugs
Subject: bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"
Date: Mon, 11 Jul 2016 20:43:08 -0400
Message-ID: <87r3azfzz7.fsf@users.sourceforge.net>
References: <570E3400.8020708@acm.org>
In-Reply-To: <570E3400.8020708@acm.org> (Jon Kåre Hellan's message of "Wed, 13 Apr 2016 13:56:48 +0200")
To: Jon Kåre Hellan
Cc: 23281@debbugs.gnu.org

tags 23281 fixed
close 23281 oauth2/0.11
quit

Jon Kåre Hellan writes:

> The oauth2 elpa package provides oauth2 authentication. The Oauth2
> standard works by passing around authentication tokens. The oauth2.el
> appends the token to the url as a query parameter. This works with some
> services, but the preferred way is to pass it in an
> "Authorization: Bearer" header.
> Quote from RFC 6570:
>
>    Because of the security weaknesses associated with the URI method
>    (see Section 5), including the high likelihood that the URL
>    containing the access token will be logged, it SHOULD NOT be used
>    unless it is impossible to transport the access token in the
>    "Authorization" request header field or the HTTP request entity-body.
>
> oauth2.el should be able to use the header mechanism, either mandatory
> or as a default.

This seems to have been implemented in oauth2 version 0.11 (elpa commit
55da50d5 2016-07-09 "oauth2: send authentication token via Authorization
header").
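
Added example, not part of the original message and not code from oauth2.el: it builds the same request with the token as an `access_token` query parameter and as an `Authorization: Bearer` header, shows what a Common Log Format access log would record for each, and redacts tokens already present in such logs. The host `api.example.test`, the token value, the log layout and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

TOKEN = "CONSTRUCTED-TOKEN-123"  # constructed sample value, not a real credential

def build_request(url, token, use_header):
    """Return (url, headers) for the header method or the URI query method."""
    if use_header:
        return url, {"Authorization": "Bearer " + token}
    sep = "&" if urlsplit(url).query else "?"
    return url + sep + urlencode({"access_token": token}), {}

def access_log_line(method, url, status=200):
    """Constructed Common Log Format line: it records the request line
    (path and query string) but no request headers."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return ('192.0.2.10 - - [11/Jul/2016:20:43:08 -0400] '
            f'"{method} {target} HTTP/1.1" {status} 512')

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def redact_log_line(line):
    """Return (line, leaked): leaked is True when the logged URL carried an
    access_token parameter, whose value is replaced in the returned line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key == "access_token" for key, _ in pairs):
        return line, False
    clean = [(k, "REDACTED" if k == "access_token" else v) for k, v in pairs]
    target = parts.path + "?" + urlencode(clean)
    return line[:m.start("target")] + target + line[m.end("target"):], True

if __name__ == "__main__":
    base = "https://api.example.test/v1/events?maxResults=5"  # assumed endpoint
    for use_header in (False, True):
        url, headers = build_request(base, TOKEN, use_header)
        line = access_log_line("GET", url)
        redacted, leaked = redact_log_line(line)
        print("header method" if use_header else "query method ", "| leaked:", leaked)
        print("  logged:  ", line)
        print("  redacted:", redacted)
```
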