From: Gregory Heytings <gregory@heytings.org>
To: Tim Cross <theophilusx@gmail.com>
Cc: emacs-devel@gnu.org
Subject: Re: oauth2 support for Emacs email clients
Date: Tue, 03 Aug 2021 12:55:45 +0000
Message-ID: <de477a47cc4a6c98b148@heytings.org>
In-Reply-To: <87lf5ircmd.fsf@gmail.com>
>
> I also wonder if the 'ban' on putting credentials into the source
> (public) is that 'clear cut'.
>
Again, IANAL, but I at least would never take the risk to deliberately and
publicly violate the terms of a contract I signed with Google or Microsoft
(or, for that matter, with anyone else).
>
> From what I've read, the 'application key', was never supposed to be
> secret - this was apparently an oversight in the initial oauth specs
>
It is indeed "security through obscurity". But it is (a kind of) security
nonetheless. The application key is used by the provider to identify the
application that requests access to the resources (in this case emails).
If Mr. Black Hat copies the application key of (say) Gnus in his malware
(which he obviously did not submit for approval to Google), its users will
see an approval screen "Do you allow Gnus to access your emails?". If Mr.
Black Hat names its application "Gnus", its users will believe its
application is a legitimate and approved one, and will click "OK".
>
> Of course, the chance of getting a decision from the right person at
> either google or MS is next to zero, so I guess we are stuck.
>
Indeed.
>
> I guess in the end, all we can really do is try to find a way of
> streamlining the process to get a developer key for each user as this
> seems to be the main barrier to a more straight-forward setup.
>
I fear that's not possible either, each email provider has their own
process to create an application key, which they adapt from time to time
(at least from a user experience viewpoint).
>
> The good news is that once you have that key, the oauth2.el library
> seems to take care of renewal of session tokens, so once setup, things
> should just work.
>
Indeed.