Hi Ted, Ted Zlatanov writes: > On Thu, 03 Oct 2024 15:41:34 -0700 Xiyue Deng wrote: > > XD> Just want to follow up on this: may we try your fixes and maybe try to > XD> contribute for committing upstream? Also, for the :secret in closures, > XD> do you suggest to remove it or is there another up-to-date way to hide > XD> it in memory? > > I think contributing the oauth2 support directly to Emacs is the best > approach because it would help the greatest number of users without > requiring extra configuration. I'd say modifying auth-source.el to fit > the need is absolutely OK. I would just ask that if you modify the > format of the authinfo file, to keep it compatible with JSON > serialization for those of us that use an authinfo.json file. > > I'd prefer to find another way to hide the secrets if closures don't > work anymore. I don't know if Emacs offers something; if not then we > should make an effort to do it. But that effort should not block the > oauth2 support, it's completely separate IMO. > > XD> Maybe auth-source source can host a helper function that checks > XD> if `:secret' is not set and xaouth2 is preferred (e.g. `:auth' > XD> is `xoauth2') and all required credentials are available it will > XD> get the access_token and put it `:secret' (or basically my hacky > XD> advice :) > > Sure, if that makes the code easier. I think the important thing is just > to make it compatible with the current usage and to avoid making the > user customize things to make oauth2 support Just Work. > > XD> In this regard, is it desirable to make `auth-source-search-backends' a > XD> defgeneric acting on a given protocol (basic vs. xoauth2 vs. others), > XD> and similarly for `nnimap-login' et al.? > > I'm not sure if that would benefit the users. If it benefits the > developers that's nice, but definitely not required, and especially if > it changes the search API and can't be implemented in a compatible way. > Because there may be a dozen packages on Github or whatever using that > API, and updating all of them will be painful. > > Basically if the search API works right now, it's probably easier to > leave it or make a new one and transition gradually. > > I hope this was helpful :) > > -- > Ted Zlatanov It seems I completely missed your email, and sorry for that. I think your suggestions are very helpful: we should make oauth2 available for auth-source while keeping the existing interface. I think there are a few more things to do before that can happen: * Ship oauth2.el with Emacs, so that auth-source can make use of it. * Decide which sequence of credentials to try before giving up and throw an error. I wonder how hard it would be to make these happen. Since this thread is already very long, I'll probably file new bugs for tracking. Thanks again! -- Regards, Xiyue Deng