From: bug#23281 <23281@debbugs.gnu.org>
To: bug#23281 <23281@debbugs.gnu.org>
Subject: Status: 24.5; oauth2 lacks "Authorization: Bearer"
Date: Fri, 15 Aug 2025 21:17:11 +0000

retitle 23281 24.5; oauth2 lacks "Authorization: Bearer"
reassign 23281 emacs
submitter 23281 Jon Kåre Hellan
severity 23281 normal
tag 23281 fixed
thanks

From: Jon Kåre Hellan
To: bug-gnu-emacs@gnu.org
Subject: 24.5; oauth2 lacks "Authorization: Bearer"
Message-ID: <570E3400.8020708@acm.org>
Date: Wed, 13 Apr 2016 13:56:48 +0200

The oauth2 elpa package provides oauth2 authentication. The Oauth2
standard works by passing around authentication tokens. The oauth2.el
appends the token to the url as a query parameter. This works with some
services, but the preferred way is to pass it in an
"Authorization: Bearer" header. Quote from RFC 6570:

    Because of the security weaknesses associated with the URI method
    (see Section 5), including the high likelihood that the URL
    containing the access token will be logged, it SHOULD NOT be used
    unless it is impossible to transport the access token in the
    "Authorization" request header field or the HTTP request entity-body.

oauth2.el should be able to use the header mechanism, either mandatory
or as a default.

My first attempt at dealing with this myself was unsuccessful. Is
there an easy way to log the http(s) requests that emacs sends,
including headers? (In url-http.el?) I found the buffers with the
responses, but not the requests.

Jon

In GNU Emacs 24.5.1 (x86_64-apple-darwin13.4.0, NS apple-appkit-1265.21)
 of 2015-04-10 on builder10-9.porkrind.org
Windowing system distributor `Apple', version 10.3.1404
Configured using:
 `configure --with-ns
 '--enable-locallisppath=/Library/Application
 Support/Emacs/${version}/site-lisp:/Library/Application
 Support/Emacs/site-lisp''

Important settings:
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  eldoc-mode: t
  global-flycheck-mode: t
  flycheck-mode: t
  ido-everywhere: t
  show-paren-mode: t
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
Wrote /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2-pkg.elc
Checking /Users/jk/.emacs.d/elpa/oauth2-0.10...
Compiling /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2.el...done
Wrote /Users/jk/.emacs.d/elpa/oauth2-0.10/oauth2.elc
Checking /Users/jk/.emacs.d/elpa/oauth2-0.10...
Done (Total of 2 files compiled, 1 skipped)
End of buffer [7 times]
Loading oauth2...done
End of buffer
Making completion list...

Load-path shadows:
/Users/jk/emacs/site-lisp/json hides /Applications/Emacs.app/Contents/Resources/lisp/json

Features:
(shadow sort mail-extr emacsbug sendmail oauth2 warnings advice cl-macs
json plstore epg cl gv autoload lisp-mnt mm-archive message format-spec
rfc822 mml mml-sec mailabbrev gmm-utils mailheader mm-decode mm-bodies
mm-encode mail-utils network-stream starttls url-http tls mail-parse
rfc2231 rfc2047 rfc2045 ietf-drums url-gw url-cache url-auth url
url-proxy url-privacy url-expand url-methods url-history url-cookie
url-domsuf url-util mailcap url-handlers url-parse auth-source eieio
byte-opt bytecomp byte-compile cl-extra cconv eieio-core gnus-util
mm-util mail-prsvr password-cache url-vars finder-inf eldoc help-fns
flycheck find-func help-mode rx subr-x seq dash edmacro kmacro
cl-loaddefs cl-lib flymake compile comint ansi-color ring which-func
imenu ido info easymenu package epg-config pcase paren server time-date
tooltip electric uniquify ediff-hook vc-hooks lisp-float-type mwheel
ns-win tool-bar dnd fontset image regexp-opt fringe tabulated-list
newcomment lisp-mode prog-mode register page menu-bar rfn-eshadow timer
select scroll-bar mouse jit-lock font-lock syntax facemenu font-core
frame cham georgian utf-8-lang misc-lang vietnamese tibetan thai
tai-viet lao korean japanese hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer nadvice loaddefs button faces cus-face macroexp
files text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
cocoa ns multi-tty emacs)

Memory information:
((conses 16 210988 9737)
 (symbols 48 28298 5)
 (miscs 40 48 221)
 (strings 32 53567 7069)
 (string-bytes 1 1478859)
 (vectors 16 24240)
 (vector-slots 8 519700 11630)
 (floats 8 97 245)
 (intervals 56 263 75)
 (buffers 960 13))

From: Lars Magne Ingebrigtsen
To: Jon Kåre Hellan
Cc: 23281@debbugs.gnu.org
Subject: Re: bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"
References: <570E3400.8020708@acm.org>
Date: Tue, 26 Apr 2016 00:25:36 +0200

Jon Kåre Hellan writes:

> My first attempt at dealing with this myself was unsuccessful. Is
> there an easy way to log the http(s) requests that emacs sends,
> including headers? (In url-http.el?) I found the buffers with the
> responses, but not the requests.

(setq url-debug t)

and then look in the *URL-DEBUG* buffer after fetching something.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

From: npostavs@users.sourceforge.net
To: Jon Kåre Hellan
Cc: 23281@debbugs.gnu.org
Subject: Re: bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"
References: <570E3400.8020708@acm.org>
Message-ID: <87r3azfzz7.fsf@users.sourceforge.net>
Date: Mon, 11 Jul 2016 20:43:08 -0400

tags 23281 fixed
close 23281 oauth2/0.11
quit

Jon Kåre Hellan writes:

> The oauth2 elpa package provides oauth2 authentication. The Oauth2
> standard works by passing around authentication tokens. The oauth2.el
> appends the token to the url as a query parameter. This works with some
> services, but the preferred way is to pass it in an
> "Authorization: Bearer" header. Quote from RFC 6570:
>
>     Because of the security weaknesses associated with the URI method
>     (see Section 5), including the high likelihood that the URL
>     containing the access token will be logged, it SHOULD NOT be used
>     unless it is impossible to transport the access token in the
>     "Authorization" request header field or the HTTP request entity-body.
>
> oauth2.el should be able to use the header mechanism, either mandatory
> or as a default.

This seems to have been implemented in oauth2 version 0.11 (elpa commit
55da50d5 2016-07-09 "oauth2: send authentication token via Authorization
header").

From: npostavs@users.sourceforge.net
To: control@debbugs.gnu.org
Subject: control message for bug #23281
Message-ID: <87oa63fxex.fsf@users.sourceforge.net>
Date: Mon, 11 Jul 2016 21:38:30 -0400

close 23281
quit

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 09 Aug 2016 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
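
Added example, not part of the thread and not code from oauth2.el: the two ways of sending the access token that the report contrasts, written against url.el, plus a helper that masks the token in a URL before it is logged. All `my-bearer-` names, the endpoint and the token are constructed for illustration; `url-request-extra-headers` and `url-retrieve-synchronously` are the standard url.el interfaces.

```elisp
;;; Added illustration; not oauth2.el code.  `my-bearer-' names are hypothetical.
(require 'cl-lib)
(require 'url)
(require 'url-util)

(defun my-bearer-url-with-token (url token)
  "Return URL with TOKEN appended as an `access_token' query parameter.
This is the URI method: the secret becomes part of the request target,
so it is recorded wherever the URL is recorded."
  (concat url
          (if (string-match-p "\\?" url) "&" "?")
          "access_token=" (url-hexify-string token)))

(defun my-bearer-headers (token &optional headers)
  "Return HEADERS with an \"Authorization: Bearer\" entry for TOKEN added.
Any Authorization entry already present in HEADERS is dropped first."
  (cons (cons "Authorization" (concat "Bearer " token))
        (cl-remove-if (lambda (h)
                        (string-equal (downcase (car h)) "authorization"))
                      headers)))

(defun my-bearer-retrieve (url token)
  "Fetch URL synchronously with TOKEN sent only in the Authorization header.
Return the response buffer, as `url-retrieve-synchronously' does."
  (let ((url-request-extra-headers
         (my-bearer-headers token url-request-extra-headers)))
    (url-retrieve-synchronously url)))

(defun my-bearer-redact-url (url)
  "Return URL with the value of any `access_token' parameter masked.
Apply this to URLs before writing them to a log or a message."
  (replace-regexp-in-string "\\([?&]access_token=\\)[^&#]*"
                            "\\1REDACTED" url t))

(defun my-bearer-demo ()
  "Return what each method puts where, using constructed sample values."
  (let* ((endpoint "https://api.example.org/v1/items?limit=5") ; constructed
         (token "SAMPLE-TOKEN-not-a-real-secret")               ; constructed
         (leaky (my-bearer-url-with-token endpoint token)))
    (list :uri-method-url leaky
          :uri-method-url-for-logs (my-bearer-redact-url leaky)
          :header-method-url endpoint
          :header-method-headers (my-bearer-headers token))))
```

Evaluating `(my-bearer-demo)` compares the two request shapes without any network access: with the header method the URL that reaches logs is the bare endpoint.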