GNU bug report logs - #41386
28.0.50; Gnus nnimap OAuth 2.0 support


Package: emacs;

Reported by: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>

Date: Tue, 19 May 2020 02:06:01 UTC

Severity: wishlist

Tags: wontfix

Found in version 28.0.50

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


From: Björn Bidar <bjorn.bidar <at> thaodan.de>
To: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Cc: 41386 <at> debbugs.gnu.org
Subject: bug#41386: 28.0.50; Gnus nnimap OAuth 2.0 support
Date: Sat, 29 Oct 2022 18:36:41 +0300

I know this bug is marked as wontfix; however, more and more providers are
moving to Oauth2, even those that use plain standards like
imap/{cal,card}dav/smtp, thus increasing the importance of Oauth2
support in Gnus.

The main advantage I see is that oauth allows for two factor
authentication and the invalidation of the "password" that the app
stores. The password or token that the app has usually only lasts for a
duration of time and can be invalidated if needed. Like if the person no
longer works for the employer or the device has been stolen.

Some providers like Microsoft require it next year and the employer
can already enforce the use of Oauth2 [1].
The argument "just use another email provider" doesn't really work in
such cases.

SailfishOS recently added oauth2 support for Microsoft Oauth and
KDE also does support it[2].
In the case of Microsoft there are no "secrets" that can be stored publicly just the
application id[3].

Without proper OAuth2 support there is no use for Gnus for such users,
except to try third party solutions that can help.

On Elpa there's oauth2.el which provides Oauth2 support for Emacs. There
are externals who implemented oauth for Gmail[4] and Microsoft 365[5]
through the use of oauth2.el.

However these don't handle the oauth workflow of acquiring the token.
It is possible to try to do that inside emacs or use an external browser
and then catch the response or make the user copy the response address
into Emacs.

The main issue to implement this I think is to have an official "appid"
for Emacs and add the Oauth2 workflow.
I don't know about google right now but for Microsoft 365 this seems
feasible as there's just an appid that can be stored publicly. 


Br,

Björn Bidar

---

[1] https://techcommunity.microsoft.com/t5/exchange-team-blog/improving-security-together/ba-p/805892
[2] https://invent.kde.org/pim/kdepim-runtime/-/tree/master/resources/ews/ewsclient/auth
[3] https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
[4] https://github.com/ggervasio/gnus-gmail-oauth/
[5] https://gitlab.com/Binary-Eater/gnus-o365-oauth2/-/tree/master
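
Added example, not part of the original message and not code from Gnus or oauth2.el: the token-acquisition workflow the message describes (open an external browser, then have the user copy the response address back) for a public client that holds only an application id. It is written in Python for illustration; the function names and the endpoint and redirect values passed in are hypothetical, and the PKCE step (RFC 7636) is an assumption added here as the usual protection for clients without a secret.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def start_authorization(authorize_url, client_id, redirect_uri, scope):
    """Return (url_to_open_in_browser, state, verifier) for a public client."""
    state = secrets.token_urlsafe(16)     # binds the response to this request
    verifier = secrets.token_urlsafe(32)  # 43 chars; never leaves the client
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,           # public application id, no secret
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"{authorize_url}?{query}", state, verifier

def code_from_pasted_redirect(pasted, redirect_uri, expected_state):
    """Extract the authorization code from the address the user copied back."""
    got, want = urlsplit(pasted.strip()), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("address does not match the registered redirect URI")
    params = parse_qs(got.query)
    if "error" in params:                 # e.g. the user declined consent
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this request")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]

def token_request_body(client_id, redirect_uri, code, verifier):
    """Form body for the token endpoint POST; there is no client_secret field."""
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "code": code,
                      "code_verifier": verifier})
```

The state check rejects a pasted address that belongs to a different authorization request, and the verifier sent in the token request means an intercepted code alone cannot be redeemed.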






This bug report was last modified 2 years and 200 days ago.
