GNU bug report logs - #41386
28.0.50; Gnus nnimap OAuth 2.0 support

Previous Next

Full log

View this message in rfc822 format

From: David Engster <deng <at> randomsample.de>
To: Richard Stallman <rms <at> gnu.org>
Cc: Lars Ingebrigtsen <larsi <at> gnus.org>, fitzsim <at> fitzsim.org, 41386 <at> debbugs.gnu.org
Subject: bug#41386: 28.0.50; Gnus nnimap OAuth 2.0 support
Date: Fri, 22 May 2020 10:28:38 +0200

> The two Google announcements clearly describe how Google plans to
> block access with anything other than OAuth 2.  They don't go into
> much detail about what OAuth 2 requires, and don't describe how this
> conflicts with free software.
>
> Can someone find a page describing this issue in a careful
> and thorough way, written by someone who knows the subject?

I've described the main issue in another mail in this bug thread. The
problem is that Google's terms of service explicitly forbid to put
client IDs into "open source projects". You can read their terms of
service here:

  https://developers.google.com/terms

Section 4b, paragraph 1:

  Developer credentials (such as passwords, keys, and client IDs) are
  intended to be used by you and identify your API Client. You will keep
  your credentials confidential and make reasonable efforts to prevent and
  discourage other API Clients from using your credentials. Developer
  credentials may not be embedded in open source projects.

So for authors of (F)OSS non-web applications, this in effect makes it
impossible to use OAuth2 with Google services if a client id/secret is
required. The client id/secret is used to identify the application that
is making the request.

-David

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.