GNU bug report logs - #72358
29.4; oauth2.el improvements

Previous Next

Full log

Message #74 received at 72358 <at> debbugs.gnu.org (full text, mbox):

From: Xiyue Deng <manphiz <at> gmail.com>
To: Björn Bidar <bjorn.bidar <at> thaodan.de>
Cc: Robert Pluim <rpluim <at> gmail.com>, 72358 <at> debbugs.gnu.org
Subject: Re: bug#72358: 29.4; oauth2.el improvements
Date: Wed, 07 Aug 2024 16:22:23 -0700

Xiyue Deng <manphiz <at> gmail.com> writes:

> Björn Bidar <bjorn.bidar <at> thaodan.de> writes:
>
>> Robert Pluim <rpluim <at> gmail.com> writes:
>>
>>>     Xiyue> - This will invalidate all existing entries and a user will have to redo
>>>     Xiyue>   the authorization process again to get a new refresh token.  However,
>>>     Xiyue>   I think it's more important to ensure that oauth2.el works correctly
>>>     Xiyue>   for multiple accounts of the same provider, or a user may suffer from
>>>     Xiyue>   confusion when adding a new account invalidates a previous account.
>>>
>>> I donʼt think thatʼs too big a concern. 'modern' authentication flows
>>> regularly re-prompt, so this will not be too surprising (although
>>> maybe call it out in the packageʼs NEWS or README).
>>
>> In many cases the refreshing of tokens is transparent to the user there
>> doesn't have to be a re-prompt to refresh the token if the OAuth
>> provider support it.
>> Micrsofts OAuth workflow is quite good in this regard as there's a
>> non-standard error to indicate when the user has to re-authorize the
>> application.
>>
>
> Actually I am currently having trouble for a few weeks to get my
> outlook.com email work with MS OAuth2.  To avoid some repeated typing, I
> have documented the issues and steps I have tried in this stackoverflow
> question[1].  I would great appreciated it if you can shed some lights
> there
>
>> I assume all implementation of OAuth have their quirks.
>
> Indeed.
>
>
> [1] https://stackoverflow.com/questions/78787763/getting-aadsts65001-error-invalid-grant-when-trying-to-refresh-access-token-fo

Just want to report back that after confirming with an MS representative
through online chat, outlook.com has actually disabled refreshing
access_token through the token endpoint, and users are asked to migrate
to Outlook app or compatibles apps (Thunderbird still works).  I'm not
sure whether this is also the case for organization emails, which may
also be disabled by default (or soonish if not already) but can be
enabled separately by an org admin.  Anyway, I'd suggest people stop
wasting your time here and use Gmail (or maybe Yahoo mail) which has
decent 3rd party OAuth2 support.

Meanwhile I have submitted a request to re-enable this support[1].

[1] https://feedbackportal.microsoft.com/feedback/idea/069f1816-0a55-ef11-b4ad-0022484d3ecc

-- 
Xiyue Deng

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.