GNU bug report logs - #72358
29.4; oauth2.el improvements

Previous Next

Full log

View this message in rfc822 format

From: Björn Bidar <bjorn.bidar <at> thaodan.de>
To: Xiyue Deng <manphiz <at> gmail.com>
Cc: Robert Pluim <rpluim <at> gmail.com>, 72358 <at> debbugs.gnu.org
Subject: bug#72358: 29.4; oauth2.el improvements
Date: Thu, 08 Aug 2024 09:11:09 +0300

Xiyue Deng <manphiz <at> gmail.com> writes:

> Xiyue Deng <manphiz <at> gmail.com> writes:
>
>> Björn Bidar <bjorn.bidar <at> thaodan.de> writes:
>>
>>> Robert Pluim <rpluim <at> gmail.com> writes:
>>>
>>>>     Xiyue> - This will invalidate all existing entries and a user will have to redo
>>>>     Xiyue>   the authorization process again to get a new refresh token.  However,
>>>>     Xiyue>   I think it's more important to ensure that oauth2.el works correctly
>>>>     Xiyue>   for multiple accounts of the same provider, or a user may suffer from
>>>>     Xiyue>   confusion when adding a new account invalidates a previous account.
>>>>
>>>> I donʼt think thatʼs too big a concern. 'modern' authentication flows
>>>> regularly re-prompt, so this will not be too surprising (although
>>>> maybe call it out in the packageʼs NEWS or README).
>>>
>>> In many cases the refreshing of tokens is transparent to the user there
>>> doesn't have to be a re-prompt to refresh the token if the OAuth
>>> provider support it.
>>> Micrsofts OAuth workflow is quite good in this regard as there's a
>>> non-standard error to indicate when the user has to re-authorize the
>>> application.
>>>
>>
>> Actually I am currently having trouble for a few weeks to get my
>> outlook.com email work with MS OAuth2.  To avoid some repeated typing, I
>> have documented the issues and steps I have tried in this stackoverflow
>> question[1].  I would great appreciated it if you can shed some lights
>> there
>>
>>> I assume all implementation of OAuth have their quirks.
>>
>> Indeed.
>>
>>
>> [1] https://stackoverflow.com/questions/78787763/getting-aadsts65001-error-invalid-grant-when-trying-to-refresh-access-token-fo
>
> Just want to report back that after confirming with an MS representative
> through online chat, outlook.com has actually disabled refreshing
> access_token through the token endpoint, and users are asked to migrate
> to Outlook app or compatibles apps (Thunderbird still works).

Thank you for notifying me on this I will forward this to my employer.

> I'm not sure whether this is also the case for organization emails, which may
> also be disabled by default (or soonish if not already) but can be
> enabled separately by an org admin.

It does depend some domains use whitelist e.g. Tampere University of
Applies sciences. Without a specific Emacs GNUs/Caldav/whatever AppID
inside Microsoft OAuth2 it will be hard to pass that.


> Anyway, I'd suggest people stop
> wasting your time here and use Gmail (or maybe Yahoo mail) which has
> decent 3rd party OAuth2 support.

I don't think that's an option for most user that complain about working
OAuth2 support, in most cases it's a work or some other organization
account.

Another thing I think is very important is to support Nextcloud as it's
a FOSS app supporting OAuth2 which quite many users and organizations
adopted.


> Meanwhile I have submitted a request to re-enable this support[1].
>
> [1] https://feedbackportal.microsoft.com/feedback/idea/069f1816-0a55-ef11-b4ad-0022484d3ecc

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.