GNU bug report logs - #72358: 29.4; oauth2.el improvements
Reported by: Xiyue Deng <manphiz <at> gmail.com>
Date: Tue, 30 Jul 2024 02:20:01 UTC
Severity: normal
Found in version 29.4
Done: Philip Kaludercic <philipk <at> posteo.net>
Bug is archived. No further changes may be made.
Message #95 received at 72358 <at> debbugs.gnu.org (full text, mbox):
Xiyue Deng <manphiz <at> gmail.com> writes:
> Björn Bidar <bjorn.bidar <at> thaodan.de> writes:
>
>> Xiyue Deng <manphiz <at> gmail.com> writes:
>>
>>> Xiyue Deng <manphiz <at> gmail.com> writes:
>>>
>>>> Björn Bidar <bjorn.bidar <at> thaodan.de> writes:
>>>>
>>>>> Robert Pluim <rpluim <at> gmail.com> writes:
>>>>>
>>>>>> Xiyue> - This will invalidate all existing entries and a user will have to redo
>>>>>> Xiyue> the authorization process again to get a new refresh token. However,
>>>>>> Xiyue> I think it's more important to ensure that oauth2.el works correctly
>>>>>> Xiyue> for multiple accounts of the same provider, or a user may suffer from
>>>>>> Xiyue> confusion when adding a new account invalidates a previous account.
>>>>>>
>>>>>> I donʼt think thatʼs too big a concern. 'modern' authentication flows
>>>>>> regularly re-prompt, so this will not be too surprising (although
>>>>>> maybe call it out in the packageʼs NEWS or README).
>>>>>
>>>>> In many cases the refreshing of tokens is transparent to the user; there
>>>>> doesn't have to be a re-prompt to refresh the token if the OAuth
>>>>> provider supports it.
>>>>> Microsoft's OAuth workflow is quite good in this regard as there's a
>>>>> non-standard error to indicate when the user has to re-authorize the
>>>>> application.
>>>>>
>>>>
>>>> Actually I have been having trouble for a few weeks getting my
>>>> outlook.com email to work with MS OAuth2. To avoid some repeated typing, I
>>>> have documented the issues and steps I have tried in this Stack Overflow
>>>> question[1]. I would greatly appreciate it if you can shed some light
>>>> there.
>>>>
>>>>> I assume all implementations of OAuth have their quirks.
>>>>
>>>> Indeed.
>>>>
>>>>
>>>> [1]
>>>> https://stackoverflow.com/questions/78787763/getting-aadsts65001-error-invalid-grant-when-trying-to-refresh-access-token-fo
>>>
>>> Just want to report back that after confirming with an MS representative
>>> through online chat, outlook.com has actually disabled refreshing
>>> access_token through the token endpoint, and users are asked to migrate
>>> to the Outlook app or compatible apps (Thunderbird still works).
>>
>> Thank you for notifying me of this; I will forward this to my employer.
>>
>>> I'm not sure whether this is also the case for organization emails, which may
>>> also be disabled by default (or soonish if not already) but can be
>>> enabled separately by an org admin.
>>
>> It does depend; some domains use a whitelist, e.g. Tampere University of
>> Applied Sciences. Without a specific Emacs Gnus/CalDAV/whatever AppID
>> inside Microsoft OAuth2 it will be hard to pass that.
>>
>>
>>> Anyway, I'd suggest people stop
>>> wasting your time here and use Gmail (or maybe Yahoo mail) which has
>>> decent 3rd party OAuth2 support.
>>
>> I don't think that's an option for most users that complain about working
>> OAuth2 support; in most cases it's a work or some other organization
>> account.
>>
>> Another thing I think is very important is to support Nextcloud, as it's
>> a FOSS app supporting OAuth2 which quite a lot of users and organizations
>> have adopted.
>>
>>
>
> Nextcloud sounds interesting. Do you know where I can check for the
> OAuth2 credentials like client_id and client_secret?

sourcehut [1] provides a Free Software OAuth2 flow, and it has the
benefit of not requiring JavaScript (even FOSS JavaScript) anywhere in
the process. I wrote url-http-oauth-demo.el [2] as a complete "worked"
example demonstrating its use with url-http-oauth.el.

Thomas

1. https://sourcehut.org/
2. https://git.savannah.gnu.org/cgit/emacs/elpa.git/tree/url-http-oauth-demo.el?h=externals/url-http-oauth

This bug report was last modified 258 days ago.