GNU bug report logs - #72358
29.4; oauth2.el improvements


Package: emacs;

Reported by: Xiyue Deng <manphiz <at> gmail.com>

Date: Tue, 30 Jul 2024 02:20:01 UTC

Severity: normal

Found in version 29.4

Done: Philip Kaludercic <philipk <at> posteo.net>



Message #98 received at 72358 <at> debbugs.gnu.org:

From: Björn Bidar <bjorn.bidar <at> thaodan.de>
To: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Cc: Robert Pluim <rpluim <at> gmail.com>, 72358 <at> debbugs.gnu.org,
 Xiyue Deng <manphiz <at> gmail.com>
Subject: Re: bug#72358: 29.4; oauth2.el improvements
Date: Mon, 12 Aug 2024 19:26:06 +0300

Thomas Fitzsimmons <fitzsim <at> fitzsim.org> writes:

> Xiyue Deng <manphiz <at> gmail.com> writes:
>
>> Björn Bidar <bjorn.bidar <at> thaodan.de> writes:
>>
>>> Xiyue Deng <manphiz <at> gmail.com> writes:
>>>
>>>> Xiyue Deng <manphiz <at> gmail.com> writes:
>>>>
>>>>> Björn Bidar <bjorn.bidar <at> thaodan.de> writes:
>>>>>
>>>>>> Robert Pluim <rpluim <at> gmail.com> writes:
>>>>>>
>>>>>>>     Xiyue> - This will invalidate all existing entries and a user will have to redo
>>>>>>>     Xiyue>   the authorization process again to get a new refresh token.  However,
>>>>>>>     Xiyue>   I think it's more important to ensure that oauth2.el works correctly
>>>>>>>     Xiyue>   for multiple accounts of the same provider, or a user may suffer from
>>>>>>>     Xiyue>   confusion when adding a new account invalidates a previous account.
>>>>>>>
>>>>>>> I donʼt think thatʼs too big a concern. 'modern' authentication flows
>>>>>>> regularly re-prompt, so this will not be too surprising (although
>>>>>>> maybe call it out in the packageʼs NEWS or README).
>>>>>>
>>>>>> In many cases the refreshing of tokens is transparent to the user; there
>>>>>> doesn't have to be a re-prompt to refresh the token if the OAuth
>>>>>> provider supports it.
>>>>>> Microsoft's OAuth workflow is quite good in this regard as there's a
>>>>>> non-standard error to indicate when the user has to re-authorize the
>>>>>> application.
>>>>>>
>>>>>
>>>>> Actually I have been having trouble for a few weeks getting my
>>>>> outlook.com email to work with MS OAuth2.  To avoid some repeated typing, I
>>>>> have documented the issues and steps I have tried in this stackoverflow
>>>>> question[1].  I would greatly appreciate it if you can shed some light
>>>>> there.
>>>>>
>>>>>> I assume all implementations of OAuth have their quirks.
>>>>>
>>>>> Indeed.
>>>>>
>>>>>
>>>>> [1]
>>>>> https://stackoverflow.com/questions/78787763/getting-aadsts65001-error-invalid-grant-when-trying-to-refresh-access-token-fo
>>>>
>>>> Just want to report back that after confirming with an MS representative
>>>> through online chat, outlook.com has actually disabled refreshing
>>>> access_token through the token endpoint, and users are asked to migrate
>>>> to the Outlook app or compatible apps (Thunderbird still works).
>>>
>>> Thank you for notifying me of this; I will forward it to my employer.
>>>
>>>> I'm not sure whether this is also the case for organization emails, which may
>>>> also be disabled by default (or soonish if not already) but can be
>>>> enabled separately by an org admin.
>>>
>>> It does depend; some domains use a whitelist, e.g. Tampere University of
>>> Applied Sciences. Without a specific Emacs Gnus/Caldav/whatever AppID
>>> inside Microsoft OAuth2 it will be hard to pass that.
>>>
>>>
>>>> Anyway, I'd suggest people stop
>>>> wasting your time here and use Gmail (or maybe Yahoo mail) which has
>>>> decent 3rd party OAuth2 support.
>>>
>>> I don't think that's an option for most users who complain about working
>>> OAuth2 support; in most cases it's a work or some other organization
>>> account.
>>>
>>> Another thing I think is very important is to support Nextcloud, as it's
>>> a FOSS app supporting OAuth2 that quite a few users and organizations
>>> have adopted.
>>>
>>>
>>
>> Nextcloud sounds interesting.  Do you know where I can check for the
>> OAuth2 credentials like client_id and client_secret?
>
> sourcehut [1] provides a Free Software OAuth2 flow, and it has the
> benefit of not requiring JavaScript (even FOSS JavaScript) anywhere in
> the process.  I wrote url-http-oauth-demo.el [2] as a complete "worked"
> example demonstrating its use with url-http-oauth.el.

Would that provide OAuth2 for providers that require a login through
their web interface, such as Nextcloud Login, without a browser?
Most platforms such as Android, KDE or Sailfish OS use a browser for
OAuth2 login to log in, authorize and then forward the token to the
OS/app.


> Thomas
>
> 1. https://sourcehut.org/
> 2. https://git.savannah.gnu.org/cgit/emacs/elpa.git/tree/url-http-oauth-demo.el?h=externals/url-http-oauth
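The two behaviours the thread turns on, a refresh_token grant against the token endpoint (RFC 6749 section 6) and keeping stored tokens keyed per account so that adding a second account of the same provider does not overwrite the first, as an added example in Python that is not part of this thread, of oauth2.el or of url-http-oauth.el. The provider names, account addresses, client id and the in-memory token endpoint are all constructed stand-ins; one constructed provider refuses refreshes with `invalid_grant`, modelled on the refusal reported above rather than on any real provider's response.

```python
"""Per-account OAuth2 token store with refresh_token grant handling (constructed example)."""
import json
from urllib.parse import parse_qs, urlencode

# Constructed providers: "provider-a" honours refresh_token grants, "provider-b" does not
# (stand-in for a provider that has disabled refreshing through the token endpoint).
FAKE_PROVIDERS = {
    "provider-a": {"refresh_ok": True},
    "provider-b": {"refresh_ok": False},
}


def fake_token_endpoint(provider, form_body):
    """Stand-in for POST /token. Returns (http_status, json_body) for a refresh_token grant."""
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("grant_type") != "refresh_token":
        return 400, json.dumps({"error": "unsupported_grant_type"})
    if not FAKE_PROVIDERS[provider]["refresh_ok"]:
        # RFC 6749 section 5.2: invalid_grant covers a revoked, expired or otherwise unusable refresh token.
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "refresh disabled (constructed)"})
    return 200, json.dumps({"access_token": "at-new-" + params["refresh_token"],
                            "token_type": "Bearer", "expires_in": 3600,
                            "refresh_token": params["refresh_token"]})


class TokenStore:
    """Tokens keyed by (provider, account): a second account never clobbers the first."""

    def __init__(self):
        self._entries = {}

    def put(self, provider, account, token):
        self._entries[(provider, account)] = dict(token)

    def get(self, provider, account):
        return self._entries.get((provider, account))


def refresh_access_token(store, provider, account, client_id, client_secret=None,
                         post=fake_token_endpoint):
    """Exchange the stored refresh token for a new access token for exactly one account."""
    entry = store.get(provider, account)
    if entry is None or "refresh_token" not in entry:
        return {"status": "needs_authorization", "reason": "no refresh token stored"}
    form = {"grant_type": "refresh_token", "refresh_token": entry["refresh_token"],
            "client_id": client_id}
    if client_secret:  # confidential clients only; public clients send no secret
        form["client_secret"] = client_secret
    status, body = post(provider, urlencode(form))
    resp = json.loads(body)
    if status == 200 and "access_token" in resp:
        entry["access_token"] = resp["access_token"]
        # Providers may rotate the refresh token; keep the new one if they send it.
        entry["refresh_token"] = resp.get("refresh_token", entry["refresh_token"])
        store.put(provider, account, entry)
        return {"status": "refreshed", "access_token": resp["access_token"]}
    if resp.get("error") == "invalid_grant":
        # Only this account's tokens are dropped; the user redoes authorization for it alone.
        entry.pop("refresh_token", None)
        entry.pop("access_token", None)
        store.put(provider, account, entry)
        return {"status": "needs_authorization",
                "reason": resp.get("error_description", "invalid_grant")}
    return {"status": "error", "reason": resp.get("error", "http %d" % status)}


def demo():
    """Two accounts at one provider refresh independently; the refusing provider forces re-auth."""
    store = TokenStore()
    store.put("provider-a", "alice@example.com", {"refresh_token": "rt-alice"})
    store.put("provider-a", "bob@example.com", {"refresh_token": "rt-bob"})
    store.put("provider-b", "carol@example.com", {"refresh_token": "rt-carol"})
    return {
        "alice": refresh_access_token(store, "provider-a", "alice@example.com", "client-xyz"),
        "bob": refresh_access_token(store, "provider-a", "bob@example.com", "client-xyz"),
        "carol": refresh_access_token(store, "provider-b", "carol@example.com", "client-xyz"),
        "bob_entry": store.get("provider-a", "bob@example.com"),
        "carol_entry": store.get("provider-b", "carol@example.com"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Swapping `post=` for a real HTTP call against a provider's token endpoint is the only change needed to use `refresh_access_token` for real; the store key is the part that matters for the multi-account confusion described earlier in the thread, since a key of provider alone would make Bob's authorization replace Alice's.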



