Package: emacs
Reported by: Xiyue Deng <manphiz <at> gmail.com>
Date: Tue, 3 Sep 2024 00:00:02 UTC
Severity: wishlist
Found in version 29.4
Message #26 received at 72992 <at> debbugs.gnu.org:

From: Xiyue Deng <dengxiyue <at> gmail.com>
To: Stefan Kangas <stefankangas <at> gmail.com>, 72992 <at> debbugs.gnu.org
Cc: Ted Zlatanov <tzz <at> lifelogs.com>, Philip Kaludercic <philipk <at> posteo.net>
Subject: Re: bug#72992: 29.4; towards xoauth2 support in Emacs
Date: Wed, 18 Sep 2024 12:43:39 -0700

Hi Stefan,

Stefan Kangas <stefankangas <at> gmail.com> writes:

> Xiyue Deng <manphiz <at> gmail.com> writes:
>
>> Now that bug#72358 is done, as promised, I'm posting my plugin for
>> auth-sources that enables oauth2 handling which you can find on
>> Gitlab[1] (also attached).  As the current approach tries to override
>> some existing handling in auth-source, I would like to gather some
>> comments on how to properly integrate this handling, and see if there is
>> any benefit in providing this as a separate package for older Emacs
>> versions.
>>
>> In the comment section of the package I put notes on how xoauth2 is
>> enabled as well as existing restrictions in auth-source and how it
>> works around them.  I'll briefly explain below.
>
> I think it would be good if you could add to your package some general
> explanation of what xoauth2 is, and what are its use cases both in a
> general sense, and specifically together with the auth-source
> package.  Don't assume that people already know what xoauth2 is, how it
> is different from oauth2, which services use it, etc.  Explain it.  I
> would add such general information to the beginning of the "Commentary"
> section.  Nothing long is needed, just a general introduction and perhaps
> links for where to read more.
>

Good suggestions.  Added to the comments part.

> Some examples of when it would be used, preferably with example code for
> some use cases, would also go a long way.
>

I have added some examples on how to set it up and use it in Gnus and
smtpmail after sending the earlier version.  Please check it out at [1]
(with the changes above.)

>> Currently, auth-source search requires that the result include `:secret'
>> most of the time, where when using xoauth2 it is actually the
>> access-token.  Actually, auth-source has existing support for xoauth2
>> authentication, though it assumes that the password value actually
>> stores the access-token.
>
> Where can we find this "existing support"?  Do you mean the
> 'auth-source-xoauth2' package on GNU ELPA?
>

The basic support is actually in the Emacs core already, e.g. for Gnus
nnimap[2] and smtpmail[3].  However, this assumes one puts the
access_token in place of `:secret' in the auth-source file, as Emacs uses
the password as the access_token in both places.  However, the
access_token expires quite frequently (e.g. about 1 hour for Gmail) and
without refreshing it automatically it is practically impossible to use
conveniently.  Hence the proposed hack and the following suggestion.

>> Because xoauth2 also makes use of
>> `secret'/`password', it makes it hard to determine whether to use
>> password-based or xoauth2-based authentication, which is why my plugin
>> asks users to set `auth' in auth-source to determine whether to use
>> xoauth2.  Another complication from this is that auth-source search
>> requires the entry to contain a `secret' most of the time, where it does
>> not need to be set when using xoauth2.  Therefore I work around this by
>> temporarily disabling this check and trying to retrieve the access-token
>> using oauth2 and setting the result as the password.
>>
>> Given the inconveniences of reusing password for access-token, I wonder
>> whether we can add support for a separate `:access-token' key in the
>> auth-source entry and use that instead of password when authenticating
>> using xoauth2.  This way, we can have both password and access-token in
>> an auth-source entry and nnimap and smtpmail can use either one.  More
>> specifically:
>>
>> * When performing an auth-source search, if xoauth2 related fields are
>>   set (see the list of fields in the comments of my plugin), it will
>>   retrieve access-token using oauth2.
>>
>> * The search should change to check whether either `secret'/`password'
>>   or `access-token' is available.
>>
>> * For `nnimap-login' and `smtpmail-try-auth-method', pass in both
>>   password and access-token, and for xoauth2 it should use access-token
>>   instead of password.
>>
>> If this is an acceptable approach, I'll try to draft a patch to
>> implement this in Emacs.  Otherwise, it may still be worth implementing
>> the current approach directly in Emacs so as to avoid using hacks like
>> advice.
>
> I'm not very familiar with auth-source.el, but on a general level the
> above makes sense to me.  I've also Cc:ed Ted Zlatanov, the author of
> auth-source.el
>

Thanks!  Would also like to hear Ted's opinion on this and decide which
route to take.

>> Meanwhile, I wonder whether this may be worth releasing as a separate
>> package so that users of older versions can use xoauth2 as well.  I'd
>> like to make it compatible with the agreed-upon approach to minimize any
>> incompatibilities.
>>
>> Thanks for reading, and any comments are appreciated.
>
> Are you proposing to include this in Emacs core, on GNU ELPA, or
> something else?
>

I'd like to contribute to Emacs core once a direction is decided.  Maybe
also put this plugin in ELPA to support older Emacs versions if both are
compatible.

> Thanks.
>

[1] https://gitlab.com/xiyueden/auth-source-xoauth2-plugin
[2] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/gnus/nnimap.el#n616
[3] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/mail/smtpmail.el#n640

-- 
Xiyue Deng
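
The credential selection proposed in the message above (access token for xoauth2, password otherwise, either one satisfying a search), as an added Emacs Lisp example that is not code from Emacs, auth-source or the plugin. It models entries as plain plists rather than calling auth-source; the `my/` function names and the `:expires-at` field are hypothetical, and all sample values are constructed.

```elisp
;; Added example, not code from Emacs or the plugin.  Entries are plain
;; plists; :access-token is the key proposed in the thread, and
;; :expires-at (epoch seconds) is a hypothetical field for this sketch.

(defun my/xoauth2-initial-response (user access-token)
  "Return the base64 SASL XOAUTH2 initial response for USER and ACCESS-TOKEN."
  (base64-encode-string
   (encode-coding-string
    (concat "user=" user "\001auth=Bearer " access-token "\001\001")
    'utf-8)
   t))

(defun my/entry-credential (entry &optional now)
  "Pick the credential for ENTRY, a plist, at time NOW (epoch seconds).
Return (xoauth2 . TOKEN) or (password . SECRET), or signal an error."
  (let ((auth (plist-get entry :auth))
        (token (plist-get entry :access-token))
        (secret (plist-get entry :secret))
        (expires (plist-get entry :expires-at))
        (now (or now (float-time))))
    (cond
     ((equal auth "xoauth2")
      (cond
       ((not (stringp token))
        (error "xoauth2 entry has no :access-token"))
       ;; An expired token must be refreshed, never replaced by :secret,
       ;; so the long-lived password is not sent as a bearer token.
       ((and expires (<= expires now))
        (error "Access token expired, refresh required"))
       (t (cons 'xoauth2 token))))
     ((stringp secret) (cons 'password secret))
     (t (error "Entry has neither :secret nor :access-token")))))

;; Constructed sample entries; every value is a placeholder.
(let ((mail '(:host "imap.example.org" :user "alice@example.org"
              :auth "xoauth2" :access-token "TOKEN-PLACEHOLDER"
              :secret "pw-placeholder" :expires-at 2000))
      (plain '(:host "imap.example.org" :user "bob"
               :secret "pw-placeholder")))
  (list (my/entry-credential mail 1000)   ; token still valid
        (my/entry-credential plain 1000)  ; password-only entry
        (condition-case err (my/entry-credential mail 3000)
          (error (error-message-string err)))
        (my/xoauth2-initial-response "alice@example.org"
                                     "TOKEN-PLACEHOLDER")))
```

Keeping the token and the password under separate keys lets one entry carry both while making it explicit which secret goes on the wire for each mechanism.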