GNU bug report logs -
#72992
29.4; towards xoauth2 support in Emacs
Hi Andrew,
Andrew Cohen <acohen <at> ust.hk> writes:
>>>>>> "XD" == Xiyue Deng <dengxiyue <at> gmail.com> writes:
>
> XD> Hi Stefan, Stefan Kangas <stefankangas <at> gmail.com> writes:
>
> >> Xiyue Deng <manphiz <at> gmail.com> writes:
> >>
>
> [...]
>
>
> >>> Currently, auth-source search requires that the result include
> >>> `:secret' most of the time, where when using xoauth2 it is
> >>> actually the access-token. Actually, auth-source has existing
> >>> support for xoauth2 authentication, though it assumes that the
> >>> password value actually stores the access-token.
> >>
> >> Where can we find this "existing support"? Do you mean the
> >> 'auth-source-xoauth2' package on GNU ELPA?
> >>
>
> XD> The basic support is actually in the Emacs core already,
> XD> e.g. for Gnus nnimap[2] and smtpmail[3]. However, this assumes
> XD> one to put the access_token in place of `:secret' in the
> XD> auth-source file as Emacs uses password as the access_token in
> XD> both places. However, access_token expires quite frequently
> XD> (e.g. about 1 hour for Gmail) and without refreshing it
> XD> automatically it is practically impossible to use conveniently.
> XD> Hence the proposed hack and the following suggestion.
>
>
> This isn't actually true. When I added the support many years ago, I
> updated auth-source so that the :secret field can be a function, and
> this is how you should be using the current xoauth support.

Thanks for pointing this out! I found the place where `:secret' is
handled as a function[1]. However, this requires a user to implement
the oauth2 logic oneself, which I'm afraid is a bit too low-level and
error-prone. (Actually, can I actually put a Lisp function in
auth-source.gpg?) Maybe auth-source source can host a helper function
that checks if `:secret' is not set and xoauth2 is preferred
(e.g. `:auth' is `xoauth2') and all required credentials are available
it will get the access_token and put it in `:secret' (or basically my hacky
advice :)

> On the bug thread I posted a suitable function that handles token
> refreshing (and it's on my list of changes to emacs that I expect to
> push at some point). So everything necessary to use xoauth for nnimap
> and smtpmail with auth-source, including automatic token refreshing,
> is already present in emacs.
>
> Having said that, I think some of the ideas in Xiyue's code would be
> useful. However I think it would be best to base this on the existing
> code which works very well and is in use by at least me (and I think
> some others as well).
>

Just remembered your comment in Bug#72358[2]. And of course if your
proposals can be part of auth-source that would be great for the users.
Still would be great to have a unified plan and make it happen.

P.S. Is your setup mentioned in Bug#72358 still working for outlook.com
emails? After reaching out to an MS representative they mentioned that
token refresh was disabled[3] for outlook.com so I just gave up. Maybe
it still works for Outlook Org emails?

> Best,
> Andy
>
>
> --
> Andrew Cohen

[1] https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/auth-source.el#n872
[2] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=72358#47
[3] https://stackoverflow.com/questions/78787763/getting-aadsts65001-error-invalid-grant-when-trying-to-refresh-access-token-fo
--
Xiyue Deng
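
An added example (not code from this thread, from Bug#72358, or from Emacs itself) of the function-valued `:secret' discussed above: a closure that caches an access token and refreshes it shortly before it expires. The `example-' names, the host and user values, and the return shape of the refresh function are assumptions; the actual OAuth2 refresh request is left to the caller-supplied function.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example: a self-refreshing value for the `:secret' slot.
;; All `example-' names are hypothetical; REFRESH-FN stands in for the
;; real OAuth2 refresh-token request, which is not shown here.

(defun example-xoauth2-make-secret (refresh-fn &optional skew)
  "Return a closure usable as an auth-source `:secret' value.
REFRESH-FN is called with no arguments and must return a cons
\(ACCESS-TOKEN . LIFETIME-SECONDS).  The closure caches the token and
calls REFRESH-FN again only once the token is within SKEW seconds
\(default 60) of expiring."
  (let ((skew (or skew 60))
        (token nil)
        (expires-at 0.0))
    (lambda ()
      (when (or (null token)
                (>= (float-time) (- expires-at skew)))
        (pcase-let ((`(,new-token . ,lifetime) (funcall refresh-fn)))
          ;; Fail closed: never hand a stale or empty token to the caller.
          (unless (and (stringp new-token) (numberp lifetime))
            (error "Token refresh returned no usable access token"))
          (setq token new-token
                expires-at (+ (float-time) lifetime))))
      token)))

(defun example-xoauth2-resolve (auth-info)
  "Return the password or access token stored in AUTH-INFO.
While the `:secret' value is a function, call it to get the value."
  (let ((secret (plist-get auth-info :secret)))
    (while (functionp secret)
      (setq secret (funcall secret)))
    secret))

;; Constructed demonstration with a fake refresher that counts its calls.
(let* ((calls 0)
       (fake-refresh (lambda ()
                       (setq calls (1+ calls))
                       ;; 3600 s matches the "about 1 hour" Gmail lifetime.
                       (cons (format "constructed-token-%d" calls) 3600)))
       (entry (list :host "imap.example.invalid"
                    :user "user@example.invalid"
                    :secret (example-xoauth2-make-secret fake-refresh))))
  (list (example-xoauth2-resolve entry)   ; first use triggers a refresh
        (example-xoauth2-resolve entry)   ; second use is served from cache
        calls))
```

The token lives only in the closure, so nothing short-lived is written back to the auth-source file; the long-lived refresh credentials are whatever the supplied refresh function reads.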
This bug report was last modified 318 days ago.