GNU bug report logs -
#78366
30.1; auth-source-xoauth2-plugin conflicts with multiple Google accounts
Reported by: Anush V <j <at> gnu.org>
Date: Sun, 11 May 2025 02:46:02 UTC
Severity: normal
Tags: fixed
Found in version 30.1
Fixed in version 31.1
Done: Robert Pluim <rpluim <at> gmail.com>
Xiyue Deng <manphiz <at> gmail.com> writes:
> Xiyue Deng <manphiz <at> gmail.com> writes:
>
>> Hi Robert,
>>
>> Robert Pluim <rpluim <at> gmail.com> writes:
>>
>>>>>>>> On Thu, 15 May 2025 00:17:02 -0700, Xiyue Deng <manphiz <at> gmail.com> said:
>>>
>>> Xiyue> Thanks for the insights! I managed to reproduce the issue, and during
>>> Xiyue> debugging I got the list from the reply as Anush mentioned. Turned out
>>> Xiyue> that the return code was 334 server challenge[1], so it was waiting for
>>> Xiyue> the correct user and password. Sometimes this was directly considered
>>> Xiyue> authentication unsuccessful for Gmail[2]. `smtpmail-ok-p' considers a
>>> Xiyue> return code less than 400 as successful, and only has challenge handling
>>> Xiyue> implemented in cram-md5. As we should be providing the correct
>>> Xiyue> credentials directly in xoauth2, 334 is effectively a failure.
>>>
>>> Xiyue> Maybe in `smtpmail-try-auth-method' for xoauth2, if we see return code
>>> Xiyue> 334, we should change the return value to "535 5.7.8 Authentication
>>> Xiyue> credentials invalid". Would like to see whether the Emacs maintainers
>>> Xiyue> think this is a good idea.
>>>
>>> Itʼs either that, or change `smtpmail-ok-p' to accept a second
>>> optional parameter for which codes to accept for success, which seems
>>> like overkill here.
>>>
>>
>> In this case it's more like which codes not to accept (334), but I agree
>> `smtpmail-ok-p' is probably the wrong place to handle that.
>>
>> I'll work on a patch for `smtpmail-try-auth-method' later.
>>
>
> A draft patch is attached, please take a look.
>
Friendly ping. Does the patch look acceptable for smtpmail.el?
P.S. I have auth-source-xoauth2-plugin 0.2.1 released with the
workaround. Please check it out.
> --
> Regards,
> Xiyue Deng
> From 8de2535105c1fac14ab6c5fef792435b21a0861f Mon Sep 17 00:00:00 2001
> From: Xiyue Deng <manphiz <at> gmail.com>
> Date: Fri, 16 May 2025 02:48:52 -0700
> Subject: [PATCH] Make xoauth2 auth fail when a smtp server replies 334
> (bug#78366)
>
> * lisp/mail/smtpmail.el (smtpmail-try-auth-method): Throws error 535
> when receiving a "334 server challenge" reply.
> ---
> lisp/mail/smtpmail.el | 20 +++++++++++++++-----
> 1 file changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/lisp/mail/smtpmail.el b/lisp/mail/smtpmail.el
> index 9337ee9401a..eda91793d17 100644
> --- a/lisp/mail/smtpmail.el
> +++ b/lisp/mail/smtpmail.el
> @@ -642,11 +642,21 @@ smtpmail-try-auth-method
>
> (cl-defmethod smtpmail-try-auth-method
> (process (_mech (eql 'xoauth2)) user password)
> - (smtpmail-command-or-throw
> - process
> - (concat "AUTH XOAUTH2 "
> - (base64-encode-string
> - (concat "user=" user "\1auth=Bearer " password "\1\1") t))))
> + (let ((ret (smtpmail-command-or-throw
> + process
> + (concat "AUTH XOAUTH2 "
> + (base64-encode-string
> + (concat "user=" user "\1auth=Bearer " password "\1\1")
> + t)))))
> + (if (eq (car ret) 334)
> + ;; When a server returns 334 server challenge, it usually means
> + ;; the credentials it received was wrong (e.g. was an actual
> + ;; password instead of an access token). In such case, we
> + ;; should return a string with 535 to indicate a failure so that
> + ;; smtpmail will try other authentication mechanisms. See also
> + ;; https://debbugs.gnu.org/78366.
> + (throw 'done "535 5.7.8 Authentication credentials invalid")
> + ret)))
>
> (defun smtpmail-response-code (string)
> (when string
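Review bot: In the `(if (eq (car ret) 334)` branch, the `throw` to `done` happens while the server is still waiting for the client's answer to its 334 continuation, so the AUTH exchange is left open on `process`. The comment says the aim is for smtpmail to try other authentication mechanisms, and the next AUTH command sent on the same connection could then be read by the server as the response to the pending challenge. Consider ending the exchange before throwing (an empty response line, or `*` to cancel as RFC 4954 allows) and reading the server's final reply. It would also help to keep the server's 334 text in a log or in the thrown message, since the synthetic "535 5.7.8 Authentication credentials invalid" string replaces it entirely and hides the actual cause from anyone debugging a failed login.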
> --
> 2.47.2
>
--
Regards,
Xiyue Deng
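
The reply handling discussed in this message, as an added example that is not part of the original thread, the patch, or smtpmail.el: it builds the XOAUTH2 initial response in the same format as the patch and contrasts a generic "below 400 is OK" check with a classifier that treats 334 as a failure and keeps the decoded challenge payload. All `my/` names are hypothetical and the sample replies are constructed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; not code from smtpmail.el or from the patch in this thread.
;; Every `my/' name is hypothetical and the sample replies are constructed.
(require 'subr-x)

(defun my/xoauth2-initial-response (user token)
  "Return the base64 SASL XOAUTH2 initial response for USER and TOKEN."
  (base64-encode-string
   (concat "user=" user "\1auth=Bearer " token "\1\1") t))

(defun my/smtp-reply-code (line)
  "Return the three-digit reply code at the start of LINE, or nil."
  (when (string-match "\\`[0-9][0-9][0-9]\\(?:[ -]\\|\\'\\)" line)
    (string-to-number (substring line 0 3))))

(defun my/generic-ok-p (line)
  "Generic check as described in the thread: any code below 400 is OK."
  (let ((code (my/smtp-reply-code line)))
    (and code (< code 400))))

(defun my/xoauth2-classify (line)
  "Classify LINE, the server's first reply to AUTH XOAUTH2.
Return (success), (failure CODE DETAIL) or (malformed).  A 334 reply is
a failure here: the client already sent its only credential, so DETAIL
carries the decoded challenge payload for logging."
  (let ((code (my/smtp-reply-code line)))
    (cond
     ((null code) (list 'malformed))
     ((= code 334)
      (list 'failure code
            (ignore-errors
              (decode-coding-string
               (base64-decode-string (string-trim (substring line 3)))
               'utf-8))))
     ((< code 300) (list 'success))
     (t (list 'failure code (string-trim (substring line 3)))))))

(defun my/demo ()
  "Run both checks over constructed replies; return one row per reply."
  (let* ((payload (base64-encode-string
                   "{\"status\":\"400\",\"schemes\":\"Bearer\"}" t))
         (replies (list "235 2.7.0 Accepted"
                        (concat "334 " payload)
                        "535 5.7.8 Authentication credentials invalid")))
    (mapcar (lambda (r)
              (list (my/generic-ok-p r) (my/xoauth2-classify r)))
            replies)))
```

Evaluating `(my/demo)` shows the row for the 334 reply passing the generic check while the classifier reports it as a failure, which is the mismatch the thread describes.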
This bug report was last modified 14 days ago.