GNU bug report logs - #79242
30.1; [ELPA] More proposed improvements for oauth2


Package: emacs;

Reported by: Xiyue Deng <manphiz <at> gmail.com>

Date: Fri, 15 Aug 2025 09:39:01 UTC

Severity: normal

Found in version 30.1

Done: Xiyue Deng <manphiz <at> gmail.com>


From: Xiyue Deng <manphiz <at> gmail.com>
To: 79242 <at> debbugs.gnu.org
Cc: Xiyue Deng <manphiz <at> gmail.com>
Subject: bug#79242: [PATCH 8/8] Update NEWS with summary of recent changes
Date: Fri, 15 Aug 2025 03:06:14 -0700
---
 NEWS | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/NEWS b/NEWS
index 72b0606659..9858605bc1 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,43 @@ Summary of changes to oauth2.el
 (For changes of 0.16 and older please check the git history of the
 repository of oauth2.el.)
 
+* 0.18
+
+** Support reusing cached access_token before it expires
+
+In 0.17 and older version, each time one calls `oauth2-refresh-access'
+it will refresh the access_token immediately, which is kind of
+wasteful if the access_token is still valid.  Some services will
+return the same token before it expires, though it would be great to
+avoid the network request.  This has now been implemented.
+
+Note: some people may notice that in most cases there is actually no
+extra network request generated.  This is because auth-source caches
+the credentials, which is controlled by auth-source-cache-expiry (7200
+seconds by default).  As most access_tokens are valid for around 1
+hour, it is advised to reduce that value to 3600 seconds or lower, or
+you may see auth-source login error because the cached credentials are
+expired.
+
+** Support OAuth2 PKCE extension
+
+Proof Key for Code Exchange is an extension to prevent CSRF and
+authorization code injection attacks (RFC7636) and supported by most
+OAuth2 servers.  This is now implemented and enabled by default.
+
+** Another update to plstore id generation
+
+The generation of plstore id now also includes `user-name'.  This
+enables the usage of predefined `client-id'/`client-secret' from
+e.g. thunderbird, evolution, etc.  This is because the same client
+info is shared among accounts, and other access required info like
+auth-url, token-url, etc. are the same for the same service, which
+leads to the same plstore id and prevent handling multiple accounts.
+Adding `user-name' ensures a unique plstore id for each account.
+
+This would mean that users would have to re-authenticate for all
+accounts (like in the last release).
+
 * 0.17
 
 ** Changes to plstore id generation and needs to reacquire refresh_token
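Review bot: The PKCE entry cites RFC7636 for "CSRF and authorization code injection attacks", but RFC 7636 itself states the threat it addresses as authorization code interception against public clients; reword to match the RFC, or cite the document that makes the CSRF/injection claim. The same entry says PKCE is "enabled by default" without naming the option or argument that turns it off, which someone talking to a server without PKCE support would need to know. In the caching note, recommending `auth-source-cache-expiry` of "3600 seconds or lower" for tokens valid "around 1 hour" still lets the cache entry outlive the token; suggest advising a value clearly below the token lifetime. The plstore entry should also say explicitly that existing stored entries are no longer found under the new id, since "would have to re-authenticate" does not tell users what happens to the old data.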
-- 
2.47.2





This bug report was last modified 4 days ago.
