bug-gnu-emacs

bug#72992: 29.4; towards xoauth2 support in Emacs


From: Stefan Kangas
Subject: bug#72992: 29.4; towards xoauth2 support in Emacs
Date: Tue, 17 Sep 2024 21:33:04 +0000

Xiyue Deng <manphiz@gmail.com> writes:

> Now that bug#72358 is done, as promised, I'm posting my plugin for
> auth-sources that enables oauth2 handling which you can find on
> Gitlab[1] (also attached).  As the current approach tries to override
> some existing handling in auth-source, I would like to gather some
> comments on how to properly integrate this handling, and see if there is
> any benefit on providing this as a separate package for older Emacs
> versions.
>
> In the comment section of the package I put notes on how xoauth2 is
> enabled as well as existing restrictions in auth-source and how it
> works around them.  I'll briefly explain below.

I think it would be good if you could add to your package some general
explanation of what xoauth2 is, and what are its use cases both in a
general sense, and specifically together with the auth-source
package. Don't assume that people already know what xoauth2 is, how it
is different from oauth2, which services use it, etc. Explain it. I
would add such general information to the beginning of the "Commentary"
section. Nothing long is needed, just a general introduction and perhaps
links for where to read more.

Some examples of when it would be used, preferably with example code for
some use cases, would also go a long way.

> Currently, auth-source search requires that the result include `:secret'
> most of the time, where when using xoauth2 it is actually the
> access-token. Actually, auth-source has existing support for xoauth2
> authentication, though it assumes that the password value actually
> stores the access-token.

Where can we find this "existing support"?  Do you mean the
'auth-source-xoauth2' package on GNU ELPA?

> Because xoauth2 also makes use of
> `secret'/`password', it makes it hard to determine whether to use
> password-based or xoauth2-based authentication, which is why my plugin
> asks users to set `auth' in auth-source to determine whether to use
> xoauth2.  Another complication from this is that auth-source search
> requires the entry to contain a `secret' most of the time, where it does
> not need to be set when using xoauth2.  Therefore I work around this by
> temporarily disabling this check and trying to retrieve access-token using
> oauth2 and setting the result as password.
>
> Given the inconveniences of reusing password for access-token, I wonder
> whether we can add support for a separate `:access-token' key in the
> auth-source entry and use that instead of password when authenticating
> using xoauth2.  This way, we can have both password and access-token in
> an auth-source entry and nnimap and smtpmail can use either one.  More
> specifically:
>
> * When performing an auth-source search, if xoauth2 related fields are
>   set (see the list of fields in the comments of my plugin), it will
>   retrieve access-token using oauth2.
>
> * The search should change to check whether either `secret'/`password' or
>   `access-token' is available.
>
> * For `nnimap-login' and `smtpmail-try-auth-method', pass in both
>   password and access-token, and for xoauth2 it should use access-token
>   instead of password.
>
> If this is an acceptable approach, I'll try to draft a patch to
> implement this in Emacs.  Otherwise, it may still be worth implementing the
> current approach directly in Emacs so as to avoid using hacks like
> advice.

I'm not very familiar with auth-source.el, but on a general level the
above makes sense to me.  I've also Cc:ed Ted Zlatanov, the author of
auth-source.el.

> Meanwhile, I wonder whether this may be worth releasing as a separate
> package so that users of older versions can use xoauth2 as well.  I'd
> like to make it compatible with the agreed-upon approach to minimize any
> incompatibilities.
>
> Thanks for reading, and any comments are appreciated.

Are you proposing to include this in Emacs core, on GNU ELPA, or
something else?

Thanks.

> [1] https://gitlab.com/xiyueden/auth-source-xoauth2-plugin




