Now that bug#72358 is done, as promised, I'm posting my plugin for
auth-sources that enables oauth2 handling which you can find on
Gitlab[1] (also attached). As the current approach tries to override
some existing handling in auth-source, I would like to gather some
comments on how to properly integrate this handling, and see if there is
any benefit in providing this as a separate package for older Emacs
versions.

In the comment section of the package I put notes on how xoauth2 is
enabled as well as existing restrictions in auth-source and how it
works around them. I'll briefly explain below.

Currently, auth-source search requires that the result include `:secret'
most of the time, whereas when using xoauth2 it is actually the
access-token. Actually, auth-source has existing support for xoauth2
authentication, though it assumes that the password value actually
stores the access-token. Because xoauth2 also makes use of
`secret'/`password', it is hard to determine whether to use
password-based or xoauth2-based authentication, which is why my plugin
asks users to set `auth' in auth-source to determine whether to use
xoauth2. Another complication from this is that auth-source search
requires that the entry contain a `secret' most of the time, whereas it
does not need to be set when using xoauth2. Therefore I work around this
by temporarily disabling this check, trying to retrieve the access-token
using oauth2, and setting the result as the password.

Given the inconveniences of reusing password for access-token, I wonder
whether we can add support for a separate `:access-token' key in the
auth-source entry and use that instead of password when authenticating
using xoauth2. This way, we can have both password and access-token in
an auth-source entry and nnimap and smtpmail can use either one. More
specifically:

* When performing an auth-source search, if xoauth2 related fields are
  set (see the list of fields in the comments of my plugin), it will
  retrieve access-token using oauth2.
* The search should change to check whether either `secret'/`password'
  or `access-token' is available.
* For `nnimap-login' and `smtpmail-try-auth-method', pass in both
  password and access-token, and for xoauth2 it should use access-token
  instead of password.

If this is an acceptable approach, I'll try to draft a patch to
implement this in Emacs. Otherwise, it may still be worth implementing
the current approach directly in Emacs so as to avoid using hacks like
advice.

Meanwhile, I wonder whether this may be worth releasing as a separate
package so that users of older versions can use xoauth2 as well. I'd
like to make it compatible with the agreed-upon approach to minimize any
incompatibilities.

Thanks for reading, and any comments are appreciated.

[1] https://gitlab.com/xiyueden/auth-source-xoauth2-plugin

In GNU Emacs 29.4 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.38,
cairo version 1.16.0) of 2024-07-02, modified by Debian built on
debian-hx90
System Description: Debian GNU/Linux 12 (bookworm)
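
An added example, not code from the plugin or from Emacs: a sketch of the credential selection proposed in the three bullet points of the message, written against plain plists so it runs without any auth-source backend. The `my/' function names, the `:auth' value "xoauth2", the plist key spellings and the sample entries are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; every `my/' name is hypothetical.

(defun my/resolve (value)
  "Return VALUE, calling it first when it is a function.
auth-source commonly wraps secrets in a closure."
  (if (functionp value) (funcall value) value))

(defun my/entry-usable-p (entry)
  "Non-nil if ENTRY carries a password or an access token.
This is the relaxed form of the `must have a secret' check."
  (or (plist-get entry :secret) (plist-get entry :access-token)))

(defun my/credential-for (entry)
  "Return (MECHANISM . CREDENTIAL) for ENTRY.
A password is never handed out as a bearer token, and a token is
never handed out as a password."
  (let ((xoauth2 (equal (plist-get entry :auth) "xoauth2")))
    (cond
     ((not (my/entry-usable-p entry))
      (error "Entry has neither a password nor an access token"))
     ((and xoauth2 (plist-get entry :access-token))
      (cons 'xoauth2 (my/resolve (plist-get entry :access-token))))
     (xoauth2
      ;; Fail closed rather than falling back to the password.
      (error "Entry asks for xoauth2 but has no access token"))
     ((plist-get entry :secret)
      (cons 'password (my/resolve (plist-get entry :secret))))
     (t (error "Entry has only an access token but does not ask for xoauth2")))))

(defun my/xoauth2-initial-response (user token)
  "Build the base64 SASL XOAUTH2 initial response for USER and TOKEN."
  (base64-encode-string
   (encode-coding-string
    (format "user=%s\001auth=Bearer %s\001\001" user token) 'utf-8)
   t))

;; Constructed sample entries: one password-only, one carrying both.
(let* ((pw-entry  (list :host "imap.example.org" :user "alice"
                        :secret (lambda () "constructed-password")))
       (tok-entry (list :host "imap.example.org" :user "alice"
                        :auth "xoauth2"
                        :secret (lambda () "constructed-password")
                        :access-token "constructed-token"))
       (chosen (my/credential-for tok-entry)))
  (list (car (my/credential-for pw-entry))
        (car chosen)
        (my/xoauth2-initial-response (plist-get tok-entry :user)
                                     (cdr chosen))))
```

Evaluating the final form returns the mechanism chosen for each entry followed by the encoded XOAUTH2 response for the second one; the entry that holds both a password and a token yields the token only because its `:auth' field asks for xoauth2.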