[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Making GNUS continue to work with Gmail
From: |
Michael Anckaert |
Subject: |
Re: Making GNUS continue to work with Gmail |
Date: |
Fri, 07 Aug 2020 20:37:13 +0200 |
User-agent: |
mu4e 1.4.12; emacs 26.3 |
Cesar Crusius writes:
> Richard Stallman <rms@gnu.org> writes:
>
>> [[[ To any NSA and FBI agents reading my email: please consider ]]]
>> [[[ whether defending the US Constitution against all enemies, ]]]
>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>>
>> > The person you want to reach out to is probably
>> > dvratil@kde.org. Here's a relevant blog post from him, about how
>> > he fixed the Kontact Oauth2 problem:
>>
>> > https://www.dvratil.cz/2019/08/kontact-google-integration-issue/
>>
>> Lars, is this something you can do?
>>
>> > My auth-source-xoauth2 package "avoids" that by having every user
>> > do the API key dance with Google, and as a result is rather hard
>> > to setup.
>>
>> Aside from the inconvenience, is there anything about this we simply
>> cannot ask users to do? Does it require accepting terms that are
>> unjust and not required for using Gmail itself?
>
> I went through the process a long time ago, so I can't answer that with
> certainty. The current legalese is in the pages here:
>
> https://developers.google.com/terms
>
> Somebody with a keener legal eye could look at it, but there are certainly
> more/different terms there.
>
> As an aside, it is worth noting that my package is not Gmail-specific. It
> could be used for the Reddit example given before via similar means: register
> a project/app in Reddit, get the keys, etc.
>
> The crux here is that there needs to be an app - their intent is that the
> software producer (in this case an "Emacs" or "Gnus") registers an "official"
> app, and the app manages its secrets in a way compliant with their terms
> (which we already know is pretty hard for OSS projects).
I've picked up this discussion from the list archives and decided to chime in
with some information I have. Since I lack the previous emails in this
discussion, please excuse me replying out of sync.
Including the client ID / secret key in Emacs source code (as Thunderbird does)
is bad practice. In addition, I believe there might be some legal / moral
issues with registering an FSF application under the Google TOS.
The only suitable alternative would be to have the user register his own Google
Cloud Project and use that client ID to run the OAUTH2 flow. This approach
differs in that instead of having one client and many users, we have one client
for every user.
In the past I've written a number of software packages for companies that had
to make use of Google API's using OAUTH2 authentication. In some cases we
couldn't include the client secret in those packages (various departments had
their own Google Cloud projects and API usage guidelines). So in essence I had
the same issue as what Emacs is facing now.
The solution was to have the software prompt the user to create a specific
project on Google Cloud and specify the client secret in the application
configuration. A similar approach could be chosen for Emacs so that instead of
having a single client ID for Emacs, every user creates his/her own project and
configures the client ID in his/her Emacs configuration. Then the OAUTH2 flow
has to be run for that 'Emacs application'.
The flow as I once implemented it could be adapted to Emacs as follows:
* The Emacs documentation specifies the user what type of Google Cloud project
has to be created and what client ID / secrets have to be configured.
* After configuring this information, the user starts an Emacs command (eg M-x
retrieve-oauth-credentials)
* This command starts a local webserver and opens the address in the user's
browser
* The webpage displayed allows the user to start the OAUTH2 flow which
redirects to the local webpage with the OAUTH2 token
* Emacs stores the OAUTH2 token in a suitable location
I would have to check back to some code I have stored to verify the entire flow
and make sure I didn't miss anything. But in essence the flow above is what
would be required.
If deemed suitable, I'm willing to aid in development of this feature if
someone can spend some time mentoring / guiding me on the required steps and
correct implementation details.
--
Michael Anckaert
michael.anckaert@sinax.be
+32 474 066 467
https://sinax.be
- Re: Making GNUS continue to work with Gmail, (continued)
- Re: Making GNUS continue to work with Gmail, Cesar Crusius, 2020/08/06
- Re: Making GNUS continue to work with Gmail, Colin Baxter, 2020/08/11
- Re: Making GNUS continue to work with Gmail, Colin Baxter, 2020/08/11
- Re: Making GNUS continue to work with Gmail, Uwe Brauer, 2020/08/11
- Re: Making GNUS continue to work with Gmail, Uwe Brauer, 2020/08/11
- Re: Making GNUS continue to work with Gmail, Colin Baxter, 2020/08/11
- Re: Making GNUS continue to work with Gmail, Richard Stallman, 2020/08/11
- Re: Making GNUS continue to work with Gmail, Colin Baxter, 2020/08/12
- Re: Making GNUS continue to work with Gmail, Richard Stallman, 2020/08/06
- Re: Making GNUS continue to work with Gmail, Cesar Crusius, 2020/08/07
- Re: Making GNUS continue to work with Gmail,
Michael Anckaert <=
- Re: Making GNUS continue to work with Gmail, Cesar Crusius, 2020/08/07
- Re: Making GNUS continue to work with Gmail, T.V Raman, 2020/08/07
- Re: Making GNUS continue to work with Gmail, Richard Stallman, 2020/08/07
- Re: Making GNUS continue to work with Gmail, Richard Stallman, 2020/08/07
- Re: Making GNUS continue to work with Gmail, Richard Stallman, 2020/08/07
Re: Making GNUS continue to work with Gmail, Uwe Brauer, 2020/08/09