emacs-devel

Re: oauth2 support for Emacs email clients


From: Andrew Cohen
Subject: Re: oauth2 support for Emacs email clients
Date: Thu, 05 Aug 2021 08:21:29 +0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

>>>>> "RW" == Roland Winkler <winkler@gnu.org> writes:

    RW> On Tue Aug 3 2021 Gregory Heytings wrote:
    >> > It is my understanding, that support of oauth2 within the Emacs
    >> > ecosystem is rather incomplete.
    >> 
    >> It is not incomplete,
    >> 
    RW> [snip]
    >> 
    >> oauth2.el refreshes tokens automatically, so once the initial
    >> ugly configuration is done, everything should work smoothly.

    RW> Upon authentication, oauth2.el does not support
    RW> `access_type=offline'.  It is my understanding that this is
    RW> needed to get upon authorization not only an access token, but
    RW> also a refresh token.  The latter is needed to grant an app
    RW> continuous access beyond the short lifetime of an access token.
    RW> However, the emacs url machinery also lacks the code that is
    RW> needed to use the refresh token in order to request a new
    RW> access token if the current access token has expired.  This goes
    RW> beyond the advice of url-http-handle-authentication that is
    RW> currently used by oauth2.el.

I don't think this is quite right. Emacs can use the refresh token to
obtain the access token just fine (this is what I have been doing for
the past year).

As others have also mentioned, once the initial setup and authorization
has been done (i.e. registering and authorizing the client) emacs can
integrate the use of oauth2 in a way that is essentially
indistinguishable from any other password protected imap or smtp
server. I have the token information stored in auth-source storage, and
with the soon-to-be-pushed changes that I posted, the access token is
properly (and automatically) refreshed when needed (roughly every hour
given the MS expiration time).

Skip the following details if you aren't interested:

A plstore contains an entry for the oauth2-protected server (imap or
smtp), including the usual :host, :port, :user keys. The entry also
includes an oauth2 token structure with key :token. Finally for the
:secret (i.e. password) I use the name of a function that gets and
returns the access token (early on when I set this up I pushed a minor
modification to auth-source to allow functions to be called for the
secret rather than just holding the password).

Here is the function I use to return the refreshed access-token:

(defun gnus-refresh-access (plist)
  "Return a fresh access token for the auth-source entry PLIST.
PLIST is the plstore entry; its :token value is an oauth2-token struct."
  (let ((token (plist-get plist :token)))
    ;; oauth2-refresh-access uses the stored refresh token to obtain a new
    ;; access token and returns the updated struct.
    (oauth2-token-access-token
     (oauth2-refresh-access token))))

And then I configure the server (the nnimap-authenticator server
parameter or the smtp-auth parameter 'xoauth2) and that's all. As
mentioned in another post the plstore is encrypted and requires a
password to decrypt (as Andreas pointed out the gpg-agent controls
caching of this password).

Sorry for being long-winded---I make it sound complicated but it is very
straightforward and as I said it functions the same as any other
auth-source password protected server.

Best,
A.


-- 
Andrew Cohen
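The following is an added example and not code from the message above or from oauth2.el. It shows two pieces a practitioner setting this up usually wants next to gnus-refresh-access: a refresh wrapper that avoids hitting the token endpoint on every IMAP/SMTP login while the previous access token is still valid, and the SASL XOAUTH2 initial client response that the 'xoauth2 authenticator ends up sending once it has the token. The only oauth2.el APIs used are oauth2-refresh-access, oauth2-token-access-token and oauth2-token-access-response; every my-* name, the expiry table and the 3600-second fallback (the "roughly every hour" from the message) are this example's own assumptions, and how the secret function is registered with auth-source depends on the auth-source change Andrew mentions and is not shown.

```elisp
;; Added example (not from the original post or from oauth2.el).
(require 'oauth2)
(require 'cl-lib)

(defvar my-oauth2-expiry-table (make-hash-table :test #'eq)
  "Assumed cache: oauth2-token struct -> time its access token expires.")

(defconst my-oauth2-refresh-margin 120
  "Refresh this many seconds before the provider's stated expiry.")

(defun my-oauth2-token-lifetime (token)
  "Seconds of validity reported for TOKEN, or nil if unknown.
RFC 6749 puts this in the `expires_in' member of the token response,
which oauth2.el keeps (as the alist from the initial grant) in the
access-response slot.  It is not updated on refresh, so treat it as a
best-effort hint rather than an exact value."
  (let ((expires-in (cdr (assq 'expires_in
                               (oauth2-token-access-response token)))))
    (and (numberp expires-in) expires-in)))

(defun my-oauth2-fresh-access-token (token)
  "Return a usable access token for TOKEN, refreshing only when needed.
Same effect as gnus-refresh-access, minus a network round trip per login
while the cached access token is still inside its lifetime."
  (let ((expiry (gethash token my-oauth2-expiry-table)))
    (when (or (null expiry)
              (time-less-p expiry (time-add nil my-oauth2-refresh-margin)))
      ;; oauth2-refresh-access POSTs grant_type=refresh_token to the token
      ;; endpoint, updates the struct in place (and its plstore entry when
      ;; the token came from one) and returns the struct.
      (oauth2-refresh-access token)
      ;; Fallback of 3600 s is an assumption, matching the hourly expiry
      ;; mentioned in the message for Microsoft.
      (let ((lifetime (or (my-oauth2-token-lifetime token) 3600)))
        (puthash token (time-add nil lifetime) my-oauth2-expiry-table)))
    (oauth2-token-access-token token)))

(defun my-gnus-xoauth2-secret (plist)
  "Secret function in the style of gnus-refresh-access: PLIST is the
plstore entry for the server, and the return value is the access token."
  (my-oauth2-fresh-access-token (plist-get plist :token)))

(defun my-xoauth2-initial-response (user access-token)
  "Build the SASL XOAUTH2 initial client response for USER and ACCESS-TOKEN.
Both Google and Microsoft document the wire format as
  user=<user>^Aauth=Bearer <token>^A^A
base64-encoded on a single line; this is what follows
AUTHENTICATE XOAUTH2 (IMAP) or AUTH XOAUTH2 (SMTP)."
  (base64-encode-string
   (encode-coding-string
    (format "user=%s\001auth=Bearer %s\001\001" user access-token)
    'utf-8)
   t))

;; Constructed sample, runnable offline: the exact string a client would
;; send for a hypothetical user and a placeholder token.
(my-xoauth2-initial-response "someuser@example.com" "ya29.placeholder")
```

Two practical points this makes visible: the refresh token is the long-lived credential, so the plstore that holds it (and the gpg-agent cache protecting it) deserves the same care as a stored password; and because the access token is sent in the clear inside the SASL exchange, the 'xoauth2 authenticator is only as safe as the TLS connection it runs over.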