Message-ID: <7BD08FA33BDEF31677ABBA911CD6A3FE@eigenstate.org>
To: 9fans@9fans.net, 9front@9front.org
Subject: Re: [9fans] OAuth2 in factotum
Date: Sun, 22 Aug 2021 16:36:17 -0400
From: ori@eigenstate.org

Quoth ori@eigenstate.org:
> Quoth Demetrius Iatrakis:
> > This is a preview of OAuth2 support in factotum, as part of this year's GSoC:
> > https://github.com/Mitsos101/plan9front/pull/1
> >
> > Installation, on 9front:
> >
> > git/clone https://github.com/Mitsos101/plan9front plan9front-oauth
> > cd plan9front-oauth
> > git/branch oauth
> > bind sys/include /sys/include
> > @{cd sys/src/libauth && mk install}
> > @{cd sys/src/cmd/auth && mk install}
> > @{cd sys/src/cmd/webfs && mk install}
> >
> > This will replace your factotum.
> >
> > Usage:
> >
> > You need to obtain OAuth credentials from your issuer first. See, for
> > example, Google's guide:
> > https://developers.google.com/identity/protocols/oauth2.
> >
> > % echo 'key proto=oauth issuer=https://accounts.google.com scope=email
> > client_id=1234 !client_secret=5678' > /mnt/factotum/ctl
> > % auth/oauth 'client_id=1234'
> > go to https://google.com/device
> > your code is ABCD-EFGH
> >
> >
> > auth_oauth is also available in libauth.
> > Webfs uses it to implement the preoauth command.
> >
> > Bugs:
> >
> > This code is specific to 9front, as libjson is required and Plan 9's
> > webfs doesn't support preoauth.
> >
> > factotum uses the needkey RPC to display the verification URL and code
> > to the user. This means that, for now, the needkey file must not be
> > open so that fgui doesn't intercept it.
> >
> > The module imports lots of code to support HTTP/1.0 so that the
> > refresh token doesn't leave factotum's address space.
> >
> > Only the device and refresh flows are supported. There is an
> > implementation of the authorization code flow (tested on macOS) here:
> > https://github.com/Mitsos101/plan9port/pull/1. However, it is not
> > included in the module as there is no good browser to plumb the URL
> > to.
> >
> > Refresh tokens are not saved to persistent storage when factotum
> > exits. The user must provide consent every time factotum is restarted.
> >
>
> And, now that we have something working, I wrote
> some code to use it. I wrote a patch to add oauth
> support to upas/fs -- see attached:
>
> To use the patch, I followed this kind of clunky
> process:
>
> https://developers.google.com/identity/protocols/oauth2
>
> I went to the 'credentials' section on the sidebar
> and I created a key for a 'desktop application'; then
> I went to the 'oauth consent screen' and added my work
> email account as a 'test user'.
>
> I grabbed the keys, and on my unix box, went to
> the patched oauth:
>
> % cd $HOME/src/plan9port/src/cmd/oauth
>
> and generated a key using the full, browser based
> auth flow:
>
> % python httpd.py
> % ./oauth https://accounts.google.com https://mail.google.com/ $clientkey $clientsecret
> key proto=oauth issuer=https://accounts.google.com client_id=72...
>
> then edited the resulting output to include the appropriate
> attributes, adding the attributes in >>...<< for upas/fs:
>
> key proto=oauth
> >>service=imap server=imap.gmail.com user=ori@pingthings.io<<
> issuer=https://accounts.google.com client_id=
> token_type=Bearer exptime=1629662303 scope=...
>
> and then added that to factotum:
>
> echo key=... >/mnt/factotum/ctl
>
> With that, upas/fs just worked with my work email:
>
> upas/fs -f /imaps/imap.gmail.com/ori@pingthings.io
>
>
> Bugs: there are way too many steps. Unfortunately, the most
> annoying one is generating and adding an oauth client key/secret,
> and short of shipping a pregenerated one (is that a good idea?),
> I don't think there's a solution.
>
> Beyond that, 2 small bits of polish which I think we
> can do:
>
> - Adding a '-t' flag to oauth (the way auth/rsa does)
>   to add type information to auth/oauth login would
>   make it more convenient to use: the output could
>   be stored directly rather than needing editing.
> - Adding a script that allows spawning a browser and
>   http listener on unix (or redirecting things through
>   to plan 9) would make it easier to drive the auth
>   process from plan 9.
>
> Thanks for doing this work, Demetrius!

Oops, realized that I'd left this line in the patch:

	+ imap->flags |= Fdebug;

you'll really want to delete that, or you end up with
a *TON* of debug spew. Updated patch attached.

Content-Transfer-Encoding: quoted-printable

diff bcfee7b54757eb64cade34e476cf0dba672832f6 uncommitted --- a/sys/src/cmd/upas/fs/imap.c +++ b/sys/src/cmd/upas/fs/imap.c @@ -24,6 +24,7 @@ Cnolog =3D 1<<0, Ccram =3D 1<<1, Cntlm =3D 1<<2, + Coauth =3D 1<<3, =20 /* flags */ Fssl =3D 1<<0, @@ -151,7 +152,7 @@ static void imap4cmd(Imap *imap, char *fmt, ...) { - char buf[256], *p; + char buf[1024], *p; va_list va; =20 va_start(va, fmt);
@@ -430,6 +431,8 @@ imap->cap |=3D Ccram; if(strcmp(p, "ntlm") =3D=3D 0) imap->cap |=3D Cntlm; + if(strcmp(p, "xoauth2") =3D=3D 0) + imap->cap |=3D Coauth; }else if(strcmp(t[i], "logindisabled") =3D=3D 0) imap->cap |=3D Cnolog; } @@ -733,6 +736,38 @@ } =20 static char* +imap4oauth(Imap *imap) +{ + char *s, *auth, *enc; + int n; + OAuth *oa; + + if(imap->user =3D=3D nil) + return "user required for oauth"; + oa =3D auth_getoauth(auth_getkey, "proto=3Doauth service=3Dimap ser= ver=3D%q user=3D%q", imap->host, imap->user); + if(oa =3D=3D nil) + return "cannot find IMAP oauth token"; + + imap->tag =3D 1; + if((auth =3D smprint("user=3D%s\x01auth=3DBearer %s\x01\x01", imap-= >user, oa->access_token)) =3D=3D nil) + sysfatal("smprint: %r"); + if((enc =3D smprint("%[", auth) =3D=3D nil) + sysfatal("smprint: %r"); + imap4cmd(imap, "authenticate xoauth2 %s", enc); + free(auth); + free(enc); + free(oa); + s =3D imap4resp(imap); + if(isokay(s)) + return nil; + imap4cmd(imap, ""); + s =3D imap4resp(imap); + if(isokay(s)) + return nil; + return s; +} + +static char* imap4passwd(Imap *imap) { char *s; @@ -762,6 +797,8 @@ e =3D imap4cram(imap); else if(imap->cap & Cntlm) e =3D imap4ntlm(imap); + else if(imap->cap & Coauth) + e =3D imap4oauth(imap); else e =3D imap4passwd(imap); if(e)

Permalink: https://9fans.topicbox.com/groups/9fans/T6899bf3f0654295d-Mbcaea13458be56f2909ea6c3
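Review bot: in the imap4oauth hunk (@@ -733), the line `if((enc = smprint("%[", auth) == nil)` (the attachment is quoted-printable, so `=3D` reads as `=`) is missing the parenthesis that closes the assignment, so `enc` receives the integer result of the comparison instead of the encoded string, and `authenticate xoauth2 %s` is then formatted from that; it should mirror the `auth` line just above it: `if((enc = smprint("%[", auth)) == nil)`. While there, `%[` is passed without a precision, so confirm that the base64 verb installed in upas/fs sizes its input by strlen rather than requiring `%.*[`. Smaller points in the same hunk: `int n;` is declared and never used; `free(auth)` releases the buffer holding the bearer token without clearing it, so a `memset(auth, 0, strlen(auth))` before the free keeps the token out of freed heap memory, which matches the thread's stated goal of keeping tokens inside factotum; and `free(oa)` alone is only enough if auth_getoauth allocates the struct and its strings as one block the way auth_getuserpasswd does, otherwise `oa->access_token` leaks on every login.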
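Review bot: the `char buf[256]` to `char buf[1024]` change in the imap4cmd hunk (@@ -151) keeps a fixed-size line buffer while the new XOAUTH2 path formats a base64 string that grows with the access token; issuers that hand out JWT access tokens can exceed a kilobyte after encoding, so a truncated `authenticate xoauth2` line is still possible and would surface only as an opaque rejection from the server. Either build the command with vsmprint and free it after it is written, or compare the formatted length against the buffer size and return an error instead of sending a partial line.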
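Review bot: the new `else if(imap->cap & Coauth)` branch in the dispatch hunk (@@ -762) picks XOAUTH2 purely from the server's capability list, so a user with an ordinary password key on a server that advertises xoauth2 alongside login now gets "cannot find IMAP oauth token" where the old code fell through to imap4passwd. Since imap4oauth already detects the missing key, have that nil case fall back to imap4passwd (or choose the mechanism from the key factotum actually holds) so existing configurations keep working.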
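The hand edit described above, inserting service=, server= and user= attributes into the `key proto=oauth ...` line that auth/oauth prints so upas/fs can find it, is the step the '-t' suggestion would remove. As an added example (my code, not the thread's or the patch's), here is a small Python helper that does that edit, checks the result before it is written to /mnt/factotum/ctl, and redacts secret attributes when the key is echoed. It assumes factotum's tuple syntax as I understand it: whitespace-separated attr=value pairs, values optionally in single quotes with '' for a literal quote, and a leading '!' marking a secret attribute. The attribute name !access_token and all values in the sample are constructed placeholders, not output from the real tool.

```python
"""Prepare an auth/oauth key line for upas/fs (added example, not project code).

Assumed factotum tuple syntax: whitespace-separated attr=value pairs, values
optionally in single quotes with '' standing for a literal quote, and a
leading '!' marking an attribute whose value factotum treats as secret.
"""
import time


def parse_key(line):
    """Split a 'key attr=value ...' line into an ordered list of (attr, value)."""
    tokens = []
    i, n = 0, len(line)
    while i < n:
        while i < n and line[i].isspace():
            i += 1
        if i >= n:
            break
        word = []
        while i < n and not line[i].isspace():
            if line[i] != "'":
                word.append(line[i])
                i += 1
                continue
            i += 1                      # opening quote
            while True:
                if i >= n:
                    raise ValueError("unterminated quote in key line")
                if line[i] == "'":
                    if i + 1 < n and line[i + 1] == "'":
                        word.append("'")  # '' inside quotes is a literal quote
                        i += 2
                        continue
                    i += 1              # closing quote
                    break
                word.append(line[i])
                i += 1
        tokens.append("".join(word))
    if not tokens or tokens[0] != "key":
        raise ValueError("not a factotum key line")
    pairs = []
    for tok in tokens[1:]:
        attr, sep, value = tok.partition("=")
        if not sep or not attr:
            raise ValueError("bad attribute %r" % tok)
        pairs.append((attr, value))
    return pairs


def quote(value):
    """Quote a value only when factotum would otherwise mis-tokenize it."""
    if value and not any(c.isspace() or c == "'" for c in value):
        return value
    return "'" + value.replace("'", "''") + "'"


def format_key(pairs):
    return "key " + " ".join("%s=%s" % (a, quote(v)) for a, v in pairs)


def add_service(pairs, service, server, user):
    """Insert service=/server=/user= right after proto=, replacing existing ones."""
    out = [(a, v) for a, v in pairs if a not in ("service", "server", "user")]
    at = next((i for i, (a, _) in enumerate(out) if a == "proto"), -1) + 1
    out[at:at] = [("service", service), ("server", server), ("user", user)]
    return out


def check_key(pairs, now=None):
    """Problems that should stop the key from being written, in a fixed order."""
    now = int(time.time()) if now is None else now
    attrs = dict(pairs)
    problems = []
    if attrs.get("proto") != "oauth":
        problems.append("proto is not oauth")
    for a in ("issuer", "client_id", "service", "server", "user"):
        if not attrs.get(a):
            problems.append("missing " + a)
    if attrs.get("token_type", "Bearer") != "Bearer":
        problems.append("unexpected token_type " + attrs["token_type"])
    exp = attrs.get("exptime")
    if exp is None:
        problems.append("missing exptime")
    elif not exp.isdigit() or int(exp) <= now:
        problems.append("exptime invalid or in the past")
    return problems


def redact(pairs):
    """Copy of the key with '!'-prefixed (secret) values hidden, for logs and terminals."""
    return [(a, "<redacted>" if a.startswith("!") else v) for a, v in pairs]


# Constructed sample of what auth/oauth prints; every value is a placeholder.
SAMPLE = ("key proto=oauth issuer=https://accounts.google.com client_id=EXAMPLE-CLIENT-ID "
          "token_type=Bearer exptime=1629662303 scope='https://mail.google.com/ email' "
          "!access_token=EXAMPLE-ACCESS-TOKEN")

if __name__ == "__main__":
    edited = add_service(parse_key(SAMPLE), "imap", "imap.gmail.com", "user@example.com")
    print(format_key(redact(edited)))
    for p in check_key(edited):
        print("problem:", p)
```

The exptime check matters in practice: the sample carries the same 1629662303 expiry as the key in the thread, and an access token written to factotum after that instant will fail XOAUTH2 with an error that looks like a bad credential rather than an expired one.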