Message-ID: <7EA3DC247AC9813D5F4838AB2791F295@eigenstate.org>
To: 9fans@9fans.net
Subject: Re: [9fans] OAuth2 in factotum
Date: Tue, 17 Aug 2021 00:13:45 -0400
From: ori@eigenstate.org

[full disclosure, I've been involved in this as a gsoc mentor;
moving discussion to public list.]

These are the two main sticking points, IMO.

Quoth Demetrius Iatrakis:
> Only the device and refresh flows are supported. There is an
> implementation of the authorization code flow (tested on macOS) here:
> https://github.com/Mitsos101/plan9port/pull/1. However, it is not
> included in the module as there is no good browser to plumb the URL
> to.

First off, for those following along at home, device flow
is a browserless way of using oauth, but providers appear
to often limit it beyond the point of usefulness, so we'd need
to find a way to make factotum communicate with a browser
in order to get the tokens in.
Sadly, even the netsurf port isn't enough browser to run
Google's oauth login page.

So, the question here becomes how to glue in a helper
program between factotum and oauth. There are a few
options -- using the plumber in both directions will
work, but it's a bit gross -- and involves broadcasting
the tokens.

The only real alternative I can imagine is having a
special file that factotum calls out to in the namespace,
something like:

    /rc/bin/oauth-helper:
        #!/bin/rc
        ssh user@unix invoke-browser-and-get-token-helper

> Refresh tokens are not saved to persistent storage when factotum
> exits. The user must provide consent every time factotum is restarted.

For this, the tokens should probably be persisted into
secstore -- but there are some security implications in
giving factotum long-lived access to the persistent key
store.

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T6899bf3f0654295d-M4a39ddac185f3a4de8c91e0a
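
The device flow mentioned in the message above needs no browser on the client because the client only polls the token endpoint until the user approves elsewhere. The sketch below is an added example, not part of the message and not factotum or plan9port code: it implements the polling rules of RFC 8628 section 3.5 over a constructed list of replies, and the names devpoll, Reply and sample are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Outcome of one device-flow polling session (RFC 8628, section 3.5). */
enum { GRANTED, DENIED, EXPIRED, FAILED };
/* One token-endpoint reply: err is NULL on success, else its "error" field. */
typedef struct { const char *err, *token; } Reply;

/* Walk a scripted list of replies (constructed data standing in for the
 * HTTP polls). interval and expires come from the device authorization
 * response; *waited counts the seconds a real client would have slept. */
int devpoll(const Reply *r, int n, int interval, int expires, int *waited, const char **tok)
{
	int i;

	*waited = 0;
	*tok = NULL;
	for(i = 0; i < n; i++){
		*waited += interval;	/* sleep(interval) in a real client */
		if(*waited > expires)
			return EXPIRED;	/* device_code lifetime is over */
		if(r[i].err == NULL){
			*tok = r[i].token;
			return GRANTED;
		}
		if(strcmp(r[i].err, "slow_down") == 0)
			interval += 5;	/* back off by 5 seconds, keep polling */
		else if(strcmp(r[i].err, "access_denied") == 0)
			return DENIED;
		else if(strcmp(r[i].err, "expired_token") == 0)
			return EXPIRED;
		else if(strcmp(r[i].err, "authorization_pending") != 0)
			return FAILED;	/* unknown error: stop, do not retry */
	}
	return FAILED;	/* script ended without a final answer */
}

/* Constructed sequence: pending, slow_down, pending, then success. */
static const Reply sample[] = {
	{"authorization_pending", NULL}, {"slow_down", NULL},
	{"authorization_pending", NULL}, {NULL, "constructed-access-token"},
};

int main(void)
{
	int waited;
	const char *tok;
	int rc = devpoll(sample, 4, 5, 1800, &waited, &tok);
	printf("result=%d waited=%ds token=%s\n", rc, waited, tok ? tok : "-");
	return 0;
}
```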