From: Lucio De Re
Date: Tue, 17 Aug 2021 07:43:19 +0200
Subject: Re: [9fans] OAuth2 in factotum
To: 9fans <9fans@9fans.net>
In-Reply-To: <7EA3DC247AC9813D5F4838AB2791F295@eigenstate.org>

On 8/17/21, ori@eigenstate.org wrote:
> [full disclosure, I've been involved in this as a gsoc
> mentor; moving discussion to public list.]
>
> These are the two main sticking points, IMO.
>
> Quoth Demetrius Iatrakis :
>> Only the device and refresh flows are supported. There is an
>> implementation of the authorization code flow (tested on macOS) here:
>> https://github.com/Mitsos101/plan9port/pull/1. However, it is not
>> included in the module as there is no good browser to plumb the URL
>> to.
>
> First off, for those following along at home, device
> flow is a browserless way of using oauth, but providers
> appear to often limit it beyond the point of usefulness, so
> we'd need to find a way to make factotum communicate
> with a browser in order to get the tokens in.
>
> Sadly, even the netsurf port isn't enough browser to run
> Google's oauth login page.
>
> So, the question here becomes how to glue in a helper
> program between factotum and oauth.
>
> There are a few options -- using the plumber in both
> directions will work, but it's a bit gross -- and
> involves broadcasting the tokens.
>
> The only real alternative I can imagine is having a
> special file that factotum calls out to in the namespace,
> something like:
>
> /rc/bin/oauth-helper:
>
> #!/bin/rc
> ssh user@unix invoke-browser-and-get-token-helper
>
>> Refresh tokens are not saved to persistent storage when factotum
>> exits. The user must provide consent every time factotum is restarted.
>
> For this, the tokens should probably be persisted into
> secstore -- but there are some security implications
> in giving factotum long-lived access to the persistent key
> store.

-- 
Lucio De Re
2 Piet Retief St
Kestell (Eastern Free State)
9860 South Africa
Ph.: +27 58 653 1433
Cell: +27 83 251 5824

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T6899bf3f0654295d-Ma225d00818d7370c67285bcf
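The device flow that the quoted message calls a browserless way of using OAuth, worked through as an added example (not factotum's code and not from the plan9port pull request): the provider, client id and every token value are constructed stand-ins so the client runs offline, and the poll loop handles the authorization_pending, slow_down and terminal-error cases of RFC 8628.

```python
import time

class FakeProvider:
    """Constructed stand-in for an OAuth2 provider (not a real endpoint).
    The first `pending` polls answer authorization_pending; poll number
    `slow_at` (if set) answers slow_down; after that it returns `error`
    if given, else a token response carrying a refresh_token."""
    def __init__(self, pending=2, slow_at=None, error=None):
        self.pending, self.slow_at, self.error = pending, slow_at, error
        self.polls = 0

    def device_authorization(self, client_id, scope):
        # Shape of an RFC 8628 3.2 device authorization response; values constructed
        return {"device_code": "dev-code-constructed", "user_code": "ABCD-EFGH",
                "verification_uri": "https://example.invalid/device",
                "interval": 5, "expires_in": 600}

    def token(self, client_id, device_code):
        self.polls += 1
        if self.polls == self.slow_at:
            return {"error": "slow_down"}
        if self.polls <= self.pending:
            return {"error": "authorization_pending"}
        if self.error:
            return {"error": self.error}
        return {"access_token": "at-constructed", "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": "rt-constructed"}

def device_flow(provider, client_id, scope, sleep=time.sleep):
    """Run the device flow against `provider`: obtain a user code, tell the
    user where to enter it, then poll the token endpoint at the advertised
    interval, backing off on slow_down and stopping on a terminal error or
    expiry. Returns the token response; its refresh_token is the value the
    thread wants kept across factotum restarts, and the only part worth
    persisting (the access token is short-lived)."""
    auth = provider.device_authorization(client_id, scope)
    print(f"visit {auth['verification_uri']} and enter code {auth['user_code']}")
    interval = auth.get("interval", 5)
    deadline = time.monotonic() + auth["expires_in"]
    while time.monotonic() < deadline:
        resp = provider.token(client_id, auth["device_code"])
        err = resp.get("error")
        if err is None:
            return resp
        if err == "slow_down":            # RFC 8628 3.5: add 5 s to the interval
            interval += 5
        elif err != "authorization_pending":
            raise RuntimeError(f"device flow failed: {err}")
        sleep(interval)
    raise TimeoutError("device_code expired before the user authorized")
```

The `sleep` parameter is injected so the loop can be exercised without waiting; a real client would leave the default and POST to the provider's endpoints over HTTPS.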