To: 9fans@9fans.net, 9front@9front.org
Subject: Re: [9fans] OAuth2 in factotum
Date: Sun, 22 Aug 2021 16:16:58 -0400
From: ori@eigenstate.org

Quoth Demetrius Iatrakis:
> This is a preview of OAuth2 support in factotum, as part of this year's GSoC:
> https://github.com/Mitsos101/plan9front/pull/1
>
> Installation, on 9front:
>
> git/clone https://github.com/Mitsos101/plan9front plan9front-oauth
> cd plan9front-oauth
> git/branch oauth
> bind sys/include /sys/include
> @{cd sys/src/libauth && mk install}
> @{cd sys/src/cmd/auth && mk install}
> @{cd sys/src/cmd/webfs && mk install}
>
> This will replace your factotum.
>
> Usage:
>
> You need to obtain OAuth credentials from your issuer first. See, for
> example, Google's guide:
> https://developers.google.com/identity/protocols/oauth2.
>
> % echo 'key proto=oauth issuer=https://accounts.google.com scope=email
> client_id=1234 !client_secret=5678' > /mnt/factotum/ctl
> % auth/oauth 'client_id=1234'
> go to https://google.com/device
> your code is ABCD-EFGH
>
> auth_oauth is also available in libauth. Webfs uses it to implement
> the preoauth command.
>
> Bugs:
>
> This code is specific to 9front, as libjson is required and Plan 9's
> webfs doesn't support preoauth.
>
> factotum uses the needkey RPC to display the verification URL and code
> to the user. This means that, for now, the needkey file must not be
> open so that fgui doesn't intercept it.
>
> The module imports lots of code to support HTTP/1.0 so that the
> refresh token doesn't leave factotum's address space.
>
> Only the device and refresh flows are supported. There is an
> implementation of the authorization code flow (tested on macOS) here:
> https://github.com/Mitsos101/plan9port/pull/1. However, it is not
> included in the module as there is no good browser to plumb the URL
> to.
>
> Refresh tokens are not saved to persistent storage when factotum
> exits. The user must provide consent every time factotum is restarted.

And, now that we have something working, I wrote some code to use it.
I wrote a patch to add oauth support to upas/fs -- see attached:

To use the patch, I followed this kind of clunky process:

https://developers.google.com/identity/protocols/oauth2

I went to the 'credentials' section on the sidebar and I created a key
for a 'desktop application'; then I went to the 'oauth consent screen'
and added my work email account as a 'test user'.

I grabbed the keys, and on my unix box, went to the patched oauth:

    % cd $HOME/src/plan9port/src/cmd/oauth

and generated a key using the full, browser based auth flow:

    % python httpd.py
    % ./oauth https://accounts.google.com https://mail.google.com/ $clientkey $clientsecret
    key proto=oauth issuer=https://accounts.google.com client_id=72...

then edited the resulting output to include the appropriate attributes,
adding the attributes in >>...<< for upas/fs:

    key proto=oauth >>service=imap server=imap.gmail.com user=ori@pingthings.io<< issuer=https://accounts.google.com client_id= token_type=Bearer exptime=1629662303 scope=...

and then added that to factotum:

    echo key=... >/mnt/factotum/ctl

With that, upas/fs just worked with my work email:

    upas/fs -f /imaps/imap.gmail.com/ori@pingthings.io

Bugs: there are way too many steps. Unfortunately, the most annoying one
is generating and adding an oauth client key/secret, and short of
shipping a pregenerated one (is that a good idea?), I don't think
there's a solution.

Beyond that, 2 small bits of polish which I think we can do:

- Adding a '-t' flag to oauth (the way auth/rsa does) to add type
  information to auth/oauth login would make it more convenient to use:
  the output could be stored directly rather than needing editing.

- Adding a script that allows spawning a browser and http listener on
  unix (or redirecting things through to plan 9) would make it easier
  to drive the auth process from plan 9.

Thanks for doing this work, Demetrius!

diff bcfee7b54757eb64cade34e476cf0dba672832f6 uncommitted --- a/sys/src/cmd/upas/fs/imap.c +++ b/sys/src/cmd/upas/fs/imap.c @@ -24,6 +24,7 @@ Cnolog =3D 1<<0, Ccram =3D 1<<1, Cntlm =3D 1<<2, + Coauth =3D 1<<3, =20 /* flags */ Fssl =3D 1<<0, @@ -151,7 +152,7 @@ static void imap4cmd(Imap *imap, char *fmt, ...) { - char buf[256], *p; + char buf[1024], *p; va_list va; =20 va_start(va, fmt); @@ -430,6 +431,8 @@ imap->cap |=3D Ccram; if(strcmp(p, "ntlm") =3D=3D 0) imap->cap |=3D Cntlm; + if(strcmp(p, "xoauth2") =3D=3D 0) + imap->cap |=3D Coauth; }else if(strcmp(t[i], "logindisabled") =3D=3D 0) imap->cap |=3D Cnolog; }
@@ -733,6 +736,38 @@ } =20 static char* +imap4oauth(Imap *imap) +{ + char *s, *auth, *enc; + int n; + OAuth *oa; + + if(imap->user =3D=3D nil) + return "user required for oauth"; + oa =3D auth_getoauth(auth_getkey, "proto=3Doauth service=3Dimap ser= ver=3D%q user=3D%q", imap->host, imap->user); + if(oa =3D=3D nil) + return "cannot find IMAP oauth token"; + + imap->tag =3D 1; + if((auth =3D smprint("user=3D%s\x01auth=3DBearer %s\x01\x01", imap-= >user, oa->access_token)) =3D=3D nil) + sysfatal("smprint: %r"); + if((enc =3D smprint("%[", auth) =3D=3D nil) + sysfatal("smprint: %r"); + imap4cmd(imap, "authenticate xoauth2 %s", enc); + free(auth); + free(enc); + free(oa); + s =3D imap4resp(imap); + if(isokay(s)) + return nil; + imap4cmd(imap, ""); + s =3D imap4resp(imap); + if(isokay(s)) + return nil; + return s; +} + +static char* imap4passwd(Imap *imap) { char *s; @@ -762,6 +797,8 @@ e =3D imap4cram(imap); else if(imap->cap & Cntlm) e =3D imap4ntlm(imap); + else if(imap->cap & Coauth) + e =3D imap4oauth(imap); else e =3D imap4passwd(imap); if(e) @@ -1165,6 +1202,7 @@ imap->host =3D f[2]; if(strstr(imap->host, "gmail.com")) imap->flags |=3D Fgmail; + imap->flags |=3D Fdebug; imap->refreshtime =3D 60; if(nf < 4) imap->user =3D nil;

Permalink: https://9fans.topicbox.com/groups/9fans/T6899bf3f0654295d-M539f47f30599e6cfecb3adb9
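Review bot: in the imap4cmd hunk (@@ -151,7 +152,7 @@) the buffer grows from `char buf[256], *p;` to `char buf[1024], *p;` with nothing saying why; the reason is the new AUTHENTICATE XOAUTH2 command, whose one argument is the base64 of the user name plus the whole bearer token, so put that in a comment or a named constant. The hunk does not show how buf is filled: confirm the formatting into buf is bounded (vseprint-style rather than vsprint) and that an over-long command is reported as an error instead of being sent truncated, since a token longer than the remaining space would otherwise give a silently broken login.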
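Review bot: in the imap4oauth hunk (@@ -733,6 +736,38 @@) the base64 step is mis-parenthesised: `if((enc =3D smprint("%[", auth) =3D=3D nil)` (quoted-printable for `if((enc = smprint("%[", auth) == nil)`) stores the result of the comparison in enc, so enc is 0 or 1, the encoded string is leaked, and both `imap4cmd(imap, "authenticate xoauth2 %s", enc);` and `free(enc);` receive that integer; it should read `if((enc = smprint("%[", auth)) == nil)`. Further on the same hunk: `int n;` is declared and never used; the `%[` verb only works once encodefmt has been installed with fmtinstall in this process, which the hunk cannot show; `auth` and `enc` hold the bearer token in cleartext until they are freed, so clear them before the free; and `free(oa);` is right only if auth_getoauth returns the OAuth struct and its access_token as one allocation, which should be checked against the libauth side of the change.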
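Review bot: in the mechanism-selection hunk (@@ -762,6 +797,8 @@) the new `else if(imap->cap & Coauth)` is reached only when neither Ccram nor Cntlm is set, so a server that advertises CRAM-MD5 or NTLM alongside XOAUTH2 never gets to imap4oauth, and an account that has only a proto=oauth key in factotum fails inside imap4cram with no fallback; consider choosing the mechanism by which key factotum actually holds (or ordering Coauth ahead of the password-derived mechanisms) and falling through to the next mechanism when one returns an error.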
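Review bot: in the last hunk (@@ -1165,6 +1202,7 @@) `+ imap->flags |=3D Fdebug;` is applied unconditionally to every mailbox right after the Gmail-specific flag, which reads as leftover debugging; the hunk does not show what Fdebug enables, but if it traces the protocol exchange that trace now includes the AUTHENTICATE XOAUTH2 line carrying the bearer token, so drop this line before committing or tie it to the existing debug option.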
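The key-editing step in the mail (inserting service=, server= and user= after proto=oauth in the line auth/oauth prints, and checking the exptime attribute) as an added example that is not code from the patch, auth/oauth or upas/fs: a Python helper that parses a factotum key line with Plan 9 tokenize(2) quoting, adds the upas/fs attributes without overwriting existing ones, and reports whether the token has expired. It assumes exptime is Unix seconds, and the sample line is constructed with placeholder ids and secret.

```python
import time
# Constructed sample of the line auth/oauth prints; the id and secret are placeholders.
SAMPLE = ("key proto=oauth issuer=https://accounts.google.com client_id=CLIENT_ID_PLACEHOLDER"
          " token_type=Bearer exptime=1629662303 scope='https://mail.google.com/ email' !client_secret=CLIENT_SECRET_PLACEHOLDER")

def tokenize(line):
    # Plan 9 tokenize(2): whitespace splits, '...' groups, '' inside quotes is one quote.
    toks, cur, quoted, i = [], None, False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "'" and line[i + 1:i + 2] == "'":
            cur, i = cur + "'", i + 1
        elif c == "'":
            quoted, cur = not quoted, (cur or "")
        elif c.isspace() and not quoted:
            toks, cur = (toks + [cur] if cur is not None else toks), None
        else:
            cur = (cur or "") + c
        i += 1
    return toks + [cur] if cur is not None else toks

def parse_key(line):
    # Ordered (name, value) pairs; the '!' marking a secret stays on the name.
    toks = tokenize(line)
    if not toks or toks[0] != "key" or any("=" not in t for t in toks[1:]):
        raise ValueError("not a factotum key line: " + line)
    return [tuple(t.split("=", 1)) for t in toks[1:]]

def quote(v):  # quote only values tokenize would otherwise split or misread
    return v if v and not any(c.isspace() or c == "'" for c in v) else "'%s'" % v.replace("'", "''")

def add_upasfs_attrs(line, server, user, service="imap"):
    # The hand edit from the mail: service/server/user go right after proto=oauth;
    # an attribute already present with a different value is an error, not overwritten.
    attrs, want = parse_key(line), [("service", service), ("server", server), ("user", user)]
    have = dict(attrs)
    if have.get("proto") != "oauth":
        raise ValueError("not an oauth key")
    clash = [n for n, v in want if have.get(n, v) != v]
    if clash:
        raise ValueError("key already has other values for: " + ", ".join(clash))
    at = [n for n, _ in attrs].index("proto") + 1
    out = attrs[:at] + [(n, v) for n, v in want if n not in have] + attrs[at:]
    return "key " + " ".join("%s=%s" % (n, quote(v)) for n, v in out)

def token_expired(line, now=None):
    # exptime read as Unix seconds (assumption); missing/malformed counts as expired.
    try:
        return int(dict(parse_key(line))["exptime"]) <= (time.time() if now is None else now)
    except (KeyError, ValueError):
        return True
```

Run against the mail's own exptime=1629662303, the token was already past its expiry at the Date of the message, which is the case upas/fs has to cope with when factotum restarts without persisted refresh tokens.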