From: Florian Weimer
Newsgroups: gmane.emacs.gnus.general
Subject: Re: oauth to be required for gmail
Date: Mon, 23 Dec 2019 11:59:51 +0100
Message-ID: <878sn3qpco.fsf@mid.deneb.enyo.de>
In-Reply-To: <87tv5yxgae.fsf@randomsample> (David Engster's message of "Wed, 18 Dec 2019 08:07:53 +0100")
To: David Engster
Cc: Lars Ingebrigtsen, Robert Pluim, Bob Newell, ding@gnus.org

* David Engster:

> So I wondered: How does Thunderbird do it?
>
> Oh, there are the IDs and secrets:
>
> https://dxr.mozilla.org/comm-central/source/comm/mailnews/base/util/OAuth2Providers.jsm
>
> But it seems if you put a comment above it which says "Don't copy these
> values for your own application--register it yourself", then it's
> fine.
>
> This whole OAuth2 stuff is ridiculous.

Isn't there a different mode for Thunderbird, which performs a regular
web login and can also support third-party authentication for
enterprise accounts? Admittedly, it's been a year or two since I tried
this.

Basically, what seems to happen is that Thunderbird sees the OAuth2
request in the IMAP handshake, starts its internal web browser, and
renders the Google login page. With an enterprise domain, Google then
automatically redirects to the external authentication source (based on
its preconfigured records), which can do any authentication it wants
(e.g., use Kerberos, so that the user doesn't even have to enter a
password), and then redirects back to Google, at which point Google
serves something back via the web browser which can be used to complete
the IMAP handshake.

My point is that it is pretty much impossible to complete that sequence
without a complete, JavaScript-enabled web browser.

But that mode, while ridiculously complex, still isn't as pointless as
the approach with a static password that is not actually secret and thus
does not serve any purpose at all.