On Fri, Aug 19, 2022 at 3:58 PM Jaroslaw Rafa via mailop <[email protected]> wrote:
> On 19.08.2022 at 10:31:32 Brandon Long via mailop writes:
> > I won't say that OAUTH is the perfect solution to all of these issues, but
> > it is definitely an improvement for them.
> > Could TLS client certs have been issued in place of the tokens in these
> > schemes? Maybe? Not sure what it
> > would have gained, though.
>
> It would eliminate the browser from the flow, which is critical for automated
> tools, and I guess OP is talking about such tools.
>
> Think headless systems, and scripts working in the background without direct
> human intervention.

The browser only needs to be in the flow for the initial grant. When I was
working with the gmail oauth tools, it just meant copying & pasting between
the browser and the tool, but I guess that flow is being deprecated (for
Google) due to issues.

https://developers.google.com/identity/protocols/oauth2/resources/oob-migration

OTOH, if you're running on cloud VMs (or other execution environments), you
probably have a mechanism to use the local authority to retrieve oauth tokens
to use as well, i.e. on GCE it's with the metadata server, available on
GCE/GKE/GAE/GCF/CR

https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#applications

hmm, I guess azure & aws have a similar metadata service, but I didn't see
quickly how to do a similar thing.

You can also use mTLS to get oauth keys on Google Cloud:

https://cloud.google.com/architecture/using-mutual-tls-to-obtain-short-lived-credentials

I'm sure all that probably breaks down to access Gmail since you won't have
an account for the service account; we'd need to extend IAM to Apps in some
fashion for that.

Sorry, none of this is helpful to the original poster.

Brandon
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
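The metadata-server token retrieval Brandon mentions for GCE, as an added example (not code from the thread, from Brandon, or from Google). The endpoint URL and the required Metadata-Flavor: Google request header are the documented GCE metadata-server interface; the injectable transport, the fake clock, and the sample JSON response are assumptions made so the example runs offline. The 60-second refresh skew and the MetadataTokenSource class name are this example's own choices, not anything the page or Google specifies.

```python
"""Fetch a short-lived OAuth 2.0 access token from the GCE metadata server.

Added example. Only the URL and the Metadata-Flavor header are documented
GCE behaviour; everything else (transport injection, fake clock, sample
response, refresh skew) is an assumption made so this runs offline.
"""
import json
import time
import urllib.request
from typing import Callable, Optional

# Documented endpoint for the instance's default service account token.
METADATA_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)
# The server refuses requests lacking this header; that is what stops a
# browser redirect or a naive SSRF proxy from fetching the token for an attacker.
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

# Assumption: refresh this many seconds before expiry so an in-flight request
# does not get a 401 from a token that died mid-call.
REFRESH_SKEW = 60


def http_get(url: str, headers: dict) -> bytes:
    """Real transport; only resolves on a GCE/GKE/GAE/GCF/Cloud Run instance."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def parse_token_response(body: bytes, now: float) -> dict:
    """Validate the server's JSON and turn expires_in into an absolute time."""
    data = json.loads(body)
    for key in ("access_token", "expires_in", "token_type"):
        if key not in data:
            raise ValueError(f"metadata token response missing {key!r}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}


class MetadataTokenSource:
    """Caches the token and re-fetches it shortly before it expires."""

    def __init__(self, fetch: Callable[[str, dict], bytes] = http_get,
                 clock: Callable[[], float] = time.time):
        self._fetch, self._clock = fetch, clock
        self._cached: Optional[dict] = None
        self.fetch_count = 0  # visible so callers can observe cache behaviour

    def token(self) -> str:
        now = self._clock()
        if self._cached is None or now >= self._cached["expires_at"] - REFRESH_SKEW:
            self.fetch_count += 1
            self._cached = parse_token_response(
                self._fetch(METADATA_URL, METADATA_HEADERS), now)
        return self._cached["access_token"]

    def bearer_header(self) -> dict:
        """Authorization header for an outbound Google API call."""
        return {"Authorization": f"Bearer {self.token()}"}


# Constructed sample reply, shaped like the real one; the token value is fake.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ya29.EXAMPLE-TOKEN",
    "expires_in": 3599,
    "token_type": "Bearer",
}).encode()


def demo() -> list:
    """Offline walk-through: returns fetch_count after each of three calls."""
    clock = {"now": 1_000_000.0}

    def fake_fetch(url, headers):
        # Mimic the real server: no Metadata-Flavor header, no token.
        assert headers.get("Metadata-Flavor") == "Google"
        assert url == METADATA_URL
        return SAMPLE_RESPONSE

    src = MetadataTokenSource(fetch=fake_fetch, clock=lambda: clock["now"])
    counts = []
    src.token(); counts.append(src.fetch_count)   # first call fetches
    clock["now"] += 1800
    src.token(); counts.append(src.fetch_count)   # still valid, served from cache
    clock["now"] += 1800                          # 3600 s in: inside the skew window
    src.token(); counts.append(src.fetch_count)   # refreshed
    return counts


if __name__ == "__main__":
    print(demo())
```

On a real instance, construct MetadataTokenSource() with no arguments and put bearer_header() on the request; the metadata server itself caches and rotates the token, so client-side caching mainly saves the local round trip and keeps the refresh ahead of expiry.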
