Howdy all, I've been meaning to look at the xoauth2 branch for a long time now, so I finally sat down to look at it. I had a few questions; I guess Eric is probably the best person to answer them, but if anyone else knows the answers then feel free to speak up.
- From looking at the protocol document and the source code, it seems that (using RFC 6749 terminology) mhlogin gets an OAuth Authorization Grant (involving the user's browser), and then uses it to get an access token and a refresh token, and stores those in a credential file (by default: oauth-gmail). Is that correct? Under what circumstances will the refresh token be invalidated?

- If the access token is old, the refresh token is used to get a new one. When you have an up-to-date access token, it's used to construct the SASL exchange for the XOAUTH2 mechanism. Is that correct?

In terms of the implementation ... I see only one wart that I dislike. It looks like the access token is constructed by send(1) and passed down in base64-encoded form to post(8) via the -authservice switch. I really think it would be preferable to just pass down the 'real' authservice flag and have post(8) (well, probably the SMTP code) construct the access token. If there's a reason it's done the way it is now, I would like to understand it.

I think it's almost ready to go; do others agree?

--Ken

_______________________________________________
Nmh-workers mailing list
https://lists.nongnu.org/mailman/listinfo/nmh-workers
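As an added illustration of the SASL exchange discussed above (example code, not from nmh or from this thread), this builds the XOAUTH2 initial client response from a user name and access token, and decodes and checks the base64 form that one layer (send(1) in the branch) would hand to another (post(8)); the user and token values are constructed placeholders.

```python
import base64
import re

# Constructed sample values (not from the thread): a mailbox and an opaque bearer token.
SAMPLE_USER = "someone@example.com"
SAMPLE_TOKEN = "ya29.EXAMPLE-ACCESS-TOKEN"

# XOAUTH2 initial client response layout, where \x01 is the ^A byte:
#   "user=" <user> ^A "auth=Bearer " <token> ^A ^A
_RESPONSE_RE = re.compile(
    rb"\Auser=(?P<user>[^\x01]+)\x01auth=Bearer (?P<token>[^\x01]+)\x01\x01\Z"
)


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Build the raw (un-encoded) XOAUTH2 initial client response."""
    if "\x01" in user or "\x01" in access_token:
        # The ^A separator must not appear inside either field.
        raise ValueError("0x01 byte not allowed in user or access token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_sasl_line(user: str, access_token: str) -> str:
    """Base64 form as sent after 'AUTH XOAUTH2' (and as the branch passes to post(8))."""
    return base64.b64encode(xoauth2_initial_response(user, access_token)).decode("ascii")


def parse_xoauth2_sasl_line(line: str) -> tuple[str, str]:
    """Decode a base64 XOAUTH2 response and recover (user, token).

    Rejects anything that is not strict base64 or does not match the
    mechanism's layout, so a receiving layer can validate what it was handed.
    """
    try:
        raw = base64.b64decode(line, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("not valid base64") from exc
    m = _RESPONSE_RE.match(raw)
    if m is None:
        raise ValueError("not a well-formed XOAUTH2 initial response")
    return m["user"].decode("utf-8"), m["token"].decode("utf-8")


if __name__ == "__main__":
    wire = xoauth2_sasl_line(SAMPLE_USER, SAMPLE_TOKEN)
    # The wire form is a bearer credential in thin disguise; treat it like the token itself.
    print("user, token recovered:", parse_xoauth2_sasl_line(wire))
```

The base64 layer adds no protection, so the encoded line handed between processes is as sensitive as the access token and should be kept out of logs and command lines visible to other users.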
