Bug#905551: mutt: add OAUTHBEARER auth support

2018-08-07 Thread Jonathan Nieder
Debian Bug Tracking System wrote:

> Version: 1.10.1-2
> Closes: 905551

\o/ Thanks for the quick turnaround.



Bug#905551: mutt: add OAUTHBEARER auth support

2018-08-05 Thread Jonathan Nieder
Jonathan Nieder wrote:

> I'll send a debdiff in a separate message.

Patch attached.  Thoughts of all kinds welcome.
From 31e72e18b9a9c97d67b685bbbe5b1278f5381835 Mon Sep 17 00:00:00 2001
From: Jonathan Nieder 
Date: Sun, 5 Aug 2018 17:32:40 -0700
Subject: Apply Brandon Long's oauthbearer patches

---
 debian/changelog  |  11 +
 debian/patches/series |   3 +
 .../upstream/905551-oauthbearer-imap.patch| 237 +
 .../upstream/905551-oauthbearer-refresh.patch | 467 ++
 .../upstream/905551-oauthbearer-smtp.patch| 190 +++
 5 files changed, 908 insertions(+)
 create mode 100644 debian/patches/upstream/905551-oauthbearer-imap.patch
 create mode 100644 debian/patches/upstream/905551-oauthbearer-refresh.patch
 create mode 100644 debian/patches/upstream/905551-oauthbearer-smtp.patch

diff --git a/debian/changelog b/debian/changelog
index cc82620c..8dc191d7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+mutt (1.10.1-2) UNRELEASED; urgency=low
+
+  * debian/patches:
++ added upstream patches for OAUTHBEARER support by Brandon Long
+  (Closes: #905551).
+  + upstream/905551-oauthbearer-imap.patch
+  + upstream/905551-oauthbearer-smtp.patch
+  + upstream/905551-oauthbearer-refresh.patch
+
+ -- Jonathan Nieder   Sun, 05 Aug 2018 17:31:32 -0700
+
 mutt (1.10.1-1) unstable; urgency=medium
 
   * New upstream release.
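Review bot: the sub-item `++ added upstream patches for OAUTHBEARER support by Brandon Long` sits at column 0 inside the hunk (the content line starts with `+ added`), while the three `  + upstream/...` file lines below it are indented two spaces; Debian changelog body lines must be indented, so as quoted this entry would not parse. Suggest `    + added upstream patches for OAUTHBEARER support by Brandon Long` under `  * debian/patches:`, with the three file names nested under it at the same depth. `UNRELEASED` is right for a debdiff the maintainer will finish off. The trailer line `-- Jonathan Nieder   Sun, 05 Aug 2018 17:31:32 -0700` shows no `<email>` here; if that is not just this archive stripping angle brackets, it needs one before upload.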
diff --git a/debian/patches/series b/debian/patches/series
index a19d2d26..12be8181 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,6 @@ debian-specific/828751-pinentry-gpg2-support.patch
 misc/gpg.rc-paths.patch
 misc/smime.rc.patch
 upstream/528233-readonly-open.patch
+upstream/905551-oauthbearer-imap.patch
+upstream/905551-oauthbearer-smtp.patch
+upstream/905551-oauthbearer-refresh.patch
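Review bot: the order imap, smtp, refresh matches the upstream commit chronology listed in the bug report (798f749e, fcd33398, 98cc4236), and it has to stay that way, since the first patch's description says it adds no new configuration and uses a backticked `imap_pass`, whereas the configuration in the report relies on `imap_oauth_refresh_command` and `smtp_oauth_refresh_command`, which only exist once the later patches are applied. Worth a one-line comment in `debian/patches/series` or the changelog saying the three are a set.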
diff --git a/debian/patches/upstream/905551-oauthbearer-imap.patch b/debian/patches/upstream/905551-oauthbearer-imap.patch
new file mode 100644
index ..06159d1c
--- /dev/null
+++ b/debian/patches/upstream/905551-oauthbearer-imap.patch
@@ -0,0 +1,237 @@
+From: Brandon Long 
+Date: Mon, 11 Jun 2018 10:39:49 -0700
+Subject: Initial support for OAUTHBEARER for IMAP.
+
+commit 798f749eeeb98ed04028521a2eb3e505c1a83574 upstream.
+
+Gmail supports RFC 7628 for using OAUTH with IMAP, and they really don't
+like you using password based auth.  You can still enable "less secure
+apps" and then generate an application specific password, but I figured it
+was time to support it.
+
+Being mutt, I punted on some of the "hard" work to an external script, ie
+getting/refreshing the OAUTH tokens.  This avoids the issue of how do you
+have a client-id and client-secret for an open source project, and the fact
+that OAUTH discovery is still nascent, so you'd likely need separate things
+for each of the providers.
+
+At least for Gmail, you can use the oauth2.py script from Google's
+gmail-oauth2-tools:
+https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py
+
+You'd need to get your own oauth client credentials for Gmail here:
+https://console.developers.google.com/apis/credentials
+
+Then, you'd use oauth2.py with --generate_oauth2_token to get a refresh
+token, and configure mutt with:
+
+set imap_authenticators="oauthbearer"
+set imap_user=""
+set imap_pass=`/path/to/oauth2.py --quiet --user=
+--client_id= --client_secret=
+--refresh_token=`
+
+For this patch, I didn't add any new configuration, but I'm open to
+suggestions on that.
+
+The patch also only support SASL-IR to reduce round-trips to the server,
+but it's certainly possible to change that if we think there are
+OAUTHBEARER IMAP servers that don't support SASL-IR.  It also requires the
+connection to be encrypted as the access token is re-usable for an hour or
+so.  Again, Gmail only allows encrypted IMAP connections, not sure if any
+OAUTHBEARER services allow non-encrypted.
+
+Turns out that auth failure leaves you in SASL mode, so I have a hack to
+issue a noop command on error.  Not sure if that's just OAUTHBEARER
+oddness, or whether I should be using lower level mutt imap functions.
+---
+ imap/Makefile.am|   7 +--
+ imap/auth.c |   1 +
+ imap/auth.h |   1 +
+ imap/auth_oauth.c   | 104 
+ imap/command.c  |   1 +
+ imap/imap_private.h |   1 +
+ 6 files changed, 112 insertions(+), 3 deletions(-)
+ create mode 100644 imap/auth_oauth.c
+
+diff --git a/imap/Makefile.am b/imap/Makefile.am
+index 527b044f..199f6d6b 100644
+--- a/imap/Makefile.am
 b/imap/Makefile.am
+@@ -13,12 +13,13 @@ else
+ AUTHENTICATORS = auth_anon.c auth_cram.c
+ endif
+ 
+-EXTRA_DIST = README TODO auth_anon.c auth_cram.c auth_gss.c auth_sasl.c
++EXTRA_DIST = README TODO auth_anon.c auth_cram.c auth_gss.c auth_oauth.c \
++	auth_sasl.c
+ 
+ AM_CPPFLAGS = -I$(top_srcdir) -I../intl
+ 
+ noinst_LIBRARIES = libimap.a
+ noinst_HEADERS = auth.h imap_private.h 
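Review bot: the quoted patch file stops in the middle of its first `imap/Makefile.am` hunk; the diffstat above it promises 237 lines including `imap/auth_oauth.c` (104 lines), `auth.c`, `auth.h`, `command.c` and `imap_private.h`, none of which appear here, so the mechanism itself cannot be reviewed from this message. Please attach the complete debdiff or point at a branch. As quoted, the line reading ` b/imap/Makefile.am` has lost its `++++` prefix; if the file on disk looks like that rather than this being an archive artifact, the nested patch will not apply. The header carries `From:`, `Date:`, `Subject:` and `commit 798f749eeeb98ed04028521a2eb3e505c1a83574 upstream.` but no DEP-3 fields; suggest adding `Origin: upstream, commit:798f749eeeb98ed04028521a2eb3e505c1a83574` and `Bug-Debian: https://bugs.debian.org/905551` so the tooling can track it. Lastly, the description's note that an authentication failure "leaves you in SASL mode" and is papered over with a NOOP deserves a comment at the spot in `auth_oauth.c`, and is worth checking against RFC 7628 section 3.2.3, which expects the client to answer the server's error challenge with a single ^A to end the exchange; if that is the cause, the NOOP hack can go.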

Bug#905551: mutt: add OAUTHBEARER auth support

2018-08-05 Thread Jonathan Nieder
Package: mutt
Version: 1.10.1-1
Severity: wishlist
Tags: upstream patch fixed-upstream

Hi,

As described in
http://lists.mutt.org/pipermail/mutt-dev/Week-of-Mon-20180611/000121.html,
Gmail supports RFC 7628 for oauth as a way of avoiding password based
auth.  Applying three upstream patches gets mutt to support this
reasonably well:

1. 798f749eeeb98ed04028521a2eb3e505c1a83574 (Initial support for
   OAUTHBEARER for IMAP, 2018-06-11)

2. fcd333986c0d15dec67870b7b74fef0e00e8c28b (Support for using
   OAUTHBEARER for smtp, 2018-06-12)

3. 98cc42365ac97b0dfeafadf5561043e06744fcf6 (Improve OAUTHBEARER
   support, 2018-06-26)

I'm running with those now, with the following configuration:

  set from=@gmail.com
  set folder=imaps://@gmail@imap.gmail.com/
  set smtp_url=smtps://@gmail@smtp.gmail.com:465/
  set spoolfile==INBOX
  set imap_authenticators="oauthbearer"
  set imap_user="@gmail.com"
  set imap_oauth_refresh_command="$HOME/bin/oauth2.py --quiet --user=@gmail.com --client_id= --client_secret= --refresh_token="
  set smtp_authenticators="oauthbearer"
  set smtp_oauth_refresh_command="$HOME/bin/oauth2.py --quiet --user=@gmail.com --client_id= --client_secret= --refresh_token="

It works like a charm.  oauth2.py is [1].   is $USER.  ,
, and  were generated following the
instructions at [2].

All three patches are in mutt "master", but I don't know how long it
will be until the next upstream release.  What do you think of
applying the patches in the meantime?  I'll send a debdiff in a
separate message.

Thanks,
Jonathan

[1] python/oauth2.py in https://github.com/google/gmail-oauth2-tools
[2] https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough#creating-and-authorizing-an-oauth-token
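The thread leans on three points about RFC 7628 that are easy to get wrong when reading the patches: the exact shape of the OAUTHBEARER initial client response mutt sends with SASL-IR, why the patch refuses to use the mechanism on an unencrypted connection (the bearer token is replayable for as long as it is valid), and what the server expects after a failed attempt, which is what the "auth failure leaves you in SASL mode" remark is about. The following is an added worked example, not mutt's code and not part of oauth2.py: it builds and parses the initial response, drives a constructed fake IMAP server through both the success and the failure path, and shows the single ^A (base64 `AQ==`) the client must send to end a failed exchange. The user name, host, token values and the server's error JSON are all constructed.

```python
"""RFC 7628 OAUTHBEARER over IMAP with a SASL initial response (RFC 4959).
Added example; the fake server and every value below are constructed."""
import base64
import json

# RFC 7628 section 3.2.3: after an error challenge the client's final message
# is a single ^A (0x01); base64 of that is "AQ==".
ABORT_RESPONSE_B64 = base64.b64encode(b"\x01").decode("ascii")


def _saslname_escape(name: str) -> str:
    # RFC 5801 GS2 'saslname': '=' and ',' are written as =3D and =2C.
    return name.replace("=", "=3D").replace(",", "=2C")


def _saslname_unescape(name: str) -> str:
    return name.replace("=2C", ",").replace("=3D", "=")


def build_initial_response(user: str, host: str, port: int, access_token: str) -> str:
    """Base64 SASL-IR for OAUTHBEARER (RFC 7628 section 3.1):
    n,a=<authzid>,^Ahost=<host>^Aport=<port>^Aauth=Bearer <token>^A^A"""
    if any(c in access_token for c in "\x01 "):
        raise ValueError("access token must not contain ^A or spaces")
    msg = (f"n,a={_saslname_escape(user)},\x01"
           f"host={host}\x01port={port}\x01"
           f"auth=Bearer {access_token}\x01\x01")
    return base64.b64encode(msg.encode("utf-8")).decode("ascii")


def decode_initial_response(b64: str) -> dict:
    """Parse a client's initial response into {'authzid', 'host', 'port', 'auth'}."""
    raw = base64.b64decode(b64).decode("utf-8")
    gs2, _, kv = raw.partition("\x01")
    flag, authzid, _ = gs2.split(",", 2)
    if flag != "n":
        raise ValueError("OAUTHBEARER does not use channel binding")
    fields = {"authzid": _saslname_unescape(authzid[2:]) if authzid.startswith("a=") else ""}
    for item in kv.split("\x01"):
        if item:
            key, _, value = item.partition("=")
            fields[key] = value
    return fields


def imap_authenticate_line(tag: str, initial_response: str, encrypted: bool) -> str:
    """Client's AUTHENTICATE command. Like the upstream patch, refuse cleartext:
    anyone who reads the token can reuse it until it expires."""
    if not encrypted:
        raise RuntimeError("OAUTHBEARER requires an encrypted connection")
    return f"{tag} AUTHENTICATE OAUTHBEARER {initial_response}\r\n"


def fake_server_authenticate(tag: str, initial_response: str, valid_tokens: set, host: str) -> str:
    """Constructed server: check the token and answer as an IMAP server would."""
    fields = decode_initial_response(initial_response)
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme.lower() == "bearer" and token in valid_tokens and fields.get("host") == host:
        return f"{tag} OK AUTHENTICATE completed\r\n"
    # Failure: the server sends a challenge carrying JSON and keeps waiting.
    err = {"status": "401", "schemes": "bearer", "scope": "https://mail.google.com/"}
    return "+ " + base64.b64encode(json.dumps(err).encode("ascii")).decode("ascii") + "\r\n"


def client_handle_reply(line: str) -> tuple:
    """Return (next line the client must send, parsed error or None)."""
    if line.startswith("+ "):
        err = json.loads(base64.b64decode(line[2:].strip()))
        return ABORT_RESPONSE_B64 + "\r\n", err
    return "", None


def run_exchange(user, host, port, token, valid_tokens, encrypted=True):
    """Drive both sides; returns (authenticated, transcript)."""
    tag = "A001"
    transcript = []
    c_line = imap_authenticate_line(tag, build_initial_response(user, host, port, token), encrypted)
    transcript.append("C: " + c_line.rstrip())
    s_line = fake_server_authenticate(tag, c_line.split(" ", 3)[3].strip(), valid_tokens, host)
    transcript.append("S: " + s_line.rstrip())
    abort, err = client_handle_reply(s_line)
    if err is None:
        return True, transcript
    # Until this ^A is sent the server is still inside the SASL exchange.
    transcript.append("C: " + abort.rstrip())
    transcript.append(f"S: {tag} NO AUTHENTICATE failed ({err['status']})")
    return False, transcript


if __name__ == "__main__":
    for tok in ("ya29.CONSTRUCTED", "stale"):
        ok, lines = run_exchange("jrn@gmail.com", "imap.gmail.com", 993, tok, {"ya29.CONSTRUCTED"})
        print(ok, *lines, sep="\n")
```

The failure branch is the interesting one for the NOOP hack in the patch description: the server's `+ <base64 JSON>` line is a challenge, not a final tagged response, so a client that treats it as the end of AUTHENTICATE and moves on will find the server still waiting for the ^A. Sending `AQ==` and then reading the tagged `NO` is the clean way out.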