emacs-devel

Re: gmail+imap+smtp (oauth2)


From: Tomas Hlavaty
Subject: Re: gmail+imap+smtp (oauth2)
Date: Thu, 12 May 2022 01:38:52 +0200

On Wed 11 May 2022 at 05:04, Richard Stallman <rms@gnu.org> wrote:
>   > > Our concern is whether the Oauth2 protocol can be used to communicate
>   > > with Gmail without using any non-libre software.
>
>   > oauth2 mandates whitelist of allowed clients
>   > the issue is getting on and staying on that whitelist controlled by google
>
> There is a leap between the concern I mentioned and your reply.
> I don't know how to relate the two.

I think Oauth2 protocol could theoretically be used to communicate with
Gmail without using any non-libre software.

Writing an oauth2 client software is not that difficult.

But having an oauth2 client software is useless without having the
software on a whitelist.  In the case of gmail, on two whitelists.

1) client_id whitelist

   oauth2 requires the client_id parameter.  It means getting the
   software whitelisted by X.  Who X is depends on the use-case.  It is
   not clear to me yet, who X is in this particular use-case, Google or
   the school/university?

   oauth2 says client_id should be secret.
   Having the client_id public would obviously break the whitelist.

2) application id whitelist

   In case of gmail, google apparently requires the application id parameter.

   Google T&C apparently says application id should be secret.
   Having the application id public would obviously break the whitelist.

This is not a problem for services where there usually is a business
incentive to put those parameters on the whitelist(s) and keep those
values secret, per service.

In case of programs, this gets problematic.

For example, what is an application for the purpose of application id?
If oauth2 client software was a standalone program, would it be a value
specific to that program?  Or would it be a value specific to the actual
mail client, e.g. gnus?  Would each fork (what would that mean exactly?)
need to get its own application id?  Etc.

Some people suggested ignoring Google's T&C, citing Thunderbird as
precedent.  That seems wrong.  The way to comply for a program seems
that each user should get his own application id.  Likely inconvenient,
that is why they decided to ignore (or dispute?) Google T&C and
apparently publish the application id.

What incentive would an organisation have to deal with whitelisting programs?

Similar for client_id.

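As an added illustration (not code from this thread, and not code from Emacs or Gnus), the following Python sketch shows the part of an OAuth2 authorization-code client that carries the client_id parameter discussed in the message above, together with the two checks a practitioner wants in any such client: a state value bound to the request and verified on the redirect, and a PKCE code_verifier/code_challenge pair (RFC 7636). The endpoint URLs, the client_id, the scope string and the redirect URI are placeholders, not Google's values; nothing here contacts a server.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints (assumption for this example, not Google's documented URLs).
AUTH_ENDPOINT = "https://auth.example.test/oauth2/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/oauth2/token"


def code_challenge_from_verifier(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    """Fresh random code_verifier: 32 random bytes, base64url -> 43 characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, code_challenge: str) -> str:
    """Authorization request (RFC 6749 section 4.1.1) plus PKCE challenge.

    client_id is a required parameter of this request; it travels in the
    browser-visible URL together with the per-request state and challenge.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the client.

    The state check rejects a callback that does not belong to the request
    this client issued (a mixed-up or attacker-initiated redirect).
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        code_verifier: str) -> dict:
    """Form body for the token request (RFC 6749 section 4.1.3) with PKCE verifier.

    client_id appears again here; the verifier proves this is the same client
    that started the flow, without any shared secret.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


def demo() -> dict:
    """Run the client side of one flow against a constructed, simulated redirect."""
    client_id = "example-client-id"            # constructed placeholder
    redirect_uri = "http://127.0.0.1:8080/callback"
    state = secrets.token_urlsafe(16)
    verifier = new_pkce_verifier()
    url = build_authorization_url(client_id, redirect_uri, "mail", state,
                                  code_challenge_from_verifier(verifier))
    assert "client_id=" in url
    # Constructed redirect, standing in for what the browser would bring back.
    callback = f"{redirect_uri}?code=constructed-code&state={state}"
    code = parse_callback(callback, state)
    return build_token_request(client_id, redirect_uri, code, verifier)


if __name__ == "__main__":
    print(demo())
```

The token request above would be POSTed to TOKEN_ENDPOINT over TLS; that step is omitted because it needs a live authorization server and a registered client_id, which is exactly the registration question the message raises.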
