|
From: | João Távora |
Subject: | Re: [GNU ELPA] New package: url-http-oauth |
Date: | Mon, 8 May 2023 08:50:06 +0100 |
Hi,
I would like to add one or two new packages to GNU ELPA.
The main one is url-http-oauth, which adds OAuth 2.0 support to the URL
library, via "url-auth" hooks, like url-http-basic, url-http-digest and
url-http-ntlm. It provides auth-source integration for secrets, using
the netrc backend.
https://git.sr.ht/~fitzsim/url-http-oauth
This package is unrelated to oauth2.el in GNU ELPA, which provides new
oauth2-url-retrieve and oauth2-url-retrieve-synchronously functions, and
has plstore instead of auth-source integration. For Excorporate, I
needed something that would work with the built-in url-retrieve
functions and I couldn't see how to do that with oauth2.el. I haven't
tested, but I see no reason that the two packages would interfere with
one another.
For the next release of Excorporate I want to depend on url-http-oauth
to fix the longstanding bug#50113, "Excorporate: Communicating with
domain that requires SSO?". I have the changes ready; I am using them
daily.
The OAuth 2.0 standard encodes the use of a user-agent (i.e., web
browser) for authorization steps which differ per OAuth 2.0 provider,
and are not defined by the specification. I have provided support for
package authors and users to write custom functions to automate these
web browser interactions in arbitrary ways:
AUTHORIZATION-CODE-FUNCTION is an elisp function that takes an
authorization URL as a string argument, and returns, as a string, a
full URL containing a code value in its query string.
By default though, url-http-oauth will prompt the user to copy-n-paste
URLs to and from the web browser. This is the most general default I
could think of; for example, this allows performing authorization in a
local web browser then pasting the result to an Emacs session running
three SSH hops away, where `browse-url' may not do the right thing.
Users and package authors can design automatic user-agent interactions,
but those ways are so varied that I wanted to see how they would evolve.
For example, I would like to see someone write an
authorization-code-function for Sourcehut that would use EWW inline.
For other OAuth 2.0 providers whose authorization steps require
_javascript_, EWW would not work.
I have published another, tiny package:
https://git.sr.ht/~fitzsim/url-http-oauth-demo
It demonstrates the use of url-http-oauth against the Emacs-friendliest
OAuth 2.0 implementation I've found: Sourcehut. Sourcehut's
implementation is entirely Free Software, and it does not require
_javascript_ in the authorization steps. Its client registration process
does not have onerous terms of use. Any Sourcehut user should be able
to get url-http-oauth-demo working. Maybe this package makes sense in
GNU ELPA, or perhaps it could be part of url-http-oauth's documentation.
I wrote these packages myself [1] and I have copyright assignment
paperwork on file.
Thomas
1. Except url-http-oauth--netrc-delete, which borrows lots of code from
auth-source.el.
[Prev in Thread] | Current Thread | [Next in Thread] |