~rjarry/aerc-discuss

Can't figure out how to get OAuth2 working

Message ID: <CJO2XVDY70X2.1AUYN8NQALM09@ArchPC>

- It would be rly great if a little help could be provided on how to get OAuth2 running for Gmail, as Gmail is going to stop supporting access for authentication over only username and password at May 30 this year 2022.
- The manpage for aerc-imap gives a few hints:
imaps+oauthbearer://
    IMAP with TLS/SSL using OAUTHBEARER Authentication

    oauth2_params:

    If specified, the configured password is used as an refresh token that is exchanged with an access token

    -   token_endpoint (required)
    -   client_id (optional)
    -   client_secret (optional)
    -   scope (optional)

    Example: imaps+oauthbearer://...?token_endpoint=https://...&client_id=

- and the following commit message: https://lists.sr.ht/~sircmpwn/aerc/%3C20190710190026.57318-1-frode.aa%40gmail.com%3E

- I first tried to follow the route described in the commit message and created a client credential over https://console.developers.google.com/apis/credentials, but the Python script at https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py isn't up-to-date and is still written in Python Version 2.
- And that's here now, where i'm stuck. I can't even tell if the hints in the commit message are only implementation related and if that's stuff i don't have to bother anymore (create the access token etc.) Or if i should just go for the manpage description, where i tried out:
    source = imaps+oauthbearer://<name>%40gmail.com:<password>@imap.gmail.com:993?token_endpoint=https://accounts.google.com/o/oauth2/token
as client_id etc. seemed to be optional, but that didn't seem to be the solution.
- I think my main problem is my lack of knowledge about how all this web traffic works, so I can't get behind how OAuth2 works exactly and thus can't configure it to work with Aerc.
- It would be rly kind if one could provide a few hints, a little shortcut what token_endpoint one is supposed to use and how to get the access token without this https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py Python script ^_^

Message ID: <CJO327640SWI.1PE8SLME8PRJD@ArchPC>
In-Reply-To: <CJO2XVDY70X2.1AUYN8NQALM09@ArchPC>

(I gave the email a proper formatting, such that it won't be so hard to read
on the webpage.)
- It would be rly great if a little help could be provided on how to get OAuth2
running for Gmail, as Gmail is going to stop supporting access for
authentication over only username and password at May 30 this year 2022.
- The manpage for aerc-imap gives a few hints:
imaps+oauthbearer://
    IMAP with TLS/SSL using OAUTHBEARER Authentication

    oauth2_params:

    If specified, the configured password is used as an refresh token that is
    exchanged with an access token

    -   token_endpoint (required)
    -   client_id (optional)
    -   client_secret (optional)
    -   scope (optional)

    Example: imaps+oauthbearer://...?token_endpoint=https://...&client_id=

- and the following commit message:
https://lists.sr.ht/~sircmpwn/aerc/%3C20190710190026.57318-1-frode.aa%40gmail.com%3E

- I first tried to follow the route described in the commit message and created
a client credential over
https://console.developers.google.com/apis/credentials, but the Python script
at https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py
isn't up-to-date and is still written in Python Version 2.
- And that's here now, where i'm stuck. I can't even tell if the hints in the
commit message are only implementation related and if that's stuff i don't have
to bother anymore (create the access token etc.) Or if i should just go for the
manpage description, where i tried out:
source = imaps+oauthbearer://<name>%40gmail.com:<password>@imap.gmail.com:993\
?token_endpoint=https://accounts.google.com/o/oauth2/token
as client_id etc. seemed to be optional, but that didn't seem to be the
solution.
- I think my main problem is my lack of knowledge about how all this web
traffic works, so I can't get behind how OAuth2 works exactly and thus can't
configure it to work with Aerc.
- It would be rly kind if one could provide a few hints, a little shortcut what
token_endpoint one is supposed to use and how to get the access token without
this https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py
Python script ^_^

Message ID: <CJOAU909NENV.1HGDD5LHIBBR6@Archetype>
In-Reply-To: <CJO2XVDY70X2.1AUYN8NQALM09@ArchPC>

Hi, the easiest way to get a Google Account to work is an App Password.
You can generate one on the Google Account page[0].
I know that it's far from optimal to how exactly OAUTH2 is used, I have
to refer you to someone else.

For your client_{id,secret} you should probably just use the website[1]
as well, I can't really help you more in that regard though. (Scope
should probably be https://mail.google.com [2])

Hope that helped.

[0]: https://support.google.com/accounts/answer/185833?hl=en
[1]: https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid
[2]: https://developers.google.com/identity/protocols/oauth2/scopes#gmail
--
Moritz Poldrack
https://moritz.sh

Message ID: <CJOGNGTW2348.3BIOQQQ40C4EU@ArchPC>
In-Reply-To: <CJOAU909NENV.1HGDD5LHIBBR6@Archetype>

> Hi, the easiest way to get a Google Account to work is an App Password.
> You can generate one on the Google Account page[0].
> I know that it's far from optimal to how exactly OAUTH2 is used, I have
> to refer you to someone else.
App Passwords are new to me, thanks, didn't know about this other option before ^_^
I just don't want, in any way, to have to use a gui application for my mails as it's just so convenient to have everything clean and simple in the terminal with tmux, so i might even live with the 2-Factor-Authentication that this option would enforce on me. I will definitely go for it, when i finally resign on trying to get OAuth2 working. So i have at least one working solution, thank you very much!

> For your client_{id,secret} you should probably just use the website[1]
> as well, I can't really help you more in that regard though. (Scope
> should probably be https://mail.google.com [2]
I have doubts about my google skills, more precisely my duckduckgo skills, that's exactly the kind of official site i was looking for xD Thx ^_^

Thank you very much for taking your time to deal with my problem and for working on aerc ^_^
I'm rly amazed by aerc. For such a long time I've been searching for a way to get rid of neomutt and its ugly configs. And then i finally found aerc yesterday. A true gem. I will definitely recommend it everywhere i can, to convert more people over to aerc!

Have a nice day and thx again,

Areo


Message ID: <CJOXLL3LQDQ5.Q9U5N14T77QJ@ArchPC>
In-Reply-To: <CJOGNGTW2348.3BIOQQQ40C4EU@ArchPC>

> App Passwords are new to me. Thanks, didn't know about this other
> option before ^_^
I've now actually gone for App Passwords, OAuth2 is too much effort xD
Thank you for mentioning App Passwords, App Passwords have turned out to
actually be an even better solution for my problem. Now i can sleep again
peacefully, waiting for 30. May to pass over n_n

I put a small provisional tutorial in here for others stumbling over
this Email exchange:

- First 2-Step Verification has to be activated, but you actually don't
have to hand your phone number over to Google. Do the following:
"Security" / "Signing in to Google" -> "2-Step Verification" ->
!Continue! -> "Use you phone...", "continue" -> "Almost there! Add a
backup..." "Use Another Backup Option" (For this option to appear you
have to sign into your email account on your phone's Email client) ->
"Download", "Next" -> "Turn On"
- Now an option "App Password" should have appeared under "Security" /
"Signing in to Google" / "App Password...". Then just follow the
instructions like on the help page Moritz sent in:
https://support.google.com/accounts/answer/185833?hl=en#zippy=%2Cwhy-you-may-need-an-app-password
. Now you can just use this App Password at the place where your
password would else be placed.

Also interesting is how to change your language from your main language
to english if everything in your account is unfortunately not in
english, so you can't follow the tutorial:
- https://support.google.com/accounts/answer/32047?hl=en&co=GENIE.Platform%3DDesktop
- "Personal info" -> "General preferences for the web" / "Language" ->
pick "English" and after that your main language

Have a nice day and thx again,

Areo

Message ID: <CL2LRIZU09K0.9N3HCUB3FR9T@nano>
In-Reply-To: <CJO2XVDY70X2.1AUYN8NQALM09@ArchPC>

hello, all!

i don't mean to beat a dead horse, but i managed to get oauth2 working!!
it really worked all along, but the process on how to do so was never
clearly described.

i was successful thanks to areotwister outlining his initial attempt.

Areotwister wrote:
> It would be rly great if a little help could be provided on how to get
> OAuth2 running for Gmail, as Gmail is going to stop supporting access
> for authentication over only username and password at May 30 this
> year 2022.

agreed.  and i was in a similar boat with this account, and out of
stubbornness i did not want to enable 2fa in order to create an app
specific password.  changes like these really increase one's dependence
on outside factors / other devices, and this isn't a good thing imho.
i've gone through creating an app specific password for my other gmail
accounts and admittedly doing so is much easier than setting aerc up
with oauthbearer, but i digress.

> - The manpage for aerc-imap ...

the man page would much benefit from elaborating on this!  i'd be
willing to submit a patch improving the documentation on this matter
when i find the time.

> - and the following commit message [0]

pointing to that commit message is really what helped me figure this
out.

> ... follow the route described in the commit message

this is the way.

> ... the Python script at [1] isn't up-to-date and is still written
> in Python Version 2.

we would all benefit if the script were updated to python3, but you have
to understand this isn't a priority for a company which revenues $182.5B.
such a script may already exist that we overlooked.  at my prior job
(not at google) i had to port some of the old python2 google api stuff
to python3.

however, it still works if one is willing to install a much deprecated
python2.

> And that's here now, where i'm stuck. I can't even tell if the hints
> in the commit message are only implementation related and if that's
> stuff i don't have to bother anymore (create the access token etc.)

yes, the refresh token is needed and should go in what is typically the
password field in accounts.conf
also, remember that those fields need to be url encoded.  my refresh
token had two forward slashes in it that i converted manually.

i know most of us that still use gmail have likely already moved on to
app specific passwords, but i'm not a big fan of forced change like this
and am super excited that aerc can work to authenticate this way with
oauthbearer.

[0]: https://lists.sr.ht/~sircmpwn/aerc/%3C20190710190026.57318-1-frode.aa%40gmail.com%3E
[1]: https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py

best,
akspecs

sent via aerc with an smtps+oauthbearer configuration

Message ID: <CL2LWIG6079J.342ZQT4EVPIHI@nano>
In-Reply-To: <CL2LRIZU09K0.9N3HCUB3FR9T@nano>

oh, and i should also mention:
for gmail users,
token_endpoint=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken

yes, just like it's described in the original patch from nearly 3 years
ago.
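
The encoding point from the last two messages, as an added example that is not part of the thread and is not aerc's code: it builds the accounts.conf source value with the refresh token in the password position and every field percent-encoded, then shows what a URL parser recovers when the token's slashes are left raw. The account name, token, client_id and client_secret are constructed sample values, and Python's urlsplit stands in for a generic URL parser.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Endpoint and scope are the values given in the thread for Gmail.
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
SCOPE = "https://mail.google.com"


def build_source(user, refresh_token, client_id, client_secret,
                 host="imap.gmail.com", port=993):
    """Build an accounts.conf 'source' value with every field URL-encoded."""
    # safe="" also encodes "/" and "@", which would otherwise end the
    # userinfo or authority part of the URL early.
    userinfo = quote(user, safe="") + ":" + quote(refresh_token, safe="")
    query = urlencode(
        {"token_endpoint": TOKEN_ENDPOINT, "client_id": client_id,
         "client_secret": client_secret, "scope": SCOPE},
        quote_via=quote, safe="")
    return f"imaps+oauthbearer://{userinfo}@{host}:{port}?{query}"


def parse_source(source):
    """Recover the fields with Python's URL parser (an assumption: this is
    a stand-in for a generic URL parser, not aerc's own parsing code)."""
    parts = urlsplit(source)
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fields.update(user=unquote(parts.username or ""),
                  refresh_token=unquote(parts.password or ""),
                  host=parts.hostname, port=parts.port)
    return fields


if __name__ == "__main__":
    # Constructed sample values; real ones come from the Google console
    # and from the refresh-token step described in the commit message.
    token = "1//0gCONSTRUCTED-refresh-token"
    good = build_source("name@gmail.com", token,
                        "CONSTRUCTED-ID.apps.googleusercontent.com",
                        "CONSTRUCTED-SECRET")
    print("source =", good)
    print(parse_source(good))
    # The same line with the token left unencoded: the first "/" ends the
    # authority, so host, port and token all come out wrong.
    print(parse_source(good.replace(quote(token, safe=""), token)))
```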