adding OAuth
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Jun 1 11:43:53 EDT 2018
> KH: 'To support OAuth2 for Gmail requires your project to
> register with Google and obtain a specific key (well, what you get is
> a "client_id" and a "client_secret"); we did that for nmh. It's not
> clear to me how that would work for Cyrus-SASL; would every
> application have to register an API key?'
> This isn't a problem for me: sendmail is the only app that
> matters to me.

I don't think you quite understand the problem here. Are YOU, Russell
Bell, going to be registering a key for sendmail, an application that as
far as I can tell you do not manage? I can only say that if someone did
that for nmh and I wasn't involved in that I'd be kind of pissed. If
you, Russell Bell, are going to be registering a client key for "Russell
Bell's Awesome Email application" and you just happen to use that with
your copy of sendmail then that's fine, but it's more work.
> KH: 'the key difference here is the GSSAPI library and
> Kerberos utilities take care of all that for you; all you need to do
> as an application programmer is make GSSAPI calls and you get the
> necessary info back. There is not, AFAIK, a comparable library in C
> that is designed for this work'
> liboauth is a collection of C functions implementing the
> http://oauth.net API - does that help?

Ah, that library was not listed on the OAuth web page. But ... I would
caution you that it seems like that library hasn't been worked on in 4-5
years and it looks like it only implements OAuth 1.0 (the original XOAUTH
mechanism), and GMail now supports OAuth 2.0.
> I found a plugin for mutt that does this; mutt uses sendmail.
> I also found Java and VB scripts. I think it's possible as a
> wrap-around - I just have to reverse-engineer it. I also found a
> description of how to do it by telnetting to the SMTP port, passing
> the token, a couple of extra steps.

Right, I've done that myself during testing, but I think "wrapping"
sendmail is probably a lot harder than you realize, since the SASL
negotiation happens in-band (I suppose a simple proxy might be easier).
Some more digging around showed there were enough pieces that might make
this feasible; there is an OAUTH SASL mechanism plugin (which looks like
it only implements the older XOAUTH mechanism, not XOAUTH2), and you are
given a Python script that lets you do the login sequence you need to
get the grant. I am not sure it would be the best choice for sendmail,
though ... it looks like it might assume that you can do some interactive
stuff for additional information and that won't work with sendmail.
But I suppose there is only one way to find out.
--Ken
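The "telnet to the SMTP port and pass the token" exchange discussed above uses the XOAUTH2 SASL mechanism, whose initial client response is base64 of `user=<addr>^Aauth=Bearer <token>^A^A`. The following is an added example, not code from this thread or from Cyrus-SASL or sendmail; it builds and validates that response and interprets the server's reply, using a constructed address and token.

```python
import base64
import json
import re

SEP = "\x01"  # the ^A separator used by the XOAUTH2 wire format


def build_initial_response(user: str, access_token: str) -> str:
    """Base64 initial client response for SASL XOAUTH2 (Gmail's OAuth 2.0 mechanism).

    Wire format: "user=" <addr> SEP "auth=Bearer " <token> SEP SEP
    """
    if SEP in user or SEP in access_token or not access_token:
        raise ValueError("empty token or control character in XOAUTH2 payload")
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_command(user: str, access_token: str) -> str:
    """The single SMTP line a client sends after EHLO (and STARTTLS)."""
    return f"AUTH XOAUTH2 {build_initial_response(user, access_token)}"


def parse_initial_response(b64: str) -> dict:
    """Server-side view: decode a client's XOAUTH2 response and check its shape."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    m = re.fullmatch(r"user=([^\x01]+)\x01auth=Bearer ([^\x01 ]+)\x01\x01", raw)
    if m is None:
        raise ValueError("malformed XOAUTH2 initial response")
    return {"user": m.group(1), "token": m.group(2)}


def classify_reply(line: str) -> tuple:
    """Interpret the server's reply to AUTH XOAUTH2.

    235 -> ("ok", None).  334 <base64 JSON> -> ("failed", details): the server
    rejected the token and expects an empty line before it sends the final 535.
    Anything else -> ("error", line).
    """
    code, _, rest = line.partition(" ")
    if code == "235":
        return ("ok", None)
    if code == "334":
        return ("failed", json.loads(base64.b64decode(rest).decode("utf-8")))
    return ("error", line)


# Constructed sample of a rejection reply (not captured from a real server).
SAMPLE_FAILURE_REPLY = "334 " + base64.b64encode(b'{"status":"401","schemes":"bearer"}').decode("ascii")

if __name__ == "__main__":
    # Constructed values: not a real account or token.
    print(auth_command("alice@example.com", "ya29.CONSTRUCTED-TOKEN"))
    print(classify_reply(SAMPLE_FAILURE_REPLY))
```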