cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] OAUTH 2.0 Bearer token support SMTP/IMAP (XOAUTH2)

From: Kyle L. Huff <>
Date: Fri, 30 Aug 2013 09:32:35 -0400

On Sun, Aug 25, 2013 at 5:00 PM, Daniel Stenberg <> wrote:
> Yes. docs/curl.1 is the curl documentation and
> docs/libcurl/curl_easy_setopt.3 for the new setopt option.

Patches attached for both docs/curl.1 and docs/libcurl/curl_easy_setopt.3

> Yes. Run 'make test' and you'll see a few hundred tests run. The tests/
> directory has a README, there's a FILEFORMAT and has a man page
> here:
> Then of course you can check the tests/data/tests[num] files to see how
> other tests are implemented.

That sounds straight forward enough. I will see what I can do.

>> Also regarding the tests, it is unlikely a successful test of the token
>> functions could be created that would not require the user running the test
>> to provide a recent OAUTH Bearer Token. Tokens generally expire in a short
>> window of time (typically 1 hour), and are unique to the user account used
>> in the connection. Maybe you or someone else has some ideas for a good way
>> to design these tests (or perhaps I misunderstand your meaning
>> altogether...)
> Well, I'm not an expert on OAUTH or your implementation so please correct me
> if I'm wrong but are you basically providing the token "as-is" ?

The only modification to the supplied bearer token is that it is
packed into a string which has the username and some parameter
identifiers, then the entire string is base64 encoded.

For example: "user=username^Aauth=Bearer <user supplied token string>^A^A"

> We have a test server and we can pretend that the token you send is fine, so we can
> have the test server respond an OK resonse. And we can have it return a
> reject response. The tests are written explicitly and we tell the test
> server exactly that the response should be in each test, and the test
> running script makes sure that curl sends the correct protocol parts and
> gets the correct stuff back...

I think that would work; the XOAUTH2 challenge/response portion is not
very complicated. The complexity of OAUTH2 is in the authorization and
issuance of the tokens, which all happens outside the scope of cURL (a
transaction between the user, content-provider and authorization

Thank you for all your efforts -


Kyle L. Huff

List admin:

Received on 2013-08-30