curl-library

Re: [PATCH] OAUTH 2.0 Bearer token support SMTP/IMAP (XOAUTH2)

From: Kyle L. Huff <kyle.huff_at_curetheitch.com>
Date: Sat, 12 Oct 2013 13:53:49 -0400

On Fri, Sep 20, 2013 at 5:08 PM, Steve Holme <steve_holme_at_hotmail.com> wrote:

> Daniel announced this week that we are approaching feature freeze for cURL
> 7.33 and as I felt it would be best to add XOAUTH to POP3 in the same
> release as IMAP and SMTP I have cobbled together the appropriate
> implementation.

Sorry for the late reply, I've been slammed at work.

> I have pushed this as commit 18db7438512de1 and would appreciate it if you
> would be so kind as to review the code at some point.

I have taken a look, and I don't see any issues. I don't have access
to a server that actually implements XOAUTH2 via POP3, but it operates
as expected with a dummy test POP3 service using string comparison.

I did however notice while I was poking around that the option
'--bearer' might be slightly ambiguous in name. It doesn't create any
conflict that I am aware of at the moment, however, OAUTH v2 is not
the only authentication mechanism which uses "bearer" tokens. I wonder
if this might need to be changed to something more implementation
specific... I don't know enough about the OAUTH v1.0 implementation to
say if something like "--oauth-bearer" would be a better choice, and
of course that presumes that there is a possibility that at some point
OAUTH v1.0 will be implemented in cURL -- which as I understand it,
OAUTH v1.0 is, and will remain valid, and is in use by some major
players.

What are your thoughts? Also, should this scrutiny be applied to the
nomenclature used in OAUTH v2.0 curl_easy_setopt options? Currently,
the curl_easy_setopt name for OAUTH v2.0 is CURLOPT_XOAUTH2_BEARER,
which is protocol and version specific, but if the naming convention
of the CLI option is protocol and version agnostic, perhaps this
option should be as well.

Now, from what I understand about the OAUTH v1.0 specification, the
bearer token is sent in addition to some other fields, such as the
client ID and the client secret, so perhaps making the parameter
version specific makes more sense. ??
-------------------------------------------------------------------
Received on 2013-10-12