
Pulling GitHub into the kernel process


Posted Jun 24, 2021 16:10 UTC (Thu) by mathstuf (subscriber, #69389)
In reply to: Pulling GitHub into the kernel process by Cyberax
Parent article: Pulling GitHub into the kernel process

Gmail does support it (I send patches through it). But with XOAUTH2 being a thing, app-specific passwords being sunset, and not knowing how msmtp and offlineimap are going to support it[1], that's not something I'd expect to be true for too much longer. Though for those poor souls trying to send via the web interface, yeah, that's a lost cause at this point and has been for at least a few years.

[1] My $DAYJOB email is fine because I can register apps and make offlineimap work at least, but my personal account doesn't seem to have the ability to register an application, so I'm probably stuck in the long term, but at least I have been migrating away for personal usage.



Pulling GitHub into the kernel process

Posted Jun 24, 2021 16:36 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

I think there's a project that works as a local XOAUTH2 proxy for IMAP. So technically it should still be doable, but it's adding a new layer of brokenness.

Pulling GitHub into the kernel process

Posted Jun 24, 2021 17:03 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (2 responses)

That works if the app itself is registered, but since the app secret key is necessarily visible to me since I'd only really trust it if it were FOSS, that is destined to be revoked if/when the attention of the Eye of Sauron^WGoogle comes across it. OAuth is really good at locking out custom builds because now the service providers can deny arbitrary apps based on whatever whims they have that day. It is useful for blocking copycat spamware, but the knock-on effects for those of us who cobble together our setups are quite unfortunate :( .

Pulling GitHub into the kernel process

Posted Jun 24, 2021 17:06 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Yes, OAuth has this problem. I'm not even sure what the solution would be. WebAuthn over SASL?

Pulling GitHub into the kernel process

Posted Jun 24, 2021 17:54 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

AFAIU, OAuth is supposed to add in a "this app is authorized to use this service" step to using the service through my account. This usually does come with real benefits:

- apps are limited in the API they access (and it is curated by the developer rather than users not knowing what is actually necessary)
- additional permissions can be intercepted and requested at application update time (when refreshing their active token)
- dropping permissions doesn't require users to go and do it manually
- if my account secret token is stolen from app A, app B can't use it to access my account because it isn't authorized to do so
- services can pinpoint misbehaving applications or use of deprecated APIs and contact application developers directly

Of course, Fastmail's application-specific passwords allow you to limit which service(s) are available, but since there's no application authentication, stealing the password from offlineimap does grant IMAP access which is…substantial.

Honestly, I think I'd be OK with service-specific passwords that can be authorized every N days through WebAuthn or some other hardware token mediated thing. Though this would mean my automated backups would require some more maintenance, since I'd need to go and touch a Yubikey or whatever to keep its authorization token alive.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds