aerc/lib/oauthbearer.go

package lib

import (
	"context"
	"fmt"

	"github.com/emersion/go-imap/client"
	"github.com/emersion/go-sasl"
	"golang.org/x/oauth2"
)

type OAuthBearer struct {
	OAuth2  *oauth2.Config
	Enabled bool
}

func (c *OAuthBearer) ExchangeRefreshToken(refreshToken string) (*oauth2.Token, error) {
	token := new(oauth2.Token)
	token.RefreshToken = refreshToken
	token.TokenType = "Bearer"
	return c.OAuth2.TokenSource(context.TODO(), token).Token()
}

func (c *OAuthBearer) Authenticate(username string, password string, client *client.Client) error {
	if ok, err := client.SupportAuth(sasl.OAuthBearer); err != nil || !ok {
		return fmt.Errorf("OAuthBearer not supported %w", err)
	}

	if c.OAuth2.Endpoint.TokenURL != "" {
		token, err := c.ExchangeRefreshToken(password)
		if err != nil {
			return err
		}
		password = token.AccessToken
	}

	saslClient := sasl.NewOAuthBearerClient(&sasl.OAuthBearerOptions{
		Username: username,
		Token:    password,
	})

	return client.Authenticate(saslClient)
}
Support imaps with oauthbearer authentication (Gmail) imaps+oauthbearer://user:token@host?token_endpoint=... - the config Source password is used as access token if no token_endpoint parameter is set - the config Source password is used as refresh token if token_endpoint parameter is set, and used to exchange with an access token The implementation has only been tested with Gmail. source = imaps+oauthbearer://{username}:{refersh_token}@imap.gmail.com:993? \ client_id=XX&\ client_secret=XX&\ token_endpoint=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken client credentials created with https://console.developers.google.com/apis/credentials refresh token created with https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py rel: https://todo.sr.ht/~sircmpwn/aerc2/42 2019-07-10 21:00:28 +02:00			`package lib`

			`import (`
			`"context"`
			`"fmt"`
lint: apply new formatting rules Run `make fmt`. Signed-off-by: Moritz Poldrack <git@moritz.sh> Acked-by: Robin Jarry <robin@jarry.cc> 2022-07-31 22:16:40 +02:00
Support imaps with oauthbearer authentication (Gmail) imaps+oauthbearer://user:token@host?token_endpoint=... - the config Source password is used as access token if no token_endpoint parameter is set - the config Source password is used as refresh token if token_endpoint parameter is set, and used to exchange with an access token The implementation has only been tested with Gmail. source = imaps+oauthbearer://{username}:{refersh_token}@imap.gmail.com:993? \ client_id=XX&\ client_secret=XX&\ token_endpoint=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken client credentials created with https://console.developers.google.com/apis/credentials refresh token created with https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py rel: https://todo.sr.ht/~sircmpwn/aerc2/42 2019-07-10 21:00:28 +02:00			`"github.com/emersion/go-imap/client"`
			`"github.com/emersion/go-sasl"`
			`"golang.org/x/oauth2"`
			`)`

			`type OAuthBearer struct {`
			`OAuth2 *oauth2.Config`
			`Enabled bool`
			`}`

Add `oauthbearer` support for SMTP This piggybacks on the existing IMAP support, and uses the same configuration format (my local testing example has the IMAP and SMTP lines almost copy-pasted from one another). It's a little clumsy in that a new token is negotiated for every `Send()` command, but it's a start... 2020-05-26 13:29:58 +02:00			`func (c OAuthBearer) ExchangeRefreshToken(refreshToken string) (oauth2.Token, error) {`
Support imaps with oauthbearer authentication (Gmail) imaps+oauthbearer://user:token@host?token_endpoint=... - the config Source password is used as access token if no token_endpoint parameter is set - the config Source password is used as refresh token if token_endpoint parameter is set, and used to exchange with an access token The implementation has only been tested with Gmail. source = imaps+oauthbearer://{username}:{refersh_token}@imap.gmail.com:993? \ client_id=XX&\ client_secret=XX&\ token_endpoint=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken client credentials created with https://console.developers.google.com/apis/credentials refresh token created with https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py rel: https://todo.sr.ht/~sircmpwn/aerc2/42 2019-07-10 21:00:28 +02:00			`token := new(oauth2.Token)`
			`token.RefreshToken = refreshToken`
			`token.TokenType = "Bearer"`
			`return c.OAuth2.TokenSource(context.TODO(), token).Token()`
			`}`

			`func (c OAuthBearer) Authenticate(username string, password string, client client.Client) error {`
			`if ok, err := client.SupportAuth(sasl.OAuthBearer); err != nil \|\| !ok {`
lint: work nicely with wrapped errors (errorlint) Error wrapping as introduced in Go 1.13 adds some additional logic to use for comparing errors and adding information to it. Signed-off-by: Moritz Poldrack <moritz@poldrack.dev> Acked-by: Robin Jarry <robin@jarry.cc> 2022-07-31 15:15:27 +02:00			`return fmt.Errorf("OAuthBearer not supported %w", err)`
Support imaps with oauthbearer authentication (Gmail) imaps+oauthbearer://user:token@host?token_endpoint=... - the config Source password is used as access token if no token_endpoint parameter is set - the config Source password is used as refresh token if token_endpoint parameter is set, and used to exchange with an access token The implementation has only been tested with Gmail. source = imaps+oauthbearer://{username}:{refersh_token}@imap.gmail.com:993? \ client_id=XX&\ client_secret=XX&\ token_endpoint=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken client credentials created with https://console.developers.google.com/apis/credentials refresh token created with https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py rel: https://todo.sr.ht/~sircmpwn/aerc2/42 2019-07-10 21:00:28 +02:00			`}`

			`if c.OAuth2.Endpoint.TokenURL != "" {`
Add `oauthbearer` support for SMTP This piggybacks on the existing IMAP support, and uses the same configuration format (my local testing example has the IMAP and SMTP lines almost copy-pasted from one another). It's a little clumsy in that a new token is negotiated for every `Send()` command, but it's a start... 2020-05-26 13:29:58 +02:00			`token, err := c.ExchangeRefreshToken(password)`
Support imaps with oauthbearer authentication (Gmail) imaps+oauthbearer://user:token@host?token_endpoint=... - the config Source password is used as access token if no token_endpoint parameter is set - the config Source password is used as refresh token if token_endpoint parameter is set, and used to exchange with an access token The implementation has only been tested with Gmail. source = imaps+oauthbearer://{username}:{refersh_token}@imap.gmail.com:993? \ client_id=XX&\ client_secret=XX&\ token_endpoint=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken client credentials created with https://console.developers.google.com/apis/credentials refresh token created with https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py rel: https://todo.sr.ht/~sircmpwn/aerc2/42 2019-07-10 21:00:28 +02:00			`if err != nil {`
			`return err`
			`}`
			`password = token.AccessToken`
			`}`

			`saslClient := sasl.NewOAuthBearerClient(&sasl.OAuthBearerOptions{`
			`Username: username,`
			`Token: password,`
			`})`

			`return client.Authenticate(saslClient)`
			`}`