Support imaps with oauthbearer authentication (Gmail)
imaps+oauthbearer://user:token@host?token_endpoint=... - the config Source password is used as access token if no token_endpoint parameter is set - the config Source password is used as refresh token if token_endpoint parameter is set, and used to exchange with an access token The implementation has only been tested with Gmail. source = imaps+oauthbearer://{username}:{refersh_token}@imap.gmail.com:993? \ client_id=XX&\ client_secret=XX&\ token_endpoint=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken client credentials created with https://console.developers.google.com/apis/credentials refresh token created with https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py rel: https://todo.sr.ht/~sircmpwn/aerc2/42
This commit is contained in:
parent
217e85a55d
commit
b0eaf5191c
5 changed files with 100 additions and 8 deletions
|
@ -19,7 +19,7 @@ In accounts.conf (see *aerc-config*(5)), the following IMAP-specific options are
|
|||
available:
|
||||
|
||||
*source*
|
||||
imap[s][+insecure]://username[:password]@hostname[:port]
|
||||
imap[s][+insecure|+oauthbearer]://username[:password]@hostname[:port]?[:oauth2_params]
|
||||
|
||||
Remember that all fields must be URL encoded. The "@" symbol, when URL
|
||||
encoded, is *%40*.
|
||||
|
@ -35,6 +35,22 @@ available:
|
|||
*imaps*:
|
||||
IMAP with TLS/SSL
|
||||
|
||||
*imaps+oauthbearer://*
|
||||
IMAP with TLS/SSL using OAUTHBEARER Authentication
|
||||
|
||||
*oauth2_params:*
|
||||
|
||||
If specified, the configured password is used as an refresh token that
|
||||
is exhanged with an access token
|
||||
|
||||
- token_endpoint (required)
|
||||
- client_id (optional)
|
||||
- client_secret (optional)
|
||||
- scope (optional)
|
||||
|
||||
Example:
|
||||
imaps+oauthbearer://...?token_endpoint=https://...&client_id=
|
||||
|
||||
*source-cred-cmd*
|
||||
Specifies the command to run to get the password for the IMAP
|
||||
account. This command will be run using `sh -c [command]`. If a
|
||||
|
|
3
go.mod
3
go.mod
|
@ -11,7 +11,7 @@ require (
|
|||
github.com/emersion/go-imap v1.0.0-beta.6
|
||||
github.com/emersion/go-imap-idle v0.0.0-20190519112320-2704abd7050e
|
||||
github.com/emersion/go-message v0.10.3
|
||||
github.com/emersion/go-sasl v0.0.0-20190520160400-47d427600317
|
||||
github.com/emersion/go-sasl v0.0.0-20190704090222-36b50694675c
|
||||
github.com/emersion/go-smtp v0.11.1
|
||||
github.com/gdamore/tcell v1.1.2
|
||||
github.com/go-ini/ini v1.42.0
|
||||
|
@ -28,6 +28,7 @@ require (
|
|||
github.com/smartystreets/assertions v1.0.0 // indirect
|
||||
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a // indirect
|
||||
github.com/stretchr/testify v1.3.0
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
|
||||
golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed // indirect
|
||||
gopkg.in/ini.v1 v1.42.0 // indirect
|
||||
)
|
||||
|
|
11
go.sum
11
go.sum
|
@ -1,3 +1,4 @@
|
|||
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||
git.sr.ht/~sircmpwn/getopt v0.0.0-20190214165041-9a4f886f9fc7 h1:xTFH5S/3ltiRvAtETLLDFWm5nVIouT5GeCPHm8UaVEU=
|
||||
git.sr.ht/~sircmpwn/getopt v0.0.0-20190214165041-9a4f886f9fc7/go.mod h1:wMEGFFFNuPos7vHmWXfszqImLppbc0wEhh6JBfJIUgw=
|
||||
git.sr.ht/~sircmpwn/getopt v0.0.0-20190609193657-e7e23d1cd3a3 h1:2l17fmuVbiS2cSx1m8e8GbikDUjAT5lril3/+XQsZAs=
|
||||
|
@ -28,6 +29,8 @@ github.com/emersion/go-sasl v0.0.0-20161116183048-7e096a0a6197 h1:rDJPbyliyym8ZL
|
|||
github.com/emersion/go-sasl v0.0.0-20161116183048-7e096a0a6197/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k=
|
||||
github.com/emersion/go-sasl v0.0.0-20190520160400-47d427600317 h1:tYZxAY8nu3JJQKios9f27Sbvbkfm4XHXT476gVtszu0=
|
||||
github.com/emersion/go-sasl v0.0.0-20190520160400-47d427600317/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k=
|
||||
github.com/emersion/go-sasl v0.0.0-20190704090222-36b50694675c h1:Spm8jy+jWYG/Dn6ygbq/LBW/6M27kg59GK+FkKjexuw=
|
||||
github.com/emersion/go-sasl v0.0.0-20190704090222-36b50694675c/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k=
|
||||
github.com/emersion/go-smtp v0.11.1 h1:2IBWhU2zjrfOOmZal3qRxVsfYnf0rN+ccImZrjnMT7E=
|
||||
github.com/emersion/go-smtp v0.11.1/go.mod h1:CfUbM5NgspbOMHFEgCdoK2PVrKt48HAPtL8hnahwfYg=
|
||||
github.com/emersion/go-textwrapper v0.0.0-20160606182133-d0e65e56babe h1:40SWqY0zE3qCi6ZrtTf5OUdNm5lDnGnjRSq9GgmeTrg=
|
||||
|
@ -36,6 +39,7 @@ github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdk
|
|||
github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
|
||||
github.com/go-ini/ini v1.42.0 h1:TWr1wGj35+UiWHlBA8er89seFXxzwFn11spilrrj+38=
|
||||
github.com/go-ini/ini v1.42.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
|
||||
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf h1:7+FW5aGwISbqUtkfmIpZJGRgNFg2ioYPvFaUxdqpDsg=
|
||||
github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf/go.mod h1:RpwtwJQFrIEPstU94h88MWPXP2ektJZ8cZ0YntAmXiE=
|
||||
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
|
||||
|
@ -77,7 +81,13 @@ github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0
|
|||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/image v0.0.0-20190523035834-f03afa92d3ff/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
|
||||
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
|
||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed h1:uPxWBzB3+mlnjy9W58qY1j/cjyFjutgw/Vhan2zLy/A=
|
||||
|
@ -88,5 +98,6 @@ golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
|
|||
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||
gopkg.in/ini.v1 v1.42.0 h1:7N3gPTt50s8GuLortA00n8AqRTk75qOP98+mTPpgzRk=
|
||||
gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||
|
|
42
lib/oauthbearer.go
Normal file
42
lib/oauthbearer.go
Normal file
|
@ -0,0 +1,42 @@
|
|||
package lib
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"github.com/emersion/go-imap/client"
|
||||
"github.com/emersion/go-sasl"
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
type OAuthBearer struct {
|
||||
OAuth2 *oauth2.Config
|
||||
Enabled bool
|
||||
}
|
||||
|
||||
func (c *OAuthBearer) exchangeRefreshToken(refreshToken string) (*oauth2.Token, error) {
|
||||
token := new(oauth2.Token)
|
||||
token.RefreshToken = refreshToken
|
||||
token.TokenType = "Bearer"
|
||||
return c.OAuth2.TokenSource(context.TODO(), token).Token()
|
||||
}
|
||||
|
||||
func (c *OAuthBearer) Authenticate(username string, password string, client *client.Client) error {
|
||||
if ok, err := client.SupportAuth(sasl.OAuthBearer); err != nil || !ok {
|
||||
return fmt.Errorf("OAuthBearer not supported %v", err)
|
||||
}
|
||||
|
||||
if c.OAuth2.Endpoint.TokenURL != "" {
|
||||
token, err := c.exchangeRefreshToken(password)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
password = token.AccessToken
|
||||
}
|
||||
|
||||
saslClient := sasl.NewOAuthBearerClient(&sasl.OAuthBearerOptions{
|
||||
Username: username,
|
||||
Token: password,
|
||||
})
|
||||
|
||||
return client.Authenticate(saslClient)
|
||||
}
|
|
@ -9,7 +9,9 @@ import (
|
|||
"github.com/emersion/go-imap"
|
||||
idle "github.com/emersion/go-imap-idle"
|
||||
"github.com/emersion/go-imap/client"
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"git.sr.ht/~sircmpwn/aerc/lib"
|
||||
"git.sr.ht/~sircmpwn/aerc/models"
|
||||
"git.sr.ht/~sircmpwn/aerc/worker/types"
|
||||
)
|
||||
|
@ -23,11 +25,12 @@ type imapClient struct {
|
|||
|
||||
type IMAPWorker struct {
|
||||
config struct {
|
||||
scheme string
|
||||
insecure bool
|
||||
addr string
|
||||
user *url.Userinfo
|
||||
folders []string
|
||||
scheme string
|
||||
insecure bool
|
||||
addr string
|
||||
user *url.Userinfo
|
||||
folders []string
|
||||
oauthBearer lib.OAuthBearer
|
||||
}
|
||||
|
||||
client *imapClient
|
||||
|
@ -71,6 +74,20 @@ func (w *IMAPWorker) handleMessage(msg types.WorkerMessage) error {
|
|||
w.config.insecure = true
|
||||
}
|
||||
|
||||
if strings.HasSuffix(w.config.scheme, "+oauthbearer") {
|
||||
w.config.scheme = strings.TrimSuffix(w.config.scheme, "+oauthbearer")
|
||||
w.config.oauthBearer.Enabled = true
|
||||
q := u.Query()
|
||||
if q.Get("token_endpoint") != "" {
|
||||
w.config.oauthBearer.OAuth2 = &oauth2.Config{
|
||||
ClientID: q.Get("client_id"),
|
||||
ClientSecret: q.Get("client_secret"),
|
||||
Scopes: []string{q.Get("scope")},
|
||||
}
|
||||
w.config.oauthBearer.OAuth2.Endpoint.TokenURL = q.Get("token_endpoint")
|
||||
}
|
||||
}
|
||||
|
||||
w.config.addr = u.Host
|
||||
if !strings.ContainsRune(w.config.addr, ':') {
|
||||
w.config.addr += ":" + w.config.scheme
|
||||
|
@ -110,7 +127,12 @@ func (w *IMAPWorker) handleMessage(msg types.WorkerMessage) error {
|
|||
if !hasPassword {
|
||||
// TODO: ask password
|
||||
}
|
||||
if err := c.Login(username, password); err != nil {
|
||||
|
||||
if w.config.oauthBearer.Enabled {
|
||||
if err := w.config.oauthBearer.Authenticate(username, password, c); err != nil {
|
||||
return err
|
||||
}
|
||||
} else if err := c.Login(username, password); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue