Re: gmail+imap+smtp (oauth2)

[Thomas Fitzsimmons]

Hi Tim,

Tim Cross <theophilusx@gmail.com> writes:

> Thomas Fitzsimmons <fitzsim@fitzsim.org> writes:

[...]

>> Tim Cross <theophilusx@gmail.com> writes:
>>
>>> Richard Stallman <rms@gnu.org> writes:
>>>
>>>> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
>>>> [[[ whether defending the US Constitution against all enemies,     ]]]
>>>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>>>>
>>>>   > I landed on the conclusion that SMTP 
>>>>   > and IMAP should keep working as long as you use app-passwords for 
>>>>   > logging in to your account.
>>>>
>>>> Can you explain what "app-passwords" are?  I have never used Gmail,
>>>> and I don't need to know technical details, but I have to think
>>>> about the ethical implications of this.
>>
>> [...]
>>
>>> I don't think there are any significant ethical considerations
>>> associated with app passwords (in addition to those associated with
>>> using Google/Gmail that is). It is likely that setting the app password
>>> via the Google account settings page involves non-free Javascript, but I
>>> think that boat sailed when you initially sign up for a gmail account
>>> anyway.
>>
>> One issue with OAuth2 schemes is that they periodically force the user
>> through a web-browser-only authentication process that requires non-free
>> JavaScript, in order to get a refresh token.
>>
>> (I'm hoping someone can prove me wrong, and point me to a command-line
>> procedure using only free software that allows me to get a refresh token
>> when required.  We're told OAuth2 is a modern standard, right?  So there
>> should be a modern, standard way of doing the same things as the
>> JavaScript authentication blobs... right?)
>>
>> There are two issues, which I think should be considered separately:
>>
>> One-time registration requiring non-free JavaScript (1).
>>
>> Subsequently requiring non-free JavaScript for authentication to use
>> IMAP or SMTP protocols (2).
>>
>> See the discussion in this bug report, closed wontfix:
>>
>>    https://debbugs.gnu.org/cgi/bugreport.cgi?bug=41386
>>
>> I'm hoping the FSF will study and comment on the issue in general, given
>> that gmail.com, such a large email provider, is making this OAuth2
>> change.  To me, issue (2) seems like a high priority one for Free
>> Software.  Keep in mind that avoiding issue (1) isn't always optional,
>> from an employee/student perspective.
>>
>
> I think your confusing oauth2 as an authn/authz framework/standard and
> its implementation as done by Google.

Are you aware of any email provider that advertises "OAuth 2.0" but that
does not require non-free JavaScript blobs for authentication?

> There is nothing which requires oauth2 be implemented in Javascript or
> that requies it to use non-free software.

So can you describe how to get an OAuth 2.0 gmail.com refresh token
without the use of non-free JavaScript?

Thanks,
Thomas