On Xoauth

From: hru...@gmail.com (Roderick)
Newsgroups: comp.mail.pine
Subject: On Xoauth
Date: Mon, 7 Mar 2022 08:15:52 +0000
 by: Roderick - Mon, 7 Mar 2022 08:15 UTC

Dear Sirs!

I have some questions.

(1) I added /auth=xoauth2 also on the smtp server:

smtp-server=smtp.gmail.com:587/tls/auth=xoauth2/user=xxx

Is it OK?

(2) Can I run multiple instances of alpine in the same computer
with the same Configuration file (and same ID and Key)?

(3) Can I run different instances of alpine on different computers
with the same Configuration file (and same ID and Key)?

(4) ID and Key are saved in the configuration file.
Where does alpine save the temporary tokens?

Thanks
Rodrigo

Re: On Xoauth

 by: Eduardo Chappa - Mon, 7 Mar 2022 15:44 UTC

On Mon, 7 Mar 2022, Roderick wrote:

> (1) I added /auth=xoauth2 also on the smtp server:
>
> smtp-server=smtp.gmail.com:587/tls/auth=xoauth2/user=xxx
>
> Is it OK?

Dear Rodrigo,

According to
https://alpine.x10host.com/alpine/alpine-info/misc/AuthorizeAlpineGmail.html
the best setting is

smtp-server=smtp.gmail.com/ssl/user=your@id.com/auth=xoauth2

but the one you mentioned should also work.

> (2) Can I run multiple instances of alpine in the same computer
> with the same Configuration file (and same ID and Key)?

Yes. This is the same question as asking if you can login multiple times
with the same username/password, and since Gmail allows that, then this is
allowed too.

> (3) Can I run different instances of alpine on different computers
> with the same Configuration file (and same ID and Key)?

Yes. You can use the same client-id and client-secret to login from
anywhere in the world and from any device that supports XOAUTH2. However,
each device will get its own refresh token and access token.

> (4) ID and Key are saved in the configuration file.
> Where does alpine save the temporary tokens?

In the password file, or in a Mac in the keychain, or in Windows in the
Windows Credentials. There are two things that are saved. A token called
the refresh token, which is valid for life, and another called the access
token which only lasts for a small amount of time, an hour typically. Both
are saved locally in your computer.

Say you went to sleep, closed Alpine and came back the next day. When you
open Alpine for the first time Alpine will see that it has been over an
hour since the access token was generated, so it will not use it and will
use the refresh token to get a new access token. With that access token
alpine will login to your account. Now, if you were to open another
session, say 15 minutes later, in the same computer, then Alpine would
notice that the access token is still valid, and would create a new
session with that access-token and it would not try to get a new
access-token from the server.

Does this answer the questions?

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
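
The token handling described in the reply above, as an added example that is not part of the thread and is not Alpine's own code: reuse the cached access token while it is valid, otherwise use the refresh token (RFC 6749, section 6) to obtain a new one, then build the SASL XOAUTH2 string sent at login. `TokenCache`, `session_token`, `EXPIRY_MARGIN` and the caller-supplied `post` function are assumptions made for the illustration.

```python
import base64
import time
from dataclasses import dataclass
from urllib.parse import urlencode

EXPIRY_MARGIN = 60  # assumption: treat a token as stale 60 s before it expires


@dataclass
class TokenCache:
    """What a client stores locally (hypothetical layout, not Alpine's)."""
    refresh_token: str   # long-lived; must be protected like a password
    access_token: str    # short-lived bearer token
    expires_at: float    # UNIX time at which access_token stops working


def refresh_body(cache, client_id, client_secret):
    """Form body of the RFC 6749 section 6 refresh request."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": cache.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def session_token(cache, client_id, client_secret, post, now=None):
    """Return a usable access token, refreshing only when the cached one is stale.

    `post` is a caller-supplied function that sends the form body to the
    provider's token endpoint and returns the decoded JSON reply.
    """
    now = time.time() if now is None else now
    if now >= cache.expires_at - EXPIRY_MARGIN:
        reply = post(refresh_body(cache, client_id, client_secret))
        cache.access_token = reply["access_token"]
        cache.expires_at = now + reply["expires_in"]
        # Some providers rotate the refresh token; keep the old one otherwise.
        cache.refresh_token = reply.get("refresh_token", cache.refresh_token)
    return cache.access_token


def xoauth2_response(user, access_token):
    """Base64 SASL XOAUTH2 initial response sent on IMAP/SMTP AUTH."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("ascii")).decode("ascii")
```

Because the refresh token alone is enough to mint new access tokens, the file or keychain entry holding it needs the same protection as a password.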

Re: On Xoauth

 by: Roderick - Mon, 7 Mar 2022 20:16 UTC

On Mon, 7 Mar 2022, Eduardo Chappa wrote:

> Does this answer the questions?

Yes. Thanks.

The reason for the last questions was the tokens. I feared
interferences between many instances. Or that running in
a new computer needs tokens from the old computer. Do I
need to copy also the passfile, or is the configuration file
enough?

Well, soon I will be forced to use xoauth, the experience will tell.

Rodrigo

Re: On Xoauth

 by: Eduardo Chappa - Tue, 8 Mar 2022 04:09 UTC

On Mon, 7 Mar 2022, Roderick wrote:

>
> On Mon, 7 Mar 2022, Eduardo Chappa wrote:
>
>> Does this answer the questions?
>
> Yes. Thanks.
>
> The reason for the last questions was the tokens. I feared interferences
> between many instances. Or that running in a new computer needs tokens
> from the old computer. Do I need to copy also the passfile, or is the
> configuration file enough?

Dear Rodrigo,

all you need to be able to set up xoauth2 is the client-id and
client-secret, so the same .pinerc moved from one computer to another will
work well. Once you start alpine in different devices with the same
configuration (same client-id and client-secret) alpine will help you get
your own access and refresh tokens for that device.

My experience is that these tokens are not transferable between
computers (that is, the tokens know in which computer they live, so the
verifying server will cancel your authentication if you transfer the
tokens - or password file - from one computer to another.)

In summary: transfer the client-id and client-secret between computers
and go through the authorization process in each device to get your
refresh and access tokens, and do not transfer your password file. It
does not serve much purpose.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

Re: On Xoauth

 by: Roderick - Sat, 26 Mar 2022 17:49 UTC

I have just read a little from:

https://datatracker.ietf.org/doc/html/rfc6749

I did not find a better explanation of oauth2 on the Web.

I do recognize some advantages, but they are in the context of how I
use my Email account not worth the more complicated authentication.

Rodrigo

Re: On Xoauth

 by: Eduardo Chappa - Sun, 27 Mar 2022 16:16 UTC

On Sat, 26 Mar 2022, Roderick wrote:

>
> I have just read a little from:
>
> https://datatracker.ietf.org/doc/html/rfc6749
>
> I did not find a better explanation of oauth2 on the Web.
>
> I do recognize some advantages, but they are in the context of how I use
> my Email account not worth the more complicated authentication.

The "advantage" is seen from the perspective of the service provider. A
password allows access to all resources of the provider, xoauth2 allows
access to those resources that you authorize, not all automatically. In
theory, this allows you to have different passwords (access tokens) for
different services. It increases security from that perspective.

However, my experience is different. All the services that I use through
the web keep cookies with my login information, and so if anyone were
going to take control of my computer they would have access to my account
until that cookie expires, which is typically a month since it was
generated. I do not see the point of this. It seems that the gained
security is completely lost because users do not want to authenticate (or
double authenticate) every time they login. I think the theory is better
than the practice in this case. There are ways to counter attack (say by
changing the password of the account) but lots of damage could have been
done in between the unauthorized access and the realization of the
hacking. I do not see much point in that. The added security is an
illusion until you get hacked.

In particular, I recommend that you keep your password file encrypted and
use a key to unlock it. That way the only way to get into your account
will be through Alpine, and no one will be able to steal your refresh
token and use it to login through Alpine.

Security is an illusion. Don't fall for it.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

Re: On Xoauth

 by: Roderick - Mon, 28 Mar 2022 09:33 UTC

On Sun, 27 Mar 2022, Eduardo Chappa wrote:

> The "advantage" is seen from the perspective of the service provider. A

I find interesting the concept of separating authorization from
authentication, but that is also in frameworks like sasl.

One gives clients different passwords (access tickets) that are not the
same password to fully access the data on the service provider, and
one can revoke some of those passwords without changing the last general
password. This means other clients still have the (limited) access.

This of course makes more sense when the clients are third party
web platforms. When we are in complete possession of the client
(alpine installed in the own personal computer), all this mechanism
turns to be a disadvantage also regarding security.

Rodrigo

Re: On Xoauth

 by: Eduardo Chappa - Mon, 28 Mar 2022 23:14 UTC

On Mon, 28 Mar 2022, Roderick wrote:

> I find interesting the concept of separating authorization from
> authentication, but that is also in frameworks like sasl.
>
> One gives clients different passwords (access tickets) that are not the
> same password to fully access the data on the service provider, and one
> can revoke some of those passwords without changing the last general
> password. This means other clients still have the (limited) access.
>
> This of course makes more sense when the clients are third party web
> platforms. When we are in complete possession of the client (alpine
> installed in the own personal computer), all this mechanism turns to be
> a disadvantage also regarding security.

Rodrigo,

when I have used passwords for apps, my experience has been that the
same password applies to the same app regardless of place, so in a way it
works like a password. Xoauth2 also depends on device. Different devices
get different passwords, and with a way to generate them, not like those
impossible to remember passwords per app that are generated by each
service that are difficult to carry among devices.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
