[LINK] Pegasus Mail & OAUTH2

<62954fcf@news.ausics.net>

Message-ID: <62954fcf@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: [LINK] Pegasus Mail & OAUTH2
Newsgroups: comp.misc
Keywords: OAUTH2,email,software,security,Google,GMail
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 31 May 2022 09:14:23 +1000
Organization: Ausics - https://www.ausics.net
Lines: 66
X-Complaints: abuse@ausics.net
 by: Computer Nerd Kev - Mon, 30 May 2022 23:14 UTC

Forget the elephants - there's a donkey in the room!
by David Harris, May 2nd 2022
- https://www.pmail.com/devnews.htm

"According to the old joke, a camel is just a horse that was
designed by a committee: when it came to OAUTH2, though, what the
committee produced was more like a two-wheeled donkey.

OAUTH2 is a suite of documents that defines an authentication and
authorization process - a set of rules and procedures that allows a
user to control how a program can login to a service (for instance,
to send mail), and what it can do while it is logged in. Many of
its goals are entirely admirable:

* Allows the user to specify narrow areas of information that
programs can access - for example, users might grant a mail program
access to just their mail, but not to other things like their
calendar or browsing history. Using older password-based approaches
essentially allowed any application knowing the password to access
all the user's data, and potentially do anything it wanted with it.
* Protects users from themselves by somewhat reducing their
vulnerability when they use the same password on multiple sites,
use weak passwords, or never change their passwords.
* Theoretically allows a better "user experience" by doing the
actual login to the site using the site's own login facility, which
is presumably more familiar to the user than a mail program's
generic one. [Note - I currently dispute this one, and will explain
why later on].

There are other more minor benefits that the developers of the
framework make reference to, but these are the main ones the user
will see. But you only get benefits from something like this if it
is well-designed and implemented.

Very annoyingly, sites like GMail and Microsoft's outlook.com site
have taken to calling OAUTH2 "modern authentication", as if this
somehow marks it as a well-thought-out, balanced mechanism:
unfortunately, neither is true.

OAUTH2 has had a very checkered history: originally a rather more
complex framework called OAUTH 1, the process of developing OAUTH2
was so internally fraught that the lead author of the specification
resigned and removed his name from the process before it was
released. If you'd like to see a little history of OAUTH2,
Wikipedia has an article here:
https://en.wikipedia.org/wiki/OAuth#OAuth_2.0

So why am I so critical of OAUTH2? Let me count the ways...

Before I start, though, I have to be clear up front about one
thing: many of the goals of OAUTH2 are valid and worthwhile: my
problems with it are exclusively to do with how it has been
implemented. In my nearly thirty-five years of writing software in
service of the Internet, OAUTH2 is the worst-conceived piece of
software design I have ever encountered. More troublingly, it shows
the increasing levels of control and power exercised by large,
usually American corporations over the Internet, and the almost
complete disregard they have for its historical openness and
inclusiveness. OAUTH2 is a major step on the way to an Internet
where the only players are large corporations, serving their own
interests in the name of profit and power." ...

--
__ __
#_ < |\| |< _#

Re: [LINK] Pegasus Mail & OAUTH2

<br3kmi-5fj.ln1@berry.solani.org>

From: fungus@amongus.com.invalid (Retrograde)
Newsgroups: comp.misc
Subject: Re: [LINK] Pegasus Mail & OAUTH2
Date: Wed, 1 Jun 2022 13:49:15 +0100
Message-ID: <br3kmi-5fj.ln1@berry.solani.org>
References: <62954fcf@news.ausics.net>
Reply-To: fungus@amongus.com.invalid
User-Agent: slrn/1.0.3 (Linux)
 by: Retrograde - Wed, 1 Jun 2022 12:49 UTC

On 2022-05-30, Computer Nerd Kev <not@telling.you.invalid> wrote:
> Forget the elephants - there's a donkey in the room!
> by David Harris, May 2nd 2022
<snip>
> service of the Internet, OAUTH2 is the worst-conceived piece of
> software design I have ever encountered. More troublingly, it shows
> the increasing levels of control and power exercised by large,
> usually American corporations over the Internet, and the almost
> complete disregard they have for its historical openness and
> inclusiveness. OAUTH2 is a major step on the way to an Internet
> where the only players are large corporations, serving their own
> interests in the name of profit and power." ...

Great article. I'd tolerate OAuth2 a bit if I could get CLI mail
software like mutt to work with it at all. The criticism about this
technology further placing formerly open systems squarely in the hands
of profit-seeking companies is legitimate.

We're already practically down to O365, gmail, and Apple Mail for most
Americans - I hate it, as I also hate people telling me where to put my
'gmail' on some form. Ain't got no gmail, pardner.

Re: [LINK] Pegasus Mail & OAUTH2

<jfpfd7F37opU2@mid.individual.net>

From: usenet@andyburns.uk (Andy Burns)
Newsgroups: comp.misc
Subject: Re: [LINK] Pegasus Mail & OAUTH2
Date: Wed, 1 Jun 2022 16:37:10 +0100
Lines: 9
Message-ID: <jfpfd7F37opU2@mid.individual.net>
References: <62954fcf@news.ausics.net> <br3kmi-5fj.ln1@berry.solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101
Thunderbird/101.0
Content-Language: en-GB
In-Reply-To: <br3kmi-5fj.ln1@berry.solani.org>
 by: Andy Burns - Wed, 1 Jun 2022 15:37 UTC

Retrograde wrote:

> I'd tolerate OAuth2 a bit if I could get CLI mail
> software like mutt to work with it

There are mail proxy programs available that will do the oauth2 work for clients
that can't handle it ...

Re: [LINK] Pegasus Mail & OAUTH2

<20220601155815.68621970@amongus.com.invalid>

From: fungus@amongus.com.invalid (Retrograde)
Newsgroups: comp.misc
Subject: Re: [LINK] Pegasus Mail & OAUTH2
Date: Wed, 1 Jun 2022 15:58:15 -0400
Message-ID: <20220601155815.68621970@amongus.com.invalid>
References: <62954fcf@news.ausics.net>
<br3kmi-5fj.ln1@berry.solani.org>
<jfpfd7F37opU2@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Newsreader: Claws Mail 3.19.0 (GTK+ 2.24.33; x86_64-mageia-linux-gnu)
 by: Retrograde - Wed, 1 Jun 2022 19:58 UTC

On Wed, 1 Jun 2022 16:37:10 +0100
Andy Burns <usenet@andyburns.uk> wrote:

> Retrograde wrote:
>
> > I'd tolerate OAuth2 a bit if I could get CLI mail
> > software like mutt to work with it
>
> There are mail proxy programs available that will do the oauth2 work for clients
> that can't handle it ...

Glad to hear it. Any recommendations? I'm looking around and the
best-looking article seems to be behind a RedHat paywall. But to my
surprise it also appears mutt 2.0.7 and up now has oauth2 support - will
have to try again.

Re: [LINK] Pegasus Mail & OAUTH2

<jfq0maF60ovU1@mid.individual.net>

From: usenet@andyburns.uk (Andy Burns)
Newsgroups: comp.misc
Subject: Re: [LINK] Pegasus Mail & OAUTH2
Date: Wed, 1 Jun 2022 21:32:09 +0100
Lines: 24
Message-ID: <jfq0maF60ovU1@mid.individual.net>
References: <62954fcf@news.ausics.net> <br3kmi-5fj.ln1@berry.solani.org>
<jfpfd7F37opU2@mid.individual.net>
<20220601155815.68621970@amongus.com.invalid>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101
Thunderbird/101.0
Content-Language: en-GB
In-Reply-To: <20220601155815.68621970@amongus.com.invalid>
 by: Andy Burns - Wed, 1 Jun 2022 20:32 UTC

Retrograde wrote:

> Andy Burns wrote:
>
>> Retrograde wrote:
>>
>>> I'd tolerate OAuth2 a bit if I could get CLI mail
>>> software like mutt to work with it
>>
>> There are mail proxy programs available that will do the oauth2 work for clients
>> that can't handle it ...
>
> Glad to hear it. Any recommendations?

Not a recommendation as such, just what I found when looking for other people

<https://github.com/simonrob/email-oauth2-proxy>

> I'm looking around and the
> best-looking article seems to be behind a RedHat paywall. But to my
> surprise it also appears mutt 2.0.7 and up now has oauth2 support - will
> have to try again.

Re: [LINK] Pegasus Mail & OAUTH2

<6297f7a7@news.ausics.net>

Message-ID: <6297f7a7@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: [LINK] Pegasus Mail & OAUTH2
Newsgroups: comp.misc
References: <62954fcf@news.ausics.net> <br3kmi-5fj.ln1@berry.solani.org> <jfpfd7F37opU2@mid.individual.net> <20220601155815.68621970@amongus.com.invalid>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 2 Jun 2022 09:35:04 +1000
Organization: Ausics - https://www.ausics.net
Lines: 41
X-Complaints: abuse@ausics.net
 by: Computer Nerd Kev - Wed, 1 Jun 2022 23:35 UTC

Retrograde <fungus@amongus.com.invalid> wrote:
> On Wed, 1 Jun 2022 16:37:10 +0100
> Andy Burns <usenet@andyburns.uk> wrote:
>> Retrograde wrote:
>>
>> > I'd tolerate OAuth2 a bit if I could get CLI mail
>> > software like mutt to work with it
>>
>> There are mail proxy programs available that will do the oauth2 work for clients
>> that can't handle it ...
>
> Glad to hear it. Any recommendations? I'm looking around and the
> best-looking article seems to be behind a RedHat paywall. But to my
> surprise it also appears mutt 2.0.7 and up now has oauth2 support - will
> have to try again.

I've seen mention of GMail still allowing you to set up
application-specific passwords for software that doesn't support
OAUTH2, though of course it's "not recommended" and as such might
not last forever either.

I'm feeling quite smug about having personally avoided ever setting
up a GMail account. GMail did recently stop delivering emails sent
via my ISP's mail server though, without any "mail delivery failed"
error of course, which caused me some pain. Though as always with
Email it's never entirely clear whether they just started going
into junk folders that the recipients never check. That's the
trouble with avoiding GMail and other major email services, you
avoid the Google enemy only for every idiot-user and their spam
filter to become your new opponents.

Another silent failure is with GMail blocking incoming emails with
attachments of compressed files or some other binary data. It only
happens sometimes, but it's a pain. Technically they do send an
SMTP error back, but that only helps if you can see the mail
server's error log.
https://support.google.com/mail/?p=BlockedMessage

--
__ __
#_ < |\| |< _#

