On Tue, Jun 12, 2018, 9:42 PM Will Yardley <mutt-...@veggiechinese.net>
wrote:

> On Tue, Jun 12, 2018 at 09:36:34PM -0700, Brandon Long wrote:
> > On Tue, Jun 12, 2018 at 8:32 PM Will Yardley <mutt-...@veggiechinese.net>
> > wrote:
> >
> > > On Mon, Jun 11, 2018 at 03:12:45PM -0700, Brandon Long wrote:
> > > > Gmail supports RFC 7628 for using OAUTH with IMAP, and they really don't
> > > > like you using password based auth.  You can still enable "less secure
> > > > apps" and then generate an application specific password, but I figured it
> > > > was time to support it.
> > >
> > > Awesome! Just curious, given the recent thread about 2FA, can this (and
> > > does this) support 2 factor auth for IMAP as well?
> >
> > Recent thread?
>
> Sorry, I meant:
> http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20180611/000250.html
>
> > Generally speaking, OAUTHBEARER is not a two-factor authentication.  When
> > it comes to Google and GSuite, it doesn't require you to enable "less
> > secure apps" and it doesn't require an Application Specific Password (ASP)
> > when you have 2FA enabled on your account.  It works by requiring you to
> > login to Google (with 2FA if that's enabled), and getting a long lived
> > "refresh token".  It then exchanges that for a short lived "access token",
> > which is good for about one hour.  It's also "scoped" in that when you
> > request the refresh token, you're asking for access to specific resources,
> > in this case read/write access to your Gmail account.  It's also "scoped"
> > in the sense that it's tied to a specific application.
>
> So with that, do you have to click through to a web browser to login? Or
> does the Python script you're using allow terminal input for 2FA (and if
> so, does it work correctly from within Mutt)?
>

Getting the refresh token with Google means clicking through to a web
browser.  It's a one time thing, however.

Theoretically, some system could prompt for your OTP before issuing an
OAUTH access token every time, but that's not the current model that Google
uses.

> It would be awesome if (either now or later), you could both avoid using
> an application specific password, _and_ enter your 2 FA auth via console
> prompts, vs. copying / pasting or clicking on a link.
>

As I said, OAUTH is not a 2FA.  It's basically a more limited ASP with some
other security benefits.

There's nothing particularly complicated about having a SASL mechanism
which takes a password and OTP; the SECURID mechanism is basically that.
That said, I don't know of any IMAP servers which support that off the top
of my head.

I.e., the normal PLAIN SASL mechanism is basically sending the
username/password separated by chr(1); you could just have one that has
another field.

I think being prompted for your 2FA every time you have a new connection
has just been considered too annoying and not what users want.  Even on the
web, you login with 2FA and exchange it for a longer lasting cookie.
That's more the model that OAUTH is trying to emulate, use whatever 2FA or
whatever authentication mechanism you want, and exchange it for a limited
auth cookie to use longer term.

Brandon
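The two mechanisms discussed in this thread differ only in how the client's first message is framed, so here is an added example (not code from the thread, from mutt, or from Google) that builds and parses the initial client response for AUTHENTICATE PLAIN (RFC 4616) and AUTHENTICATE OAUTHBEARER (RFC 7628). It follows the separator bytes those RFCs specify: NUL between PLAIN fields, ^A (0x01) between OAUTHBEARER key=value pairs. The parsers are written as a server would use them and reject malformed framing rather than guessing at a token. All user names, hosts and tokens are constructed sample values; obtaining a real access token (the one-time browser step for the refresh token, then the refresh-to-access exchange) is outside this snippet.

```python
import base64

# Separator bytes as the RFCs define them (constructed example, not mutt's code):
# PLAIN (RFC 4616) uses NUL between fields; OAUTHBEARER (RFC 7628) uses ^A
# as its "kvsep" between key=value pairs.
PLAIN_SEP = b"\x00"
KVSEP = b"\x01"

# RFC 7628: after a server failure challenge the client sends a lone kvsep
# (base64 "AQ==") to end the exchange cleanly.
OAUTHBEARER_FAILURE_ACK = base64.b64encode(KVSEP)


def sasl_plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> bytes:
    """Client side: [authzid] NUL authcid NUL passwd, base64 for AUTHENTICATE PLAIN."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = PLAIN_SEP.join(f.encode("utf-8") for f in (authzid, authcid, passwd))
    return base64.b64encode(raw)


def parse_plain_initial_response(encoded: bytes) -> tuple:
    """Server side: split a PLAIN initial response back into (authzid, authcid, passwd)."""
    raw = base64.b64decode(encoded, validate=True)
    parts = raw.split(PLAIN_SEP)
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid:
        raise ValueError("authcid must not be empty")
    return authzid, authcid, passwd


def sasl_oauthbearer_initial_response(user: str, access_token: str, host: str, port: int) -> bytes:
    """Client side: gs2-header kvsep *(key "=" value kvsep) kvsep, base64 for
    AUTHENTICATE OAUTHBEARER. The access token travels as 'auth=Bearer <token>'."""
    if any(c in access_token for c in " \x01"):
        raise ValueError("access token must not contain spaces or ^A")
    gs2_header = f"n,a={user},".encode("utf-8")
    kvpairs = b"".join(
        f"{k}={v}".encode("utf-8") + KVSEP
        for k, v in (("host", host), ("port", str(port)), ("auth", f"Bearer {access_token}"))
    )
    return base64.b64encode(gs2_header + KVSEP + kvpairs + KVSEP)


def parse_oauthbearer_initial_response(encoded: bytes) -> dict:
    """Server side: validate the framing and return the GS2 authzid, every
    key=value pair, and the bare bearer token under 'token'. Raises ValueError
    on any framing error so a malformed blob never yields a token by accident."""
    raw = base64.b64decode(encoded, validate=True)
    if not raw.endswith(KVSEP + KVSEP):
        raise ValueError("missing terminating kvsep kvsep")
    header, sep, body = raw.partition(KVSEP)
    if not sep:
        raise ValueError("missing kvsep after GS2 header")
    parts = header.decode("utf-8").split(",")
    if len(parts) != 3 or parts[0] != "n" or not parts[1].startswith("a=") or parts[2] != "":
        raise ValueError("unsupported GS2 header (expected 'n,a=<user>,')")
    fields = {"authzid": parts[1][2:]}
    # body is 'k=v^A ... k=v^A' followed by the final '^A'; drop the last two bytes.
    for kv in body[:-2].split(KVSEP):
        key, eq, value = kv.partition(b"=")
        if not eq or not key:
            raise ValueError(f"malformed kvpair: {kv!r}")
        fields[key.decode("utf-8")] = value.decode("utf-8")
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("auth value must be 'Bearer <token>'")
    fields["token"] = token
    return fields


def oauthbearer_response_is_wellformed(encoded: bytes) -> bool:
    """Yes/no wrapper for servers that only gate on framing before token lookup."""
    try:
        parse_oauthbearer_initial_response(encoded)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real token.
    plain = sasl_plain_initial_response("alice@example.com", "s3cret")
    bearer = sasl_oauthbearer_initial_response(
        "alice@example.com", "EXAMPLE_ACCESS_TOKEN", "imap.example.com", 993)
    print("AUTHENTICATE PLAIN", plain.decode())
    print("AUTHENTICATE OAUTHBEARER", bearer.decode())
    print(parse_oauthbearer_initial_response(bearer))
```

The design point the thread makes shows up directly in the bytes: PLAIN carries the long-lived secret itself on every connection, while OAUTHBEARER carries only a short-lived, application- and scope-bound access token, so the server-side parser never sees the user's password or refresh token at all.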
