On 23-05-2025 01:15 am, brian m. carlson wrote:
> On 2025-05-22 at 17:27:16, Aditya Garg wrote:
>> +static char *xoauth2_base64(const char *user, const char *access_token) >> +{ >> + int raw_len, b64_len; >> + char *raw, *b64; >> + >> + /* Compose the XOAUTH2 string >> + * "user=" {User} "^Aauth=Bearer " {Access Token} "^A^A" >> + * https://developers.google.com/workspace/gmail/imap/xoauth2-protocol#initial_client_response >> + */ >> + raw_len = strlen(user) + strlen(access_token) + 20; >> + raw = xmallocz(raw_len + 1); >> + snprintf(raw, raw_len + 1, "user=%s\001auth=Bearer %s\001\001", user, access_token); >> + >> + /* Base64 encode */ >> + b64 = xmallocz(ENCODED_SIZE(strlen(raw))); >> + b64_len = EVP_EncodeBlock((unsigned char *)b64, (unsigned char *)raw, strlen(raw)); >> + free(raw); >> + >> + if (b64_len < 0) { >> + free(b64); >> + return NULL; >> + } >> + return b64; >> +} >> + >> #else >> >> static char *cram(const char *challenge_64 UNUSED, 
>> @@ -895,6 +959,20 @@ static char *cram(const char *challenge_64 UNUSED, >> "you have to build git-imap-send with OpenSSL library."); >> } >> >> +static char *oauthbearer_base64(const char *user UNUSED, >> + const char *access_token UNUSED) >> +{ >> + die("If you want to use OAUTHBEARER authenticate method, " >> + "you have to build git-imap-send with OpenSSL library."); >> +}
>
> I don't think this is a good idea. Linux distros and other parties who
> distribute OpenSSL cannot legally distribute Git linked against it and
> we should not require people to use OpenSSL for this. It looks like all
> you need here is a base64 encoder and it should be pretty easy to write
> such an encoder. There's a minimal decoder as part of decode_b_segment
> in mailinfo.c and I'm pretty sure we could just add a suitable encoder
> that writes to a strbuf like we have for percent-encoding.
>
> Alternatively, you could just push this into the credential helper with
> the new credential helper extensions by adding support for that to git
> imap-send and let the helper implement the base64 encoding. That's kind
> of the reason I implemented it in the first place.

We can still use curl to use these. Curl has a dedicated API for OAuth2.0. That is what I am doing with v2.
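
Review bot: In xoauth2_base64(), `raw_len = strlen(user) + strlen(access_token) + 20;` hard-codes the byte count of the literal parts of the format string and stores a size_t sum in an int. The 20 is correct for the format as written (5 for "user=", 13 for "\001auth=Bearer ", 2 for "\001\001"), but it goes stale silently if the format string changes, and a very long token would be truncated when the sum is narrowed to int. Building the string with xstrfmt("user=%s\001auth=Bearer %s\001\001", user, access_token) removes both the magic number and the manual xmallocz()/snprintf() pair; the length can then be kept in a size_t and range-checked before it is handed to EVP_EncodeBlock(), which takes an int.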
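
Review bot: The #else stub oauthbearer_base64() dies with "you have to build git-imap-send with OpenSSL library.", which makes the mechanism depend on OpenSSL even though the only OpenSSL call visible in the xoauth2_base64() helper is EVP_EncodeBlock(). Consider a base64 encoder that does not come from OpenSSL so that this stub is not needed. If the stub stays, the message should read "authentication method" rather than "authenticate method".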
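
The OpenSSL-free encoding suggested in the quoted reply can be sketched as follows. This is an added example, not code from the patch or from Git; the function names `b64_encode` and `xoauth2_initial_response` and the sample user and token are hypothetical, and it uses plain libc allocation rather than Git's strbuf API.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char b64tab[] =
	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Padded base64 (RFC 4648) of len bytes; caller frees. NULL on failure. */
char *b64_encode(const unsigned char *src, size_t len)
{
	size_t i, o = 0;
	char *out;

	if (len > SIZE_MAX / 2)	/* keeps 4 * ceil(len / 3) + 1 from wrapping */
		return NULL;
	out = malloc(4 * ((len + 2) / 3) + 1);
	if (!out)
		return NULL;
	for (i = 0; i < len; i += 3) {
		uint32_t v = (uint32_t)src[i] << 16;
		if (i + 1 < len) v |= (uint32_t)src[i + 1] << 8;
		if (i + 2 < len) v |= src[i + 2];
		out[o++] = b64tab[(v >> 18) & 63];
		out[o++] = b64tab[(v >> 12) & 63];
		out[o++] = i + 1 < len ? b64tab[(v >> 6) & 63] : '=';
		out[o++] = i + 2 < len ? b64tab[v & 63] : '=';
	}
	out[o] = '\0';
	return out;
}

/* base64("user=" user ^A "auth=Bearer " token ^A ^A); caller frees. */
char *xoauth2_initial_response(const char *user, const char *token)
{
	static const char fmt[] = "user=%s\001auth=Bearer %s\001\001";
	int n = snprintf(NULL, 0, fmt, user, token); /* measure, no magic number */
	char *raw, *b64;

	if (n < 0 || !(raw = malloc((size_t)n + 1)))
		return NULL;
	snprintf(raw, (size_t)n + 1, fmt, user, token);
	b64 = b64_encode((const unsigned char *)raw, (size_t)n);
	free(raw);
	return b64;
}

int main(void)
{
	/* constructed sample values, not real credentials */
	char *r = xoauth2_initial_response("someone@example.com", "sample-token");
	if (r) puts(r);
	free(r);
	return 0;
}
```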