Thunderbird:Autoconfiguration:ConfigFileFormat: Difference between revisions

Document OAuth2, status quo and where we should be, and limitations of the OAuth2 spec
(Link the other documents with more link text, making them more prominent)
(Document OAuth2, status quo and where we should be, and limitations of the OAuth2 spec)
Line 51: Line 51:
                 "TLS-client-cert":
                 "TLS-client-cert":
                           On the SSL/TLS layer, the server requests a client certificate and the client sends one (possibly after letting the user select/confirm one), if available. (Not yet supported by Thunderbird)
                           On the SSL/TLS layer, the server requests a client certificate and the client sends one (possibly after letting the user select/confirm one), if available. (Not yet supported by Thunderbird)
                "OAuth2":
                          OAuth2. Works only on specific hardcoded servers, please see below. Should be added only as second alternative.
                 "none":
                 "none":
                           No authentication
                           No authentication
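Review bot: the new "OAuth2" entry says it "Should be added only as second alternative", but the example at Line 243 lists `<authentication>OAuth2</authentication>` before `<authentication>password-cleartext</authentication>`, and the text around it describes OAuth2 as the preferred method with the password entry as the fallback. Say explicitly that the requirement is a second, password-based `<authentication>` element alongside OAuth2 (so a client without a client key for that issuer can still authenticate), not a particular position in the list, and replace "please see below" with the name of the "OAuth2" section so the reference resolves.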
Line 230: Line 232:
The system is generic, so that it can in theory be used for other values as well. No other such purpose is currently known, apart from a separate POP and SMTP username maybe. It should not be used to let the user supply hostnames, as that would defeat the purpose of the autoconfig and be worse than the manual config UI provided by the client.
The system is generic, so that it can in theory be used for other values as well. No other such purpose is currently known, apart from a separate POP and SMTP username maybe. It should not be used to let the user supply hostnames, as that would defeat the purpose of the autoconfig and be worse than the manual config UI provided by the client.


= TODO =
= OAuth2 =
 
Due to a defficiency in the OAuth2 spec, the client is usually required to send a client credential key, which in turn requires the client to be registered and approved by the email provider. Unfortunately, this not only allows email providers to block specific email clients (which is contrary to the idea of Open-Source), but also makes it impossible to support arbitrary OAuth2 servers. That's why Thunderbird is forced to hardcode the servers that it supports and the respecive client keys. That means that you cannot use OAuth2 for your own server. Only the servers listed on [https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.jsm OAuth2Providers.jsm] will work.


* Values specific to IMAP, e.g. bug 558659 (special folders), bug 572465 (subfolders) etc.. However, most of these can and should be done as IMAP extensions.
A server using OAuth2 auth looks this:
* All settings and enum values
* In bug 849540 and bug 1166625, a new authentication type was added to support OAuth2 in gmail.com domains. This looks like:
<pre>
<pre>
     <incomingServer type="imap">
     <incomingServer type="imap">
       <hostname>imap.googlemail.com</hostname>
       <hostname>imap.gmail.com</hostname>
       <port>993</port>
       <port>993</port>
       <socketType>SSL</socketType>
       <socketType>SSL</socketType>
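Review bot: two spelling errors in the new OAuth2 paragraph, "defficiency" should read "deficiency" and "respecive" should read "respective", and the intro line "A server using OAuth2 auth looks this:" is missing "like". The example hostname also changes from imap.googlemail.com to imap.gmail.com, which the edit summary does not mention; since this is the value readers will copy into their configuration, call the change out so it is clearly deliberate.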
Line 243: Line 245:
       <authentication>OAuth2</authentication>
       <authentication>OAuth2</authentication>
       <authentication>password-cleartext</authentication>
       <authentication>password-cleartext</authentication>
      <oauth>
        <issuer>login.yahoo.com<issuer>
        <scope>mail-w<scope>
        <authURL>https://api.login.yahoo.com/oauth2/request_auth</authURL>
        <tokenURL>https://api.login.yahoo.com/oauth2/get_token</tokenURL>
      <oauth>
     </incomingServer>
     </incomingServer>
</pre>
</pre>


In Thunderbird 38 and later, this will choose OAuth2 as the preferred authentication method, supported in both imap and smtp. For Thunderbird prior to version 38, the OAuth2 entry will be ignored, and the fallback password-cleartext used instead.  
Note that the `<oauth>` contents are not yet supported by Thunderbird. They are planned to be supported later, removing the need to hardcode these parameters. As of today, `<authentication>OAuth2</authentication>` is supported.


The current status of OAuth2 does not allow this implementation to work for other providers, so additional parameters needed to specify this are hard-wired in Thunderbird. This mechanism will only work in gmail, other domains will fail if OAuth2 is specified. For the future, we would like to implement generic methods such that OAuth2 can be supported for arbitrary domains rather than requiring in-program customization for each supported domain.
Note that there are two `<authentication>` elements. This allows a fallback, in case a client does not support OAuth2 or does not have a client key for this OAuth2 issuer and therefore cannot authenticate with this issuer.
 
= TODO =
 
* Values specific to IMAP, e.g. bug 558659 (special folders), bug 572465 (subfolders) etc.. However, most of these can and should be done as IMAP extensions.
* All settings and enum values
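Review bot: the new `<oauth>` block is not well-formed XML and will be rejected or mis-nested by a parser when copied into a config file: `<issuer>login.yahoo.com<issuer>` and `<scope>mail-w<scope>` lack the closing slash, and the block ends with `<oauth>` instead of `</oauth>`. Suggested lines: `<issuer>login.yahoo.com</issuer>`, `<scope>mail-w</scope>` and a final `</oauth>`. The example also mixes providers: the `<incomingServer>` hostname is imap.gmail.com while `<issuer>`, `<authURL>` and `<tokenURL>` all point at login.yahoo.com, so a reader cannot tell which provider the example describes; use one provider throughout. Since the paragraph below says the `<oauth>` contents are not yet supported, mark the block in the example as the planned format so readers do not assume it is honored today.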