Thunderbird:Autoconfiguration:ConfigFileFormat: Difference between revisions

Thunderbird:Autoconfiguration:ConfigFileFormat (view source)

Revision as of 05:53, 2 January 2021

13 bytes added , 2 January 2021

→‎OAuth2: Scope

BenB

Confirmed users

591

edits

@@ Line 291: / Line 291: @@
 Note that there are two `<authentication>` elements. This allows a fallback, in case a client does not support OAuth2 or does not have a client key for this OAuth2 issuer and therefore cannot authenticate with this issuer.
-The scope is difficult. If we set up email, address book, calendar, and webdav, we do *not* want the user go have to go through 4 authentication processes. Yet, a provider might use different scopes for email and calendar, and that is in line with the OAuth2 spec. The solution is to combine several scopes, using [https://tools.ietf.org/html/rfc6749#section-3.3 spaces as separator], in a single auth request. However, it is reported that this fails for some providers. If really necessary, we could add it as optional parameter `<authentication scope="mail-w">OAuth2</authentication>`, while still defaulting to `<oAuth2>.<scope>`, but that would cause the above mentioned issue of requiring several authentication processes.
+Scope: If we set up email, address book, calendar, and webdav, we do *not* want the user go have to go through 4 authentication processes. Yet, a provider might use different scopes for email and calendar, and that is in line with the OAuth2 spec. The solution is to combine several scopes, using [https://tools.ietf.org/html/rfc6749#section-3.3 spaces as separator], in a single auth request. [https://stackoverflow.com/questions/8449544/multiple-scope-values-to-oauth2/51437063#51437063 The order is important]. That's why we deliberately do not make the scope specific to a service or server, but to the entire configuration. We don't want the user to have to authenticate several times in a row. This is a requirement from the end user.
 = TODO =