Quick reply:

1. The service provider can't connect back to the client. The service provider is passed a URL to which it connects to pass the token. With Gmail it's an implicit flow where they pass 'localhost', so that's a custom implementation.

With other e-mail clients, eM Client for example, they have their own server that accepts tokens back from the provider. So the flow is Mail Client -> Provider -> mail app creator URL and separately: Mail Client -> mail app creator URL, from where it waits and reads the token that the Provider generated.

2. https://login.microsoftonline.com/domain.com/.well-known/openid-configuration

It's not hardcoded, I was just using it as an example. MS substitutes domain.com for whatever domain the client is looking up, for example https://login.microsoftonline.com/gmail.com/.well-known/openid-configuration

Cheers,
Scott

On Wednesday, 31/07/2024 at 10:49 Andrew C Aitchison via mailop wrote:

On Sun, 14 Jul 2024, Scott Q. via mailop wrote:

> My question wasn't geared in that direction. It's up to each provider to create their own custom interfaces for integrating all that. It's not rocket science.
>
> My question was geared towards the clients used to access mail.
>
> Outlook uses hardcoded integration with Gmail, Yahoo too I think from the strings I saw in a dll.
>
> But that integration doesn't have anything special, it's basically Outlook making a post like this:
>
> 'client_id': 445112211283-61c9mrk8i55mfr882g61p37m8j2nga3q.apps.googleusercontent.com
> 'login_hint': u...@gmail.com
> 'redirect_uri': http://localhost:8011
> 'response_type': code
> 'scope': profile email https://mail.google.com
> 'rs': en-US
> 'build': 16.0.17726
> 'platform': Win32
> 'app': Outlook
>
> That looks like a custom implicit flow where Outlook has that client_id and it goes to URL: https://accounts.google.com/o/oauth2/v2/auth
> Mind you, that URL can be derived from https://accounts.google.com/.well-known/openid-configuration since it's nothing more than the authorization endpoint.
>
> Taking another example, eM Client. They seem to use Authorization Flow with Yahoo. Pretty straightforward.
> User adds a Yahoo account, eM Client opens the Yahoo oauth login page, if login is successful Yahoo posts the token to eM Client's oauth server which in turn passes it over to the eM Client app.
>
> Again, I'm not an oauth expert but I can't figure out why this can't be done with all providers.

I agree that it would be good if this worked for all providers.

Thinking about adding this to alpine and fetchmail, which are not apps and don't have active servers for Yahoo to do an oauth login. I assume that the provider can pass the token directly to the client making the connection?

Currently this step is quite ragged and not easy for users. GMail particularly makes it hard. There are T&Cs and a contract which requires details of the non-existent web service providing the backend to the non-existent App. There are stories of the authorization dying after a week, and users winding up at instructions which request a licence in the hundred dollar range. The developer of one of these apps has got close to giving up and abandoning OAuth.

If there are other providers out there and a universal discovery method, maybe the effort would be worthwhile?

> 1. Look-up domain.com/.well-known/openid-configuration and get the authorization endpoint

Hmm. As A. Schulze says:

>> MS & Google and Keycloak both offer this URL:
>>
>> https://login.microsoftonline.com/domain.com/.well-known/openid-configuration
>> https://accounts.google.com/.well-known/openid-configuration

I'll have to read https://openid.net/specs/openid-connect-discovery-1_0.html to see why the literal domain.com in one but not the other (and the other version doesn't work for MS or Google).

I don't see this openid-configuration in mutt, alpine or fetchmail. Alpine has GMail, Outlook, Yandex and Yahoo hardcoded.

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
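The flow the thread describes (discovery document -> authorization endpoint -> browser login -> redirect to a loopback listener -> code exchanged at the token endpoint) as an added, editor-written example; it is not code from the thread, from Outlook, eM Client, alpine or fetchmail. The discovery document, the hostname provider.example and the client_id are constructed placeholders; the redirect URI http://localhost:8011 is the one quoted in the thread. The example uses response_type=code with PKCE and a state check rather than an implicit flow, so that a code landing on the loopback port is useless to anyone who does not also hold the client's verifier.

```python
"""OIDC discovery plus an authorization-code + PKCE request for a native mail
client using a loopback redirect. Only fetch_discovery() touches the network;
everything else runs offline against a constructed sample document."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

# Constructed sample of a provider's /.well-known/openid-configuration document.
# provider.example is a placeholder, not a real provider.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://provider.example",
    "authorization_endpoint": "https://provider.example/o/oauth2/v2/auth",
    "token_endpoint": "https://provider.example/token",
    "response_types_supported": ["code", "token", "id_token"],
    "code_challenge_methods_supported": ["S256", "plain"],
})


def discovery_url(issuer_or_domain):
    """Turn a bare domain or an https issuer URL into its discovery URL."""
    base = issuer_or_domain if issuer_or_domain.startswith("https://") else "https://" + issuer_or_domain
    return base.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(url, timeout=10.0):
    """Fetch and validate the metadata over the network (not exercised offline)."""
    if not url.startswith("https://"):
        raise ValueError("discovery must be fetched over https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_discovery(resp.read().decode("utf-8"))


def parse_discovery(doc_json):
    """Validate the fields a mail client needs. Every endpoint the client sends a
    code or verifier to must be https, otherwise the exchange can be intercepted."""
    doc = json.loads(doc_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            raise ValueError("discovery document: missing or non-https %s" % key)
    methods = doc.get("code_challenge_methods_supported")
    if methods is not None and "S256" not in methods:
        raise ValueError("provider does not advertise PKCE S256")
    return doc


def pkce_challenge(verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh code_verifier (43 unreserved chars from 32 random bytes) and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorization_url(doc, client_id, redirect_uri, scope, state, code_challenge, login_hint=None):
    """URL the client hands to the browser. response_type=code, not token: the
    code alone is worthless without the verifier the client keeps in memory."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint
    return doc["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)


def parse_redirect(callback_url, expected_state):
    """Handle the loopback redirect (http://localhost:8011/?code=...&state=...).
    A state mismatch means this response does not belong to our request."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: %s" % query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def build_token_request(doc, code, verifier, client_id, redirect_uri):
    """Form body for the token endpoint; the verifier proves the same client started the flow."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier}
    return doc["token_endpoint"], body


if __name__ == "__main__":
    doc = parse_discovery(SAMPLE_DISCOVERY_JSON)
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorization_url(doc, "CLIENT_ID_PLACEHOLDER", "http://localhost:8011",
                                  "profile email https://mail.google.com", state, challenge))
```

The loopback listener itself (an http.server bound to 127.0.0.1:8011 that receives one GET and passes its URL to parse_redirect) is left out; what matters for the thread's question is that nothing in this flow requires the provider to connect back to the client or to a server run by the mail client's author: the browser carries the code to the loopback port, and the client then calls the token endpoint itself.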