On Thu, Jul 02, 2020 at 01:37:00PM -0500, Alexander Perlis wrote:
With the attached mutt_oauth2.py script and a corresponding app registration I successfully connected mutt to:
- Gmail account
- Microsoft consumer account (e.g., outlook.com)
- Microsoft work/school account (Office365 under an Azure organizational tenant)

Thank you Alexander. With your permission, I'll add this to the contrib directory and add a link in the manual.

Ideally the mutt maintainers create an official registration and hardcode it into the script distributed with mutt, but this is surely an unreasonable expectation once one considers all the different mail providers on the planet.

For now I'd like to stay out of that business.

Security considerations and roadmap for improvement:

You raise many interesting issues, but again for now I'm content to punt them to the script.

Ideally the tokens would be kept in an encrypted store

Many Mutt users invoke gpg for sensitive materials storage, and it might be worth allowing this for your token file too.

The Google oauth script, for instance, has the refresh token for a parameter, so one could simply store the invocation encrypted and use something like:

  set imap_oauth_refresh_command="oauth2.py `gpg --batch -q --decrypt goauth.gpg`"

to store the sensitive arguments.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
