Google and OAuth 2.0

Joshua Cranmer 🐧 Pidgeot18 at gmail.com
Fri Apr 25 20:11:19 UTC 2014


On 4/25/2014 2:31 PM, Andrew Sutherland wrote:
> On 04/25/2014 02:47 PM, Joshua Cranmer 🐧 wrote:
>> I don't disagree that external authorization mechanisms are 
>> necessarily a bad thing. However, I think that OAuth fails to be an 
>> effective mechanism:
>> 1. The mechanism is trivial to internalize: you need to be able to 
>> control an HTML form and http[s] calls manually, which isn't a 
>> terribly hard task for many applications [e.g., Thunderbird's current 
>> OAuth 2 accesses do this]. Once you internalize the authorization, 
>> you still get the username and password and effectively complete access.
>
> You receive a scoped-to-email access credential that is different from 
> the user's normal site-wide Google login credentials. Compromise of 
> the token is a pretty big deal given the importance of email, but it's 
> less bad than compromise of the entire account.  But if it is compromised:

What I mean is that the page which Google uses to ask you for your 
username and password is effectively under the control of the 
application, so it can still be possible to intercept the password.

> If you're talking about Thunderbird being careless with URIs, then 
> that sounds like a Thunderbird problem, not an oauth problem.

Thunderbird itself isn't impacted by this problem, but it is a potential 
security hole in websites if they aren't careful.

> 1) It makes sense to work with Google to avoid anyone having to 
> hardcode Google-specific paths in their app.  They provide SRV records 
> for _imaps._tcp.gmail.com, so they clearly are already trying to do this.

I'd rather see Google's documentation indicate how to discover the OAuth 
information to use instead of giving you the hard-coded strings, and I 
would like to see a solution rolled out before adding support for SASL 
OAuth2 to Thunderbird. I've been made cynical so that I don't believe 
it's going to get done until I see it get done.

-- 
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist
More information about the tb-planning mailing list