Gnome-Gmail should use OAuth instead of asking for password

Bug #991679 reported by Jorge E. Gómez
This bug affects 1 person
Affects: GNOME Gmail
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Modern desktop apps that interact with web-based ones should not ask directly for user/password, and instead should use OAuth authentication, directing the user to the Gmail page where authorization can be granted to the app.

Adam Johnson (adam-a-johnson) wrote :

I disagree. OAuth has benefits when used between websites: Streamlined account creation at OAuth subscriber sites, reduced amount of trust a user has to extend to subscriber sites, fewer passwords to memorize, one place to change those passwords (though once changed, users probably have to re-authenticate subscriber sites). I could see a benefit in having the desktop be an OAuth provider - you'd never have to send your password across the wire again, as long as you only used OAuth subscriber services, and each OAuth provider (your own machine) would have a limited number of subscribers it would have to trust at all (the services you use). Unfortunately, the DNS domain requirements for doing so are probably beyond what most users would be able to/want to do. If a distribution wanted to set up a DNS domain and appropriate home router firewall workarounds (reverse proxy, or some such) that would allow users of that distribution to easily set up their own OAuth provider for their own accounts, that might work...

Using a desktop as an OAuth subscriber does not seem to provide any of the benefits OAuth is designed to provide when used between websites. You kind of have to trust the software running on your own desktop, since it has access to your keystrokes, mouse movements, and even any encrypted data (if you ever decrypt it to use it), so you're not really reducing the trust required to be extended to the OAuth subscriber. Streamlined account creation, well, the desktop is the only OAuth subscriber being considered, so that's a moot point; you need an OAuth provider to do that for other sites anyway. The number of trust relationships between OAuth providers and OAuth subscribers instantly becomes unmanageably large, as each desktop becomes a subscriber. Google for one doesn't appear willing to take on that management nightmare, as it warns that the OAuth logins performed by GNOME 3 on Fedora 16 "claim to be from GNOME", but that Google can't verify that fact because it's running on your desktop...

Dave Steele (dsteele-gmail) wrote :

It has been using OAuth2 for some time now.

Changed in gnome-gmail:
status: New → Fix Released