[kwlug-disc] Using mutt with oauth2

Paul Nijjar paul_nijjar at yahoo.ca
Thu Aug 27 15:53:16 EDT 2020 

On Wed, Aug 26, 2020 at 02:17:34PM -0400, Chris Irwin wrote:
> On Tue, Aug 25, 2020 at 02:22:05PM -0400, Paul Nijjar via kwlug-disc wrote:
> > 
> > Welp, it looks like Yahoo! is disabling username/password
> > authentication on October 20. Guess who is freaking out now?
> 

> Not a Yahoo user, and had to do some searching to find the
> annoucment (and still only found it second-hand), but it looks like
> they're only disabling access with an account password, but that the
> app-password functionality would still exist and work?

That is correct, but they say that the app password works only so long
as you are logged in? I do not know what this means. Do I have to keep
the terrible web client open in my browser, and then load mutt so I
can actually read my mail?

Here is the help page that was linked to from the email. I can
reproduce the email as well if that is helpful. They go out of their
way to avoid mentioning any technology names, which makes
understanding what exactly is happening even more difficult. 

https://ca.help.yahoo.com/kb/new-mail-for-desktop/SLN27791.html
 
> I'd just use an app password if possible because it is equally as
> secure for a user, and compatible with existing IMAP clients. Oauth,
> on the other hand, is a user-hating anti-feature, and you're going
> to have a lot of problems with it, particularly with niche software
> like neomutt.

I am an idiot. I probably said I wanted to use IMAP to access my mail,
but in fact I use POP3. 

I am sure that Oauth is fine, but it seems both really convenient and
really inconvenient. For some reason I can use gcalcli to access
Google calendars without ever logging in, because it is doing some
Oauth2 magic. So that is nice? As no long as nobody steals my laptop?
(If you see a bunch of bizarre spammy links in Watcamp, maybe you will
know why.) 

> I've always found mutt/neomutt's IMAP functionality annoying, so I
> use mbsync to a local maildir, then run neomutt directly on the
> local maildirs. 

I had not heard of mbsync before. Maybe I should investigate.

> 
> To support OAuth, *every* IMAP provider now needs to be updated to
> support OAuth workflow (including the annoying bits like token
> renewal, etc).
> 
> However, the client supporting OAuth is only half the battle. The
> provider must also support the client. Your local mail client now
> requires an API key to identify that the *application* is
> authorized, in addition to credentials to identify yourself.

Oh wow. This sounds bad. 

Honestly, I do not like Yahoo as a mail provider, but I like Google
even less, and I have had this address for over 15 years now, and been
using it as my primary address for 13. The transition cost is going to
be high.

> 
> https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/89

Oh wow. This also sounds bad.

- Paul

-- 
Events: https://feeds.off-topic.kwlug.org 
Blog: http://pnijjar.freeshell.org

More information about the kwlug-disc mailing list