Closed favonia closed 10 months ago
I looked into doing this about a year ago when I was getting the OAuth2 dance working again. The showstopper was not code complexity, but the requirement to support the browser being on another machine. My (extremely) layman's understanding is that using PKCE suffices to mitigate the risk if oauth2.dance gets hijacked.
@junyer Thanks for the information. I was not aware that we need to support the browser on another machine...
I propose setting up a local HTTP server to grab the OAuth2 authorization token directly (instead of going through https://oauth2.dance). There are a few reasons:

- oauth2.dance is not Google (though maybe it was) and I prefer not to trust one more company.
- I understand that many non-Google OAuth2 services seem to have issues about HTTP even for localhost, and there were security concerns when you don't trust all the local programs (e.g., Android), but none of these concerns seem to apply to the primary use case of sendgmail.

Related issue: #49 (OOB no longer works)