Re: [PATCH] b4: allow using xoauth2/bearer token to authenticate to SMTP servers

[Tomas Melin <tomas.melin@vaisala.com>]

Hi,

On 06/03/2026 19:35, Dmitry Torokhov wrote:
> On Fri, Mar 06, 2026 at 12:18:45PM -0500, Konstantin Ryabitsev wrote:
>> On Fri, 06 Mar 2026 08:20:18 -0800, Dmitry Torokhov <dmitry.torokhov@gmail.com> wrote:
>>> Allow using XOAUTH2 as an authentication protocol and assume that when
>>> XOAUTH2 is specified the password is actually a bearer token (typically
>>> not stored in the config but rather returned via "git credentials".
>>>
>>> Recognize "oauth", "oauth2" as aliases for "xoauth2".
>> Hmm... we do have another series already for XOAUTH2 support:
>> https://lore.kernel.org/tools/20260205-smtp-oauth2-outlook-v2-2-6a5eb233b285@vaisala.com/
>>
>> However, it's outstanding with a few requests. I wonder if we can take
>> this one as a first patch and then build the other series on top of
>> this.
>>
>> Cc'ing Tomas on this.

Perhaps I'm missing something but this approach looks to me more like a 
workaround. I'm not seeing how it handles the oauth2 lifecycle 
expiration which is typically within hours. The other series handles 
that with a helper that will update the token transparently as needed.

I will return shortly with updates to my original series.

Thanks,

Tomas


>>
>>> diff --git a/src/b4/__init__.py b/src/b4/__init__.py
>>> index eab290b..9a5d25b 100644
>>> --- a/src/b4/__init__.py
>>> +++ b/src/b4/__init__.py
>>> @@ -4331,7 +4331,11 @@ def get_smtp(dryrun: bool = False) -> Tuple[Union[smtplib.SMTP, smtplib.SMTP_SSL
>>>                   raise smtplib.SMTPException('No password specified for connecting to %s', server)
>>>           if auser and apass:
>>>               # Let any exceptions bubble up
>>> -            smtp.login(auser, apass)
>>> +            if smtpauth in ('oauth', 'oauth2', 'xoauth2'):
>>> +                auth_str = f'user={auser}\x01auth=Bearer {apass}\x01\x01'
>>> +                smtp.auth('XOAUTH2', lambda: auth_str)
>> This is what the agent tells me about this, and it seems valid.
>>
>> smtplib.SMTP.auth() calls authobject(challenge) with a positional
>> bytes argument when the server replies 334 (the XOAUTH2 error-detail
>> challenge). Because this lambda accepts no arguments, that call
>> raises TypeError, masking the real authentication error.
> Right, I guess because of implicit initial_response_ok argument to
> smtp.auth() when I tested it the lambda was called without arguments and
> the authentication went through (with gmail).
>
>> Suggest:
>>      smtp.auth('XOAUTH2', lambda x=None: auth_str if x is None else '')
>>
>> This way the initial response (no args) returns the auth string, and
>> a 334 challenge returns an empty string so the server sends its real
>> error code.
>>
>> I'm happy to take this with this fix, but I'm also going to wait on
>> Tomas's thoughts.
> Totally fine with me.
>
> Thanks.
>