Re: [PATCH] b4: allow using xoauth2/bearer token to authenticate to SMTP servers

[Dmitry Torokhov <dmitry.torokhov@gmail.com>]

On Mon, Mar 09, 2026 at 11:50:40AM +0200, Tomas Melin wrote:
> Hi,
> 
> On 09/03/2026 09:49, Dmitry Torokhov wrote:
> > Hi Tomas,
> > 
> > On Mon, Mar 09, 2026 at 09:28:30AM +0200, Tomas Melin wrote:
> > > Hi,
> > > 
> > > On 06/03/2026 19:35, Dmitry Torokhov wrote:
> > > > On Fri, Mar 06, 2026 at 12:18:45PM -0500, Konstantin Ryabitsev wrote:
> > > > > On Fri, 06 Mar 2026 08:20:18 -0800, Dmitry Torokhov <dmitry.torokhov@gmail.com> wrote:
> > > > > > Allow using XOAUTH2 as an authentication protocol and assume that when
> > > > > > XOAUTH2 is specified the password is actually a bearer token (typically
> > > > > > not stored in the config but rather returned via "git credentials".
> > > > > > 
> > > > > > Recognize "oauth", "oauth2" as aliases for "xoauth2".
> > > > > Hmm... we do have another series already for XOAUTH2 support:
> > > > > https://lore.kernel.org/tools/20260205-smtp-oauth2-outlook-v2-2-6a5eb233b285@vaisala.com/
> > > > > 
> > > > > However, it's outstanding with a few requests. I wonder if we can take
> > > > > this one as a first patch and then build the other series on top of
> > > > > this.
> > > > > 
> > > > > Cc'ing Tomas on this.
> > > Perhaps I'm missing something but this approach looks to me more like a
> > > workaround. I'm not seeing how it handles the oauth2 lifecycle expiration
> > > which is typically within hours. The other series handles that with a helper
> > > that will update the token transparently as needed.
> > In my setup "git credential" returns bearer token that should last
> > enough for this b4 run. Next time b4 runs "git credential" will request
> > a new bearer token if previous one expired. It is not expected that the
> > token is stored in the configuration file. It looks like
> > git-credential-email behavior should also be compatible with this use.
> 
> In your case, how do you provide the new token to git credential?

git credential itself calls into configured helpers and the helper does
this. You do not need to replicate this logic in other places.

> 
> How does you .gitconfig for this look like?

global  sendemail.smtpserver smtp.gmail.com
global  sendemail.smtpserverport 587
global  sendemail.smtpencryption tls
global  sendemail.smtpuser dmitry.torokhov@gmail.com
global  sendemail.thread true
global  sendemail.bcc dmitry.torokhov@gmail.com
global  sendemail.suppresscc self
global  credential.helper cache --timeout=3000
global  credential.helper local-helper
local   sendemail.smtpuser dmitry.torokhov@gmail.com
local   sendemail.smtpauth XOAUTH2
local   sendemail.bcc dmitry.torokhov@gmail.com

The local-helper is a custom python script that behaves similarly to the
gmail credential helper, but the difference that it supports different
credential stores - either based on secret storage API or GPG-based so I
can move my configuration between a headless workstation, a VM, or my
laptop easily.

The beauty of credential helpers is that if they do not know how to
handle the request they simply skip it so that the next one might be
able to resolve it.

> 
> > However looking at your patch I do not understand why you want to parse
> > configuration and run the helpers directly instead of having "git
> > credential" return the data for you and rely on it to figure out what
> > helper to use and how. It gets protocol, username, and host and should
> > be able to figure out what should be returned. It is not b4's role to
> > interact directly with git helpers.
> 
> git-send-email also requires similar integration with external helpers
> https://git-scm.com/docs/git-send-email#_sending_patches

No, it says that git-send-email makes use of "git credential", it does
not say that it calls out directly to any helpers. In fact, this is
git-send-email code:

	$auth = Git::credential({
		'protocol' => 'smtp',
		'host' => smtp_host_string(),
		'username' => $smtp_authuser,
		# if there's no password, "git credential fill" will
		# give us one, otherwise it'll just pass this one.
		'password' => $smtp_authpass
	}, sub {
		my $cred = shift;
		my $result;
		my $error;

		# catch all SMTP auth error in a unified eval block
		eval {
			if ($smtp_auth) {
				my $sasl = Authen::SASL->new(
					mechanism => $smtp_auth,
					callback => {
						user     => $cred->{'username'},
						pass     => $cred->{'password'},
						authname => $cred->{'username'},
					}
				);
				$result = $smtp->auth($sasl);
			} else {
				$result = $smtp->auth($cred->{'username'}, $cred->{'password'});
			}
			1; # ensure true value is returned if no exception is thrown
		} or do {
			$error = $@ || 'Unknown error';
		};

		return ($error
			? handle_smtp_error($error)
			: ($result ? 1 : 0));
	});

As you can see it does exactly what my patch does: it calls to "git
credential" and expects something resolving a secret (password) in
return. Then XOAUTH2.pm SASL module takes that secret and produces
that "user=$username\001auth=Bearer $token\001\001" string that is
needed to authenticate.

BTW, I am not sure why you are using smtp.docmd() and not smtp.auth()...

Thanks.

-- 
Dmitry