Bug 738995 - Unable to authenticate using access tokens
Status: RESOLVED WONTFIX
Product: gnome-online-accounts
Classification: Core
Component: general
Version: unspecified
Hardware: Other
OS: All
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: GNOME Online Accounts maintainer(s)
Depends on:
Blocks:
Reported: 2014-10-22 08:59 UTC by ubuntumuntu
Modified: 2017-05-29 15:39 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description ubuntumuntu 2014-10-22 08:59:02 UTC
Stock Fedora 20 & Ubuntu 14.04

I've enabled 2-factor authentication (2FA) on as many online services as I could.

This now enables me to create per-application authentication tokens, and specify what resources the client has access to & selectively revoke in the case of a suspected breach or critical vuln in any client.

Google: https://support.google.com/accounts/answer/185833?hl=en
FaceBook: https://developers.facebook.com/docs/facebook-login/access-tokens
etc

Unfortunately I am unable to authenticate my "online accounts" with my actual online accounts, as this requires me to actually provide my own 'master' authentication creds (at least it asks for my 2FA), thereby potentially exposing my critical online services to any potential vulnerability or bugs in clients.

I'm making a real effort to apply best-practices (bordering on the paranoid), such as YubiKey HMAC-SHA1 challenge-response and/or GAuth for login, so simply dropping my 'master logins' simply seems like an outdated method of ensuring good security hygiene.
Comment 1 Debarshi Ray 2017-05-29 15:39:08 UTC
It sounds as if you don't want to use OAuth2 access tokens to authenticate to your online accounts.

When you enter your username and master password in the embedded web view and go through the second factor authentication, the online service provider issues an OAuth2 access token. This is saved (encrypted if you don't use auto-login), not your master password. Later you can revoke access to GNOME by logging into the service provider's web UI.

I understand the desire to compartmentalize different applications. Unfortunately, application-specific passwords aren't ideal. They require the user to actually generate and remember multiple passwords, which makes it too cumbersome to use them.

I think the better way to deal with this is to work on an online-accounts portal for Flatpak. It will prevent applications from getting access to the common OAuth access token unless the user has explicitly permitted them. This has the advantage of being convenient while still being defensive against buggy and rogue applications.

Of course, if your computer is stolen, then you'd have to revoke access through the web UI.

Please feel free to re-open if you think that I have misunderstood your problem.
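The flow Comment 1 describes (master password plus second factor are entered at the provider, only a scoped per-client token comes back, and the provider can revoke that client later without touching the password) modelled as a toy exchange between both sides. This is an added example written for this page; it is not gnome-online-accounts code, does not talk to any real provider, and every name, user and secret in it is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real accounts): one user registered at the
# toy "service provider" with a password and a shared second-factor secret.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_OTP_SECRET = b"constructed-otp-secret"


def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (HMAC-SHA1 over a counter), standing in for an
    authenticator app or challenge-response hardware token."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Provider:
    """Toy online service: stores password hashes, checks the second factor,
    and issues per-client, scoped, individually revocable tokens."""

    def __init__(self):
        self._users = {}    # username -> (salt, password hash, otp secret)
        self._tokens = {}   # token -> {"user", "client", "scopes", "revoked"}
        self._counter = 0   # HOTP counter shared with the user's second factor

    def register(self, username, password, otp_secret):
        salt = secrets.token_bytes(16)
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, h, otp_secret)

    def _authenticate(self, username, password, otp):
        record = self._users.get(username)
        if record is None:
            return False
        salt, h, otp_secret = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, h):
            return False
        return hmac.compare_digest(otp, otp_code(otp_secret, self._counter))

    def issue_token(self, username, password, otp, client_id, scopes):
        """What happens inside the embedded web view: the master password and
        second factor go to the provider; only a scoped token comes back."""
        if not self._authenticate(username, password, otp):
            raise PermissionError("authentication failed")
        self._counter += 1  # a used one-time code cannot be replayed
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": username, "client": client_id,
                               "scopes": frozenset(scopes), "revoked": False}
        return token

    def revoke_client(self, username, client_id):
        """The 'revoke access in the provider's web UI' step: invalidates that
        client's tokens without changing the password or other clients."""
        revoked = 0
        for rec in self._tokens.values():
            if rec["user"] == username and rec["client"] == client_id and not rec["revoked"]:
                rec["revoked"] = True
                revoked += 1
        return revoked

    def api_call(self, token, scope):
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"]:
            return "401 invalid or revoked token"
        if scope not in rec["scopes"]:
            return "403 scope not granted"
        return f"200 {scope} for {rec['user']}"


class DesktopClient:
    """Toy desktop account integration: it keeps the token, never the password."""
    CLIENT_ID = "example-desktop-client"  # constructed identifier

    def __init__(self):
        self.stored = None  # a real client would keep this in an encrypted keyring

    def sign_in(self, provider, username, password, otp, scopes):
        # Credentials pass through to the provider; only the token is retained.
        self.stored = provider.issue_token(username, password, otp, self.CLIENT_ID, scopes)

    def fetch(self, provider, scope):
        return provider.api_call(self.stored, scope)


def demo():
    provider = Provider()
    provider.register(SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_OTP_SECRET)
    client = DesktopClient()
    code = otp_code(SAMPLE_OTP_SECRET, 0)  # the user's current second-factor code
    client.sign_in(provider, SAMPLE_USER, SAMPLE_PASSWORD, code, ["mail.read"])
    results = {
        "client_holds_password": client.stored == SAMPLE_PASSWORD,
        "granted": client.fetch(provider, "mail.read"),
        "out_of_scope": client.fetch(provider, "contacts.write"),
    }
    provider.revoke_client(SAMPLE_USER, DesktopClient.CLIENT_ID)
    results["after_revoke"] = client.fetch(provider, "mail.read")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the separation the comment relies on: the client object ends up holding only an opaque token limited to the scopes it asked for, a request outside those scopes is refused, and revoking the client at the provider cuts it off while the user's password and any other client's tokens are untouched. The second-factor counter advances on each successful sign-in, so a captured one-time code cannot be reused to mint another token.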