[Bug 297499] New: MSN+XMPP auth doesn't request refresh token (used to get a new access token if the saved one has expired)

JR zorael at gmail.com
Thu Apr 5 00:00:51 BST 2012


https://bugs.kde.org/show_bug.cgi?id=297499

            Bug ID: 297499
          Severity: normal
           Version: git-latest
          Priority: NOR
          Assignee: kde-telepathy-bugs at kde.org
           Summary: MSN+XMPP auth doesn't request refresh token (used to
                    get a new access token if the saved one has expired)
    Classification: Unclassified
                OS: Linux
          Reporter: zorael at gmail.com
          Hardware: Compiled Sources
            Status: UNCONFIRMED
         Component: auth-handler
           Product: telepathy

When you log in to an MSN account using KDE Telepathy, a web form opens
displaying a Windows Live login screen. Upon entering your credentials you're
led to a page where you consent to letting KDE Telepathy use your account, and
upon doing this ktp-auth-handler obtains an access token -- like a session ID.
This is then saved in your wallet.

This access token can be used to connect to the account for a short period of
time (3600 seconds or so, according to drdanz on #kde-telepathy) before it
expires. The account may technically (?) still stay online indefinitely, but
you cannot reconnect without having a fresh and valid token.

The XMPP authentication API supports several scopes[1] of permissions (think
read/write/execute), and what level of access is granted to the client program
when logging in (and consenting in the following window) depends on what scopes
are specified in the request URL in the code
(ktp-auth-handler/x-messenger-oauth2-prompt.cpp). For the access token with
which we're logging in with XMPP and need permission to send/receive messages
etc, the scope is simply called wl.messenger.

As mentioned above the access token rapidly expires, and KDE Telepathy cannot
reconnect without the user logging in (and consenting again) if connection is
lost for whatever reason after token expiry. However, there exists another
scope called wl.offline_access, with which we would obtain a refresh token.
These can be used to automatically obtain new access tokens when needed,
without requiring any user intervention.

> The wl.offline_access scope enables an app to read and update
> a user's info at any time. Without this scope, an app can access
> the user's info only while the user is signed in to Live Connect
> and is using the app.

KDE Telepathy's auth-handler should be requesting this token. This would
prevent cases such as when the user comes home from work and returns to his
machine, only to notice that his IM protocol has been offline since breakfast
after a brief router hiccup.

Please see the following links for more information (largely gathered by
googling "live xmpp refresh token"):
https://trac.gajim.org/ticket/6978#comment:19
http://www.theleagueofpaul.com/messenger-over-xmpp-refresh-tokens


[1]: http://msdn.microsoft.com/en-us/library/live/hh243649.aspx

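The reconnect logic this report asks for, as an added example in standard C++ (not code from ktp-auth-handler or from the reporter): the scope value requests wl.offline_access alongside wl.messenger, and a saved token is reused, refreshed silently, or replaced through a new login prompt. SavedToken, nextStep, scopeParam, refreshBody and urlEncode are hypothetical names, the 60-second skew is an assumed value, and refreshBody carries only the RFC 6749 core fields, so any extra fields a provider requires are not shown.

```cpp
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Percent-encode a value for a URL query or form body (RFC 3986 unreserved set kept).
std::string urlEncode(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') out += static_cast<char>(c);
        else { out += '%'; out += hex[c >> 4]; out += hex[c & 15]; }
    }
    return out;
}

// OAuth 2.0 scopes travel as one space-separated value (RFC 6749, section 3.3).
std::string scopeParam(const std::vector<std::string> &scopes) {
    std::string joined;
    for (const auto &s : scopes) joined += (joined.empty() ? "" : " ") + s;
    return "scope=" + urlEncode(joined);
}

struct SavedToken {            // hypothetical record kept in the wallet per account
    std::string accessToken;
    std::string refreshToken;  // empty unless wl.offline_access was granted
    std::int64_t expiresAt;    // Unix time at which accessToken expires
};

enum class NextStep { UseAccessToken, RefreshSilently, PromptUser };

// Decide how to reconnect; skew treats a token about to expire as already expired.
NextStep nextStep(const SavedToken &t, std::int64_t now, std::int64_t skew = 60) {
    if (!t.accessToken.empty() && now + skew < t.expiresAt) return NextStep::UseAccessToken;
    if (!t.refreshToken.empty()) return NextStep::RefreshSilently;
    return NextStep::PromptUser;  // the situation described in the report
}

// Form body of the refresh_token grant (RFC 6749, section 6), core fields only.
std::string refreshBody(const std::string &clientId, const std::string &refreshToken) {
    return "grant_type=refresh_token&client_id=" + urlEncode(clientId) +
           "&refresh_token=" + urlEncode(refreshToken);
}

int main() {
    SavedToken t{"constructed-access", "", 1333580451 + 3600};  // constructed sample, no refresh token
    std::cout << scopeParam({"wl.messenger", "wl.offline_access"}) << "\n"
              << (nextStep(t, t.expiresAt + 1) == NextStep::PromptUser) << "\n";
}
```

A refresh token outlives the access token by design, so it needs the same protected storage the access token already gets.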