Bug 297499

Summary: MSN+XMPP auth doesn't request refresh token (used to get a new access token if the saved one has expired)
Product: [Unmaintained] telepathy
Reporter: JR <zorael>
Component: auth-handler
Assignee: Daniele E. Domenichelli <ddomenichelli>
Status: RESOLVED INTENTIONAL    
Severity: normal
CC: ddomenichelli, heri+kde, kde, mklapetek, zorael
Priority: HI    
Version: git-latest   
Target Milestone: 0.6-next   
Platform: Compiled Sources   
OS: Linux   

Description JR 2012-04-04 23:00:51 UTC
When you log in to an MSN account using KDE Telepathy, a web form opens displaying a Windows Live login screen. Upon entering your credentials you're led to a page where you consent to letting KDE Telepathy use your account, and upon doing this ktp-auth-handler obtains an access token -- like a session ID. This is then saved in your wallet.

This access token can be used to connect to the account for a short period of time (3600 seconds or so, according to drdanz on #kde-telepathy) before it expires. The account may technically (?) still stay online indefinitely, but you cannot reconnect without having a fresh and valid token.

The XMPP authentication API supports several scopes[1] of permissions (think read/write/execute), and what level of access is granted to the client program when logging in (and consenting in the following window) depends on what scopes are specified in the request URL in the code (ktp-auth-handler/x-messenger-oauth2-prompt.cpp). For the access token with which we're logging in with XMPP and need permission to send/receive messages etc, the scope is simply called wl.messenger.

As mentioned above the access token rapidly expires, and KDE Telepathy cannot reconnect without the user logging in (and consenting again) if connection is lost for whatever reason after token expiry. However, there exists another scope called wl.offline_access, with which we would obtain a refresh token. These can be used to automatically obtain new access tokens when needed, without requiring any user intervention.

> The wl.offline_access scope enables an app to read and update
> a user's info at any time. Without this scope, an app can access
> the user's info only while the user is signed in to Live Connect
> and is using the app.

KDE Telepathy's auth-handler should be requesting this token. This would prevent cases such as when the user comes home from work and returns to his machine, only to notice that his IM protocol has been offline since breakfast after a brief router hiccup.

Please see the following links for more information (largely gathered by googling "live xmpp refresh token"):
https://trac.gajim.org/ticket/6978#comment:19
http://www.theleagueofpaul.com/messenger-over-xmpp-refresh-tokens


[1]: http://msdn.microsoft.com/en-us/library/live/hh243649.aspx
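
Added example (not part of the original report and not ktp-auth-handler code): a plain C++ sketch of the token lifecycle the description above asks for, requesting both scopes and choosing between reuse, silent refresh and a new prompt. It assumes the provider follows the RFC 6749 refresh grant; all function and type names are hypothetical, and the client ID and token values are constructed placeholders.

```cpp
// Added example: names are hypothetical, token and client values are constructed.
#include <cctype>
#include <cstdio>
#include <ctime>
#include <string>
#include <vector>

// Percent-encode everything outside the RFC 3986 unreserved set.
std::string urlEncode(const std::string &in) {
    std::string out;
    char buf[4];
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') { out += char(c); continue; }
        std::snprintf(buf, sizeof buf, "%%%02X", static_cast<unsigned>(c));
        out += buf;
    }
    return out;
}

// Scopes travel as one space-separated "scope" parameter in the request URL.
std::string scopeParam(const std::vector<std::string> &scopes) {
    std::string joined;
    for (const auto &s : scopes) joined += (joined.empty() ? "" : " ") + s;
    return "scope=" + urlEncode(joined);
}

struct TokenSet {
    std::string accessToken;
    std::string refreshToken; // empty when wl.offline_access was never requested
    std::time_t expiresAt;    // issue time + expires_in
};
enum class Step { UseAccessToken, RefreshSilently, PromptUser };

// Decide what a reconnect needs; skew avoids presenting a token about to expire.
Step nextStep(const TokenSet &t, std::time_t now, std::time_t skew = 60) {
    if (!t.accessToken.empty() && now + skew < t.expiresAt) return Step::UseAccessToken;
    if (!t.refreshToken.empty()) return Step::RefreshSilently;
    return Step::PromptUser; // the behaviour reported here: web form and consent again
}

// Form body for the refresh grant (RFC 6749 section 6), POSTed over TLS to the token endpoint.
std::string refreshRequestBody(const std::string &clientId, const std::string &refreshToken) {
    return "grant_type=refresh_token&client_id=" + urlEncode(clientId) +
           "&refresh_token=" + urlEncode(refreshToken);
}

int main() {
    TokenSet saved{"constructed-access", "constructed-refresh", 3600};
    std::puts(scopeParam({"wl.messenger", "wl.offline_access"}).c_str());
    if (nextStep(saved, 7200) == Step::RefreshSilently)
        std::puts(refreshRequestBody("CLIENT_ID_PLACEHOLDER", saved.refreshToken).c_str());
}
```

A refresh token outlives the access token, so it belongs in the same wallet storage and should never be written to logs.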

Comment 1 Daniele E. Domenichelli 2012-04-05 18:04:18 UTC
I'm taking this

Comment 2 David Edmundson 2012-05-17 10:49:14 UTC
Deferring to 0.5

Comment 3 Martin Klapetek 2013-04-11 11:31:13 UTC
Is it still worth dealing with this given MSN is effectively dead?

Comment 4 David Edmundson 2013-04-11 11:34:24 UTC
More importantly when we use Single Sign On Daemon, we get this fixed.

Comment 5 Martin Klapetek 2013-04-11 11:40:55 UTC
Given DrDanz is now preoccupied with real life things and that SSO will happen soon and that MSN is no more, I'm closing this bug here.