297499 – MSN+XMPP auth doesn't request refresh token (used to get a new access token if the saved one has expired)

Bug 297499 - MSN+XMPP auth doesn't request refresh token (used to get a new access token if the saved one has expired)

Summary: MSN+XMPP auth doesn't request refresh token (used to get a new access token i...

Status:	RESOLVED INTENTIONAL

Alias:	None

Product:	telepathy
Classification:	Frameworks and Libraries
Component:	auth-handler (show other bugs)
Version:	git-latest
Platform:	Compiled Sources Linux

Importance:	HI normal
Target Milestone:	0.6-next
Assignee:	Daniele E. Domenichelli

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-04-04 23:00 UTC by JR
Modified:	2013-04-11 11:40 UTC (History)
CC List:	5 users (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description JR 2012-04-04 23:00:51 UTC

When you log in to an MSN account using KDE Telepathy, a web form opens displaying a Windows Live login screen. Upon entering your credentials you're lead to a page where you consent to letting KDE Telepathy use your account, and upon doing this ktp-auth-handler obtains an access token -- like a session ID. This is then saved in your wallet.

This access token can be used to connect to the account for a short period of time (3600 seconds or so, according to drdanz on #kde-telepathy) before it expires. The account may technically (?) still stay online indefinitely, but you cannot reconnect without having a fresh and valid token.

The XMPP authentication API supports several scopes[1] of permissions (think read/write/execute), and what level of access is granted to the client program when logging in (and consenting in the following window) depends on what scopes are specifed in the request URL in the code (ktp-auth-handler/x-messenger-oauth2-prompt.cpp). For the access token with which we're logging in with XMPP and need permission to send/receive messages etc, the scope is simply called wl.messenger.

As mentioned above the access token rapidly expires, and KDE Telepathy cannot reconnect without the user logging in (and consenting again) if connection is lost for whatever reason after token expiry. However, there exists another scope called wl.offline_access, with which we would obtain a refresh token. These can be used to automatically obtain new access tokens when needed, without requiring any user intervention.

> The wl.offline_access scope enables an app to read and update
> a user's info at any time. Without this scope, an app can access
> the user's info only while the user is signed in to Live Connect
> and is using the app.

KDE Telepathy's auth-handler should be requesting this token. This would prevent cases such as when the user comes home from work and returns to his machine, only to notice that his IM protocol has been offline since breakfast after a brief router hiccup.

Please see the following links for more information (largely gathered by googling "live xmpp refresh token");
https://trac.gajim.org/ticket/6978#comment:19
http://www.theleagueofpaul.com/messenger-over-xmpp-refresh-tokens


[1]: http://msdn.microsoft.com/en-us/library/live/hh243649.aspx

Comment 1 Daniele E. Domenichelli 2012-04-05 18:04:18 UTC

I'm taking this

Comment 2 David Edmundson 2012-05-17 10:49:14 UTC

Deferring to 0.5

Comment 3 Martin Klapetek 2013-04-11 11:31:13 UTC

Is it still worth dealing with this given MSN is effectively dead?

Comment 4 David Edmundson 2013-04-11 11:34:24 UTC

More importantly when we use Single Sign On Daemon, we get this fixed.

Comment 5 Martin Klapetek 2013-04-11 11:40:55 UTC

Given DrDanz is now preoccupied with real life things and that SSO will happen soon and that MSN is no more, I'm closing this bug here.