oauth: select auth scheme (XOAUTH2 vs OAUTHBEARER) (#9289)

composer.json

@@ -10,8 +10,8 @@
         "pear/auth_sasl": "~1.1.0",
         "pear/crypt_gpg": "~1.6.3",
         "pear/mail_mime": "~1.10.11",
-        "pear/net_sieve": "~1.4.5",
-        "pear/net_smtp": "~1.10.0",
+        "pear/net_sieve": "~1.4.7",
+        "pear/net_smtp": "~1.12.0",
         "pear/pear-core-minimal": "~1.10.1",
         "roundcube/plugin-installer": "~0.3.5",
         "roundcube/rtf-html-php": "^2.1"

program/include/rcmail_oauth.php

@@ -39,10 +39,8 @@ class rcmail_oauth
 
     public const JWKS_CACHE_TTL = 30; // TTL for JWKS (in seconds)
 
-    // prepare the OAUTHBEARER which is now the official protocol (rfc 7628)
-    // but currently implement mostly the formal XOAUTH2
-    /** @var string */
-    protected $auth_type = 'XOAUTH2';
+    /** @var string XOAUTH2, OAUTHBEAER, OAUTH=choose the supported method */
+    protected $auth_type = 'OAUTH';
 
     /** @var rcmail */
     protected $rcmail;
@@ -991,13 +989,11 @@ public function storage_init($options)
         }
 
         if ($this->login_phase) {
-            // enforce OAUTHBEARER/XOAUTH2 authorization type
             $options['auth_type'] = $this->auth_type;
         } elseif (isset($_SESSION['oauth_token'])) {
             if ($this->check_token_validity($_SESSION['oauth_token']) === self::TOKEN_REFRESHED) {
                 $options['password'] = $this->rcmail->decrypt($_SESSION['password']);
             }
-            // enforce OAUTHBEARER/XOAUTH2 authorization type
             $options['auth_type'] = $this->auth_type;
         }
 
@@ -1025,7 +1021,6 @@ public function smtp_connect($options)
             // check token validity
             $this->check_token_validity($_SESSION['oauth_token']);
 
-            // enforce OAUTHBEARER/XOAUTH2 authorization type
             $options['smtp_user'] = '%u';
             $options['smtp_pass'] = '%p';
             $options['smtp_auth_type'] = $this->auth_type;
@@ -1046,7 +1041,6 @@ public function managesieve_connect($options)
         if (isset($_SESSION['oauth_token'])) {
             // check token validity
             $this->check_token_validity($_SESSION['oauth_token']);
-            // enforce OAUTHBEARER/XOAUTH2 authorization type
             $options['auth_type'] = $this->auth_type;
         }
 

program/lib/Roundcube/rcube_imap_generic.php

@@ -931,14 +931,19 @@ public function connect($host, $user, $password, $options = [])
         $result = null;
 
         // check for supported auth methods
-        if (!$auth_method || $auth_method == 'CHECK') {
+        if (!$auth_method || $auth_method === 'CHECK' || $auth_method === 'OAUTH') {
             if ($auth_caps = $this->getCapability('AUTH')) {
                 $auth_methods = $auth_caps;
             }
 
             // Use best (for security) supported authentication method
             $all_methods = ['DIGEST-MD5', 'CRAM-MD5', 'CRAM_MD5', 'PLAIN', 'LOGIN'];
 
+            // special case of OAUTH, use the supported method
+            if ($auth_method === 'OAUTH') {
+                $all_methods = ['OAUTHBEARER', 'XOAUTH2'];
+            }
+
             if (!empty($this->prefs['gssapi_cn'])) {
                 array_unshift($all_methods, 'GSSAPI');
             }