* Expansion of the configuration screen for XOAUTH2 to include

     username, and tenant.

   * If a user has more than one client-id for a service, Alpine tries to
     asks the user which client-id to use and associates that client-id to
     the credentials in the XOAUTH2 configuration screen.

6 files changed, 137 insertions, 47 deletions

diff --git a/imap/src/c-client/auth_bea.c b/imap/src/c-client/auth_bea.c
index bf5c9c1..66604a3 100644
--- a/imap/src/c-client/auth_bea.c
+++ b/imap/src/c-client/auth_bea.c
@@ -121,21 +121,9 @@ long auth_oauthbearer_client (authchallenge_t challenger,authrespond_t responder
 		+ strlen(BEARER_HOST) + strlen(mb->orighost) + 1
 		+ strlen(BEARER_PORT) + strlen(ports) + 1
 		+ strlen(OAUTH2_BEARER) + strlen(oauth2.access_token) + 2;
-      t = response = (char *) fs_get (rlen);
-      for (u = BEARER_ACCOUNT; *u; *t++ = *u++);
-      for (u = user; *u; *t++ = *u++);
-      *t++ = ',';
-      *t++ = '\001';		/* delimiting ^A */
-      for (u = BEARER_HOST; *u; *t++ = *u++);
-      for (u = mb->orighost; *u; *t++ = *u++);
-      *t++ = '\001';		/* delimiting ^A */
-      for (u = BEARER_PORT; *u; *t++ = *u++);
-      for (u = ports; *u; *t++ = *u++);
-      *t++ = '\001';		/* delimiting ^A */
-      for (u = OAUTH2_BEARER; *u; *t++ = *u++);
-      for (u = oauth2.access_token; *u; *t++ = *u++);
-      *t++ = '\001';		/* delimiting ^A */
-      *t++ = '\001';		/* delimiting ^A */
+      response = (char *) fs_get (rlen+1);
+      sprintf(response, "%s%s,\001%s%s\001%s%s\001%s%s\001\001", BEARER_ACCOUNT, user,
+		BEARER_HOST, mb->orighost, BEARER_PORT, ports, OAUTH2_BEARER, oauth2.access_token);
       if ((*responder) (stream,base,response,rlen)) {
 	if ((challenge = (*challenger) (stream,&clen)) != NULL)
 	  fs_give ((void **) &challenge);
@@ -159,6 +147,9 @@ long auth_oauthbearer_client (authchallenge_t challenger,authrespond_t responder
       fs_give ((void **) &response);
     }
   }
+  if(oauth2.param[OA2_Id].value) fs_give((void **) &oauth2.param[OA2_Id].value);
+  if(oauth2.param[OA2_Secret].value) fs_give((void **) &oauth2.param[OA2_Secret].value);
+  if(oauth2.param[OA2_Tenant].value) fs_give((void **) &oauth2.param[OA2_Tenant].value);
   if (!ret || !oauth2.name)
       *trial = 65535; 			/* don't retry if bad protocol */
   return ret;
diff --git a/imap/src/c-client/auth_oa2.c b/imap/src/c-client/auth_oa2.c
index 6998755..f5345bf 100644
--- a/imap/src/c-client/auth_oa2.c
+++ b/imap/src/c-client/auth_oa2.c
@@ -140,15 +140,8 @@ long auth_oauth2_client (authchallenge_t challenger,authrespond_t responder, cha
     else {
       unsigned long rlen = strlen(OAUTH2_USER) + strlen(user)
 			+ strlen(OAUTH2_BEARER) + strlen(oauth2.access_token) + 1 + 2;
-      char *response = (char *) fs_get (rlen);
-      char *t = response;	/* copy authorization id */
-      for (u = OAUTH2_USER; *u; *t++ = *u++);
-      for (u = user; *u; *t++ = *u++);
-      *t++ = '\001';		/* delimiting ^A */
-      for (u = OAUTH2_BEARER; *u; *t++ = *u++);
-      for (u = oauth2.access_token; *u; *t++ = *u++);
-      *t++ = '\001';		/* delimiting ^A */
-      *t++ = '\001';		/* delimiting ^A */
+      char *response = (char *) fs_get (rlen + 1);
+      sprintf(response, "%s%s\001%s%s\001\001", OAUTH2_USER, user, OAUTH2_BEARER, oauth2.access_token);
       if ((*responder) (stream,base,response,rlen)) {
 	if ((challenge = (*challenger) (stream,&clen)) != NULL)
 	  fs_give ((void **) &challenge);
@@ -172,6 +165,9 @@ long auth_oauth2_client (authchallenge_t challenger,authrespond_t responder, cha
       fs_give ((void **) &response);
     }
   }
+  if(oauth2.param[OA2_Id].value) fs_give((void **) &oauth2.param[OA2_Id].value);
+  if(oauth2.param[OA2_Secret].value) fs_give((void **) &oauth2.param[OA2_Secret].value);
+  if(oauth2.param[OA2_Tenant].value) fs_give((void **) &oauth2.param[OA2_Tenant].value);
   if (!ret || !oauth2.name)
       *trial = 65535; 			/* don't retry if bad protocol */
   return ret;
diff --git a/imap/src/c-client/http.h b/imap/src/c-client/http.h
index 621e7c4..41b1684 100644
--- a/imap/src/c-client/http.h
+++ b/imap/src/c-client/http.h
@@ -73,6 +73,7 @@ typedef struct http_header_data_s {
 #define HTTP_1_1_VERSION	"HTTP/1.1"
 #define HTTP_OK			200
 #define HTTP_BAD		400
+#define HTTP_UNAUTHORIZED	401
 
 #define GET_HTTPPORT (long) 490
 #define SET_HTTPPORT (long) 491
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index f74d889..eb8f013 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -1929,6 +1929,7 @@ int PFLUSH (void);
 
 typedef enum {OA2_Id = 0,
 	      OA2_Secret,
+	      OA2_Tenant,
 	      OA2_Code,
 	      OA2_RefreshToken,
 	      OA2_Scope,
@@ -1986,10 +1987,21 @@ typedef struct deviceproc_s {
   char code_wait;		/* code to say keep waiting */
 } OAUTH2_DEVICEPROC_S;
 
+typedef struct xoauth_default_s {
+   unsigned char *name;
+   char *client_id;
+   char *client_secret;
+   char *tenant;
+   char *users;
+} XOAUTH2_INFO_S;
+
 /* Supporting external functions for XOAUTH2 and OAUTHBEARER */
 typedef char *(*oauth2getaccesscode_t) (unsigned char *, char *, OAUTH2_S *, int *);
-typedef void (*oauth2clientinfo_t)(unsigned char *name, char **id, char **secret);
+typedef XOAUTH2_INFO_S *(*oauth2clientinfo_t)(unsigned char *name, char *user);
 typedef void (*oauth2deviceinfo_t)(OAUTH2_S *, char *method);
 void mm_login_oauth2_c_client_method (NETMBX *, char *, char *, OAUTH2_S *, unsigned long, int *);
 char *oauth2_generate_state(void);
 void oauth2deviceinfo_get_accesscode(void *, void *);
+XOAUTH2_INFO_S *new_xoauth2_info(void);
+void    free_xoauth2_info(XOAUTH2_INFO_S **);
+XOAUTH2_INFO_S *copy_xoauth2_info(XOAUTH2_INFO_S *);
diff --git a/imap/src/c-client/oauth2_aux.c b/imap/src/c-client/oauth2_aux.c
index a23f7c2..88ee52a 100644
--- a/imap/src/c-client/oauth2_aux.c
+++ b/imap/src/c-client/oauth2_aux.c
@@ -53,6 +53,7 @@ char *oauth2_generate_state(void)
 
 
 JSON_S *oauth2_json_reply(OAUTH2_SERVER_METHOD_S, OAUTH2_S *, int *);
+char *xoauth2_server(char *, char *);
 
 #define LOAD_HTTP_PARAMS(X, Y)	{				\
      int i;							\
@@ -64,20 +65,60 @@ JSON_S *oauth2_json_reply(OAUTH2_SERVER_METHOD_S, OAUTH2_S *, int *);
      (Y)[i].name = (Y)[i].value = NULL;				\
 }
 
+char *xoauth2_server(char *server, char *tenant)
+{
+    char *rv = NULL;
+    char *s;
+
+    if (server == NULL) return NULL;
+
+    s = cpystr(server);
+    if(tenant){
+	char *t = s, *u;
+	int i;
+	for(i = 0; t != NULL; i++){
+	   t = strchr(t, '\001');
+	   if(t != NULL) t++;
+	}
+	rv = fs_get((strlen(s) + i*(strlen(tenant)-1) + 1)*sizeof(char));
+	*rv = '\0';
+	for(u = t = s; t != NULL; i++){
+	   t = strchr(t, '\001');
+	   if (t != NULL) *t = '\0';
+	   strcat(rv, u);
+	   if(t != NULL){
+	      strcat(rv, tenant);
+	      *t++ = '\001';
+	   }
+	   u = t;
+	}
+
+    }
+    else
+      rv = cpystr(server);
+
+    return rv;
+}
+
 JSON_S *oauth2_json_reply(OAUTH2_SERVER_METHOD_S RefreshMethod, OAUTH2_S *oauth2, int *status)
 {
     JSON_S *json = NULL;
     HTTP_PARAM_S params[OAUTH2_PARAM_NUMBER];
     unsigned char *s;
+    char *server = NULL;
 
     LOAD_HTTP_PARAMS(RefreshMethod, params);
     *status = 0;
+    server = xoauth2_server(RefreshMethod.urlserver, oauth2->param[OA2_Tenant].value);
     if(strcmp(RefreshMethod.name, "POST") == 0
-	&& ((s = http_post_param(RefreshMethod.urlserver, params, status)) != NULL)){
+	&& ((s = http_post_param(server, params, status)) != NULL)){
 	unsigned char *u = s;
 	json = json_parse(&u);
 	fs_give((void **) &s);
     }
+    if(server)
+	fs_give((void **) &server);
+
     return json;
 }
 
@@ -92,11 +133,16 @@ mm_login_oauth2_c_client_method (NETMBX *mb, char *user, char *method,
 
    if(oauth2->param[OA2_Id].value == NULL
 	|| (oauth2->require_secret && oauth2->param[OA2_Secret].value == NULL)){
+     XOAUTH2_INFO_S *x;
      oauth2clientinfo_t ogci =
 		(oauth2clientinfo_t) mail_parameters (NIL, GET_OA2CLIENTINFO, NIL);
 
-     if(ogci) (*ogci)(oauth2->name, &oauth2->param[OA2_Id].value,
-				&oauth2->param[OA2_Secret].value);
+     if(ogci && (x = (*ogci)(oauth2->name, user)) != NULL){
+	 oauth2->param[OA2_Id].value = cpystr(x->client_id);
+	 oauth2->param[OA2_Secret].value = x->client_secret ? cpystr(x->client_secret) : NULL;
+	 oauth2->param[OA2_Tenant].value = x->tenant ? cpystr(x->tenant) : NULL;
+	 free_xoauth2_info(&x);
+     }
    }
 
    if(oauth2->param[OA2_Id].value == NULL
@@ -157,24 +203,34 @@ mm_login_oauth2_c_client_method (NETMBX *mb, char *user, char *method,
    /* else check if we have a refresh token, and in that case use it */
 
    if(oauth2->param[OA2_RefreshToken].value){
-
      json = oauth2_json_reply(oauth2->server_mthd[OA2_GetAccessTokenFromRefreshToken], oauth2, &status);
 
      if(json != NULL){
 	JSON_X *jx;
 
-	jx = json_body_value(json, "access_token");
-	if(jx && jx->jtype == JString)
-	   oauth2->access_token = cpystr((char *) jx->value);
+	switch(status){
+	   case HTTP_UNAUTHORIZED:
+			mm_log("Client not authorized (wrong client-id?)", ERROR);
+			break;
+	   case HTTP_OK: jx = json_body_value(json, "access_token");
+			 if(jx && jx->jtype == JString)
+			   oauth2->access_token = cpystr((char *) jx->value);
 
-	if((jx = json_body_value(json, "expires_in")) != NULL)
-	   switch(jx->jtype){
-	      case JString: oauth2->expiration = time(0) + atol((char *) jx->value);
-			    break;
-	      case JLong  : oauth2->expiration = time(0) + *(long *) jx->value;
-			    break;
-	   }
+			 if((jx = json_body_value(json, "expires_in")) != NULL)
+			 switch(jx->jtype){
+			      case JString: oauth2->expiration = time(0) + atol((char *) jx->value);
+				    break;
+			      case JLong  : oauth2->expiration = time(0) + *(long *) jx->value;
+				    break;
+			 }
+			 break;
 
+	     default :  { char tmp[100];
+			    sprintf(tmp, "Oauth2 client Received Code %d", status);
+			    mm_log (tmp, ERROR);
+			}
+			break;
+	}
 	json_free(&json);
      }
      return;
@@ -190,12 +246,15 @@ mm_login_oauth2_c_client_method (NETMBX *mb, char *user, char *method,
      LOAD_HTTP_PARAMS(RefreshMethod, params);
 
      if(strcmp(RefreshMethod.name, "GET") == 0){
-	char *url = http_get_param_url(RefreshMethod.urlserver, params);
+	char *server = xoauth2_server(RefreshMethod.urlserver, oauth2->param[OA2_Tenant].value);
+	char *url = http_get_param_url(server, params);
 	oauth2getaccesscode_t ogac = 
 	(oauth2getaccesscode_t) mail_parameters (NIL, GET_OA2CLIENTGETACCESSCODE, NIL);
 
 	if(ogac)
 	  oauth2->param[OA2_Code].value = (*ogac)(url, method, oauth2, tryanother);
+
+	if(server) fs_give((void **) &server);
      }
 
      if(oauth2->param[OA2_Code].value){
@@ -230,7 +289,7 @@ mm_login_oauth2_c_client_method (NETMBX *mb, char *user, char *method,
 	     case HTTP_BAD :  break;
 
 		default   :  { char tmp[100];
-			       sprintf(tmp, "Oauth Client Received Code %d", status);
+			       sprintf(tmp, "Oauth2 Client Received Code %d", status);
 			       fatal (tmp);
 			     }
 	  }
@@ -240,8 +299,6 @@ mm_login_oauth2_c_client_method (NETMBX *mb, char *user, char *method,
      }
      return;
    }
-
-   /* Else, does this server use the /devicecode method? */
 }
 
 void oauth2deviceinfo_get_accesscode(void *inp, void *outp)
@@ -304,9 +361,9 @@ void oauth2deviceinfo_get_accesscode(void *inp, void *outp)
 			break;
 
 	     default :  { char tmp[100];
-			    sprintf(tmp, "Oauth device Received Code %d", status);
-			    fatal (tmp);
-			  }
+			  sprintf(tmp, "Oauth device Received Code %d", status);
+			  mm_log (tmp, ERROR);
+			 }
      }
 
      json_free(&json);
@@ -314,3 +371,36 @@ void oauth2deviceinfo_get_accesscode(void *inp, void *outp)
 
   *(int *)outp = rv;
 }
+
+XOAUTH2_INFO_S *new_xoauth2_info(void)
+{
+  XOAUTH2_INFO_S *rv = fs_get(sizeof(XOAUTH2_INFO_S));
+  memset((void *) rv, 0, sizeof(XOAUTH2_INFO_S));
+  return rv;
+}
+
+void free_xoauth2_info(XOAUTH2_INFO_S **xp)
+{
+  if(xp == NULL || *xp == NULL) return;
+
+  if((*xp)->name) fs_give((void **) &(*xp)->name);
+  if((*xp)->client_id) fs_give((void **) &(*xp)->client_id);
+  if((*xp)->client_secret) fs_give((void **) &(*xp)->client_secret);
+  if((*xp)->tenant) fs_give((void **) &(*xp)->tenant);
+  if((*xp)->users) fs_give((void **) &(*xp)->users);
+  fs_give((void **) xp);
+}
+
+XOAUTH2_INFO_S *copy_xoauth2_info(XOAUTH2_INFO_S *x)
+{
+  XOAUTH2_INFO_S *y;
+
+  if(x == NULL) return NULL;
+  y = new_xoauth2_info();
+  if(x->name) y->name = cpystr(x->name);
+  if(x->client_id) y->client_id = cpystr(x->client_id);
+  if(x->client_secret) y->client_secret = cpystr(x->client_secret);
+  if(x->tenant) y->tenant = cpystr(x->tenant);
+  if(x->users) y->users = cpystr(x->users);
+  return y;
+}
diff --git a/imap/src/osdep/nt/makefile.nt b/imap/src/osdep/nt/makefile.nt
index 83e7482..283d86a 100644
--- a/imap/src/osdep/nt/makefile.nt
+++ b/imap/src/osdep/nt/makefile.nt
@@ -29,7 +29,7 @@
 EXTRAAUTHENTICATORS =
 EXTRADRIVERS = 
 EXTRACFLAGS =
-AUTHENTICATORS = ext md5 pla bea oa2 log
+AUTHENTICATORS = ext md5 pla log bea oa2
 DRIVERS = imap nntp pop3 mbx mtx tenex unix
 CREATEDRIVER = mbx
 APPENDDRIVER = unix