Allow oauth2 for other services than google and fastmail

[iMartyn]

Problem scope

• I'm sure that this is a DAVx⁵ problem.

App version

• I'm using the latest available DAVx⁵ version.

Android version and device/firmware type

Android 14 (Lineage 22)

Steps to reproduce

1. Run a DAV server behind some kind of auth2 proxy (in my case Xandikos behind oauth2-proxy)
2. Attempt to use the dav server

Actual result

DavX5 claims there is no CalDAV or CardDAV server at the url

Expected result

An oauth flow to occur - open the embedded browser like google or fastmail (I assume, I don't connect these services to my phone) does.

Further info

I suspect this requires a separate login type in the list (url and username; email address; advanced login) or an option within the advanced login to trigger an oauth flow.

More and more services are going oauth2 so having the ability to manually configure as oauth rather than a fixed list would be good imo.

[devvv4ever]

A generic "OAUth2" login would be useful of course. However I'm not sure but wouldn't we need some kind of server-specific Client ID in DAVx5 to make that a safe "generic" authentication? I'm also not sure if OAuth2 is working the same on all implementations. Maybe @rfc2822 knows more, since they implemented this in DAVx5.

I also converted this issue into a discussion, since it is not a real issue.

[rfc2822]

More and more services are going oauth2 so having the ability to manually configure as oauth rather than a fixed list would be good imo.

But you would have to enter multiple URLs plus scopes plus a client ID (like the values defined for Fastmail). I suspect most users either don't have these data or it would be far more work than just logging in with user name / (app) password.

[iMartyn]

For anything that uses a proxy (e.g. oauth2-proxy, OAP), you don't need a client id, you just need to be able to open a browser and save the cookie to be passed on requests. The proxy handles the rest, it's the oath2 client, the only thing that DAVx5 needs to do is launch the browser and note the cookies for use by the http client later.

[RobinVanhove]

The current best practice on implementing OAuth for mobile apps is to use a public client.
So the user would indeed have to configure some information. Specifically: Token & Authorization urls client id, scopes.

Luckily the two url's can be retrieved form the OIDC well-known url which is based on the issuer url, so the user would only have to enter one.
Many OAuth authorization servers also support some kind of default scopes, where the server returns a set of scopes if none are requested by the client.

This is also how Google & Fastmail auth are implemented in Davx5, but there these are hard coded for those specific providers.

https://github.com/bitfireAT/davx5-ose/blob/main/core/src/main/kotlin/at/bitfire/davdroid/network/OAuthGoogle.kt

The could thing is that the OAuth code could be reused from those implementations.
We would only have to implement screens to provide the needed config details

• OIDC issuer url
• Client ID
• Advanced
  • scopes (optional)
  • Token & Authorization urls (then they should not be retrieved directly form the issuer)