From fbcb47ee9d9b15bd01247e3f2404f025534e0739 Mon Sep 17 00:00:00 2001 From: Tarick Bedeir Date: Sun, 10 Apr 2022 23:22:00 -0700 Subject: [PATCH] Update README.md to suggest using Gmail token script. --- README.md | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 74cb62e..adcad40 100644 --- a/README.md +++ b/README.md 
@@ -178,13 +178,36 @@ We'll also need these credentials in the next step. #### Initial Access Token -Use the [Gmail OAuth2 developer tools](https://github.com/google/gmail-oauth2-tools/) -to obtain an OAuth token by following the [Creating and Authorizing an OAuth -Token](https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough#creating-and-authorizing-an-oauth-token) -instructions. +The sasl-xoauth2 +[repository](https://github.com/tarickb/sasl-xoauth2/blob/master/scripts/get-initial-gmail-tokens.py) +and pre-built packages include a script to assist in the generation of Gmail +OAuth tokens. Run the script as follows: -Save the resulting tokens in the file specified in `/etc/postfix/sasl_passwd`. -In our example that file will be either `/etc/tokens/username@domain.com` or +```shell +$ python3 /usr/share/sasl-xoauth2/get-initial-gmail-tokens.py \ + --client_id=CLIENT_ID_FROM_SASL_XOAUTH2_CONF \ + --client_secret=CLIENT_SECRET_FROM_SASL_XOAUTH2_CONF \ + --scope="https://mail.google.com/" \ + PATH_TO_TOKENS_FILE + +Please open this URL in a browser ON THIS HOST: + +https://accounts.google.com/o/oauth2/auth?client_id=&scope=&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A12345%2Foauth2_result +``` + +(This script must run on the same host that is opening the URL -- it's not +possible to copy the URL and paste it into a browser on another computer. This +is because [recent +changes](https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html) +to the OAuth2 authorization flow require that the browser pass the resulting +authorization code directly to the requesting application. If the Postfix +installation is running on a headless host, simply run the script on a host with +a usable browser then copy the resulting token file over to the headless host.) + +Opening the URL and authorizing the application should result in a new token in +`PATH_TO_TOKENS_FILE`, which should be the file specified in +`/etc/postfix/sasl_passwd`. 
In our example that file will be either +`/etc/tokens/username@domain.com` or `/var/spool/postfix/etc/tokens/username@domain.com` (see [A Note on chroot](#a-note-on-chroot)):
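Review bot: The added parenthetical's advice for headless hosts, "copy the resulting token file over to the headless host", does not say how to protect that file, even though it holds tokens issued for the `https://mail.google.com/` scope. Suggest adding that the file should be transferred over an encrypted channel, deleted from the browser host afterwards, and given ownership and permissions on the destination that restrict it to the user Postfix runs as. Two smaller points in the same hunk: the example passes `--client_secret=CLIENT_SECRET_FROM_SASL_XOAUTH2_CONF` on the command line, so the secret ends up in shell history and is visible in the process list while the script waits for the browser, which deserves a sentence. The sample URL also shows `client_id=&scope=` with empty values, which will not match what users see; placeholders such as `client_id=CLIENT_ID` would read more clearly.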