I would also like to add that there are a bunch of projects out now that implement OAuth2/OpenID for self-hosted identity providers (ory.sh / keycloak / nextcloud / gitea / gitlab / …).
This makes it possible to secure your services with a proper, newer workflow to handle access to resources.
A solution to add Google only first, or a static list, is fine for me; I only wanted to mention that there is also a need for a decentralized solution.
I think there is currently no RFC on how to get information about the responsible OAuth provider in CalDAV/CardDAV; probably worth thinking about a standard.
With Google you have predefined information, but there you need to register an app before it can use the API, which is then shipped statically with the app, and that does not work for decentralized systems.
A solution would be a .well-known URL for where to go to get an access token with a predefined API; this would make it flexible for different use cases, not sure if this is in the thinking of the OAuth2 standard.
Normally OAuth2 wants a separate client_id for each “App” (web service, phone app, desktop app, …); there is the workflow for a mobile app, which is, more or less, what Google recommends.
For reference, the corresponding RFC:
A solution would be “dynamic client registration management”, mentioned here: https://tools.ietf.org/html/rfc7592
This creates a new client_id on demand at the OAuth2 server.
I started research not so long ago; probably I can give you some more feedback in the future.
Implementation in the app:
The implementation itself should not be that much: use a lib for OAuth2, add configs for the provider (token_endpoint), create a request, redirect the user to a browser, a bit back and forth, and in the end you get an access token with which you can access the resources by adding the header
Authorization: Bearer <token>. Normally the OAuth2 library does that for you; in this case you probably need other adjustments in the app in the network API layer.
If you have any questions I am open to help, also to test something other than Google services.
For the test server I am currently waiting until some other project has more progress ( https://www.ory.sh/oathkeeper ).
Otherwise I could set up a quick and dirty setup for testing if needed.
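As an added example (not code from the post above or from any of the projects it names), here is a client-side sketch of the decentralized flow the post describes: locate the provider metadata via a .well-known URL, check the advertised endpoints before trusting them, build the RFC 7591 dynamic-registration body that yields a client_id on demand, derive the PKCE pair used in the native-app flow, and attach the Bearer header to CalDAV/CardDAV requests. The issuer hostname and the discovery document are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlparse

# Constructed metadata; a real client fetches it over HTTPS from <issuer>/.well-known/...
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://id.example.org",
    "authorization_endpoint": "https://id.example.org/oauth2/auth",
    "token_endpoint": "https://id.example.org/oauth2/token",
    "registration_endpoint": "https://id.example.org/oauth2/register",
    "code_challenge_methods_supported": ["S256"],
})

def discovery_url(issuer: str) -> str:
    """Where the client looks for provider metadata (OpenID Discovery / RFC 8414)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def parse_discovery(doc: str, issuer: str) -> dict:
    """Parse metadata; reject endpoints that are not HTTPS on the issuer's own host,
    so a tampered document cannot send the client to a foreign token endpoint."""
    meta = json.loads(doc)
    if meta.get("issuer") != issuer:
        raise ValueError("issuer mismatch")
    host = urlparse(issuer).hostname
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        u = urlparse(meta[key])
        if u.scheme != "https" or u.hostname != host:
            raise ValueError(f"{key} is not https on the issuer host")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not offer PKCE S256")
    return meta

def registration_request(app_name: str, redirect_uri: str) -> dict:
    """RFC 7591 body: a public native client with loopback redirect (RFC 8252)."""
    return {"client_name": app_name, "redirect_uris": [redirect_uri],
            "grant_types": ["authorization_code", "refresh_token"],
            "response_types": ["code"], "token_endpoint_auth_method": "none",
            "application_type": "native"}

def pkce_pair(verifier: str = "") -> tuple:
    """RFC 7636 code_verifier and its S256 code_challenge for the authorization request."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def bearer_header(token: str) -> dict:
    """Header added to every CalDAV/CardDAV request once a token is obtained."""
    return {"Authorization": f"Bearer {token}"}
```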