Implement "Online Accounts" Portal #19
Description
Problem
Flatpacked apps using EDS are not able to retrieve credentials from the host system.
Proposal
What we really want for this is a Flatpak Portal. Here's the corresponding discussion from Slack:
You need an authorization flow that would be like this:
- Have an "Add account…" on the app (that sends some settings to the portal like supported auth type (ex: password), account types (ex: imap+smtp or pop3+smtp for password)
- Then the portal process the querry,
- if you already have an account configured that is not yet allowed, show a dialog with a list of available accounts and a "Add new account…", clicking on an account would return it to the app, clicking on the "Add new account…" would go next case
- if you don't have an account configured (or you clicked "Add new account…"), then the online account plug is opened at the "Add account" page
So basically, that's not just a credential portal, we don't want to mimic libsecret on D-Bus which isn't exposed for reasons - because we need a way to tell if the credentials requesting app is authorized. Otherwise a malicious app could request any credentials and/or spoof another app's id to do so. So a simple DBus handing over whatever credentials are requested is a serious security hole. That's why it's a portal, you always know the origin of the request that way.
We should be able to start out with a minimal proof of concept: A portal supporting the full flow for CalDAV accounts only (since this is essentially only three properties uri, username and password) - and then build from there for IMAP/SMTP, OAuth, ... Also remember that for OAuth, each app will need to provide a different Client Secret, only elementary official apps can use the elementary one.