Implement OAuth authorization for Inoreader #35

Open
Minoru opened this issue Oct 24, 2017 · 7 comments
Labels
enhancement This issue proposes a new feature or an improvement to an existing one

Comments

@Minoru
Member

Minoru commented Oct 24, 2017

Inoreader support (#22) uses ClientLogin for user authentication, but Inoreader developers themselves point out that OAuth should be preferred. Newsboat also needs OAuth for other remote APIs, so Inoreader might well become an API that leads the way.

Since we're probably going to have more OAuth APIs, I don't mind adding a dependency on a library that implements OAuth-specific tasks. I looked at liboauthcpp, but it only supports OAuth 1.0a (Inoreader uses 2.0). There are a few others that require Qt, and that seems to be it. A bit more time spent on search won't hurt.

Minoru added the enhancement label Oct 24, 2017
@noctux
Contributor

noctux commented Nov 11, 2017

There is also oauth2cpp. However, it is version 0.1 and the given status is "work in progress", with no commits for two years, so it looks dead.
For completeness: https://oauth.net/code/ lists different client libraries for OAuth2. The two recommended libraries both use Qt.

@Minoru
Member Author

Minoru commented Jun 3, 2020

#61 unearthed a new constraint: Feedly issues OAuth tokens for apps, not users, so we can't bake them into our code like we do with Inoreader. Just something to keep in mind.

@seanh

seanh commented Apr 21, 2022

The Inoreader support as currently documented (requiring the user to register their own application with Inoreader to get an API key) is no longer usable. This is the response I got from Inoreader support:

There is no need to have an App ID and API key to use our service in 3rd party apps. The app you are willing to use (Newsboat) is not correctly using our API, and there is no need to ask you for that. Please refer to our API documentation which clarifies that. So please get in touch with the app developers and inform them about that.

@Minoru
Member Author

Minoru commented Apr 21, 2022

Thank you for the heads-up! The situation looks similar to Feedly: we can't embed secret tokens because the code is open, and nobody wants to operate a proxy that would keep the token.

I wrote to support asking if they can suggest any other schemes, or perhaps allow authenticating with just the user's email and password. Let's see what happens.

@seanh

seanh commented Apr 21, 2022

For what it's worth, Newsflash has a seemingly working Inoreader integration, no idea how it's implemented: https://gitlab.com/news-flash/news_flash_gtk

@Minoru
Member Author

Minoru commented Apr 21, 2022

They embed secrets in the code: https://gitlab.com/news-flash/news_flash/-/blob/3de1cd46bcef56085a51374c86428f391d5704a7/src/feed_api_implementations/inoreader/oauth.rs#L16-17 =\

We used to do the same thing with Inoreader (with ClientLogin credentials), but moved away from this approach because of the rate limits. Newsboat is not really a client, it generates more traffic than a thin client would. So I don't think we can do this with OAuth2 (even if we forget about the security implications for a moment).

@Minoru
Member Author

Minoru commented Jun 5, 2022

Oops, I never updated this issue when I got a response from Inoreader! They did answer within 3 days as promised. I'm not sure I am allowed to quote in full, so I'll summarize their points:

  • they found that API queries create too big of a load on their servers, so they disallowed Free users from getting API keys. Pro users can still get the keys, but rate limits were lowered (I wonder if Newsboat is usable with these new limits)
  • they insist that OAuth2 is the only way to use their API
  • they pointed out that the proxy I mentioned above only has to proxy the authentication calls; once we return a token, the rest of the calls can bypass the proxy (until the token expires)

I still don't want to operate the proxy.
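
The proxy arrangement summarized in the last bullet above, sketched as an added example (not part of the original thread and not Newsboat's or Inoreader's code): the proxy adds the application secret to the token request and nothing else passes through it. `TOKEN_ENDPOINT`, the credentials and `fake_provider` are constructed placeholders; the form fields are the standard OAuth 2.0 token-request parameters.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed placeholder: the thread does not give the provider's token endpoint.
TOKEN_ENDPOINT = "https://provider.example/oauth2/token"
# Grant types the proxy will forward, mapped to the credential each one carries.
ALLOWED_GRANTS = {"authorization_code": "code", "refresh_token": "refresh_token"}


def build_upstream_form(client_form, client_id, client_secret):
    """Turn the client's secret-less request into the full token request."""
    grant = client_form.get("grant_type")
    if grant not in ALLOWED_GRANTS:
        raise ValueError("unsupported grant_type")
    credential = ALLOWED_GRANTS[grant]
    if not client_form.get(credential):
        raise ValueError("missing " + credential)
    # Built from scratch: client-supplied client_id/client_secret are ignored.
    form = {"grant_type": grant, credential: client_form[credential],
            "client_id": client_id, "client_secret": client_secret}
    if grant == "authorization_code":
        form["redirect_uri"] = client_form.get("redirect_uri", "")
    return form


def http_post_form(url, form):
    """Default transport: POST form-encoded data and parse the JSON reply."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def proxy_token_request(client_form, client_id, client_secret, post=http_post_form):
    """The only call that crosses the proxy; API calls use the token directly."""
    reply = post(TOKEN_ENDPOINT, build_upstream_form(client_form, client_id, client_secret))
    # Hand back token fields only, so nothing else from upstream reaches the client.
    keep = ("access_token", "refresh_token", "expires_in", "token_type")
    return {k: reply[k] for k in keep if k in reply}


def fake_provider(url, form):
    """Constructed stand-in for the provider so the example runs offline."""
    return {"access_token": "at-1", "refresh_token": "rt-1",
            "expires_in": 3600, "token_type": "Bearer", "echo": form}


if __name__ == "__main__":
    req = {"grant_type": "authorization_code", "code": "abc", "redirect_uri": "http://localhost/cb"}
    print(proxy_token_request(req, "app-id", "constructed-secret", post=fake_provider))
```

The secret stays out of the distributed source, but every user still shares one application's identity with the provider.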

Minoru added a commit that referenced this issue Jun 5, 2022
Minoru added a commit that referenced this issue Jun 7, 2022
Document Inoreader support limitations

Cf. #35

Co-authored-by: Lyse <github@lyse.isobeef.org>