Implement "Online Accounts" Portal #19

Problem

Flatpacked apps using EDS are not able to retrieve credentials from the host system.

Proposal

What we really want for this is a Flatpak Portal. Here's the corresponding discussion from Slack:

You need an authorization flow that would be like this:

  • Have an "Add account…" on the app (that sends some settings to the portal, like the supported auth type (e.g. password) and account types (e.g. imap+smtp or pop3+smtp for password)).
  • Then the portal processes the query:
    • if you already have an account configured that is not yet allowed, show a dialog with a list of available accounts and an "Add new account…" entry; clicking on an account would return it to the app, clicking on "Add new account…" would go to the next case
    • if you don't have an account configured (or you clicked "Add new account…"), then the online accounts plug is opened at the "Add account" page

So basically, that's not just a credential portal, we don't want to mimic libsecret on D-Bus, which isn't exposed for reasons - because we need a way to tell if the credential-requesting app is authorized. Otherwise a malicious app could request any credentials and/or spoof another app's id to do so. So a simple D-Bus service handing over whatever credentials are requested is a serious security hole. That's why it's a portal: you always know the origin of the request that way.

We should be able to start out with a minimal proof of concept: a portal supporting the full flow for CalDAV accounts only (since this is essentially only three properties: uri, username and password) - and then build from there for IMAP/SMTP, OAuth, ... Also remember that for OAuth, each app will need to provide a different Client Secret; only elementary official apps can use the elementary one.

Related Issues
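Added example (not code from this issue or from any elementary project): a Python sketch of the authorization flow described above, restricted to the CalDAV proof of concept. The sender-to-app-id table, the method names and the sample account are assumptions; a real portal resolves the caller's app id from the sandbox metadata of the D-Bus peer instead of a table, and the point the sketch makes is that the request payload is never trusted for identity.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CalDavAccount:
    uri: str        # the three properties the issue lists for a CalDAV account
    username: str
    password: str


@dataclass
class OnlineAccountsPortal:
    accounts: dict                                     # account id -> CalDavAccount, host side
    grants: set = field(default_factory=set)           # (app_id, account_id) pairs the user approved
    peer_app_ids: dict = field(default_factory=dict)   # assumed: D-Bus sender -> sandboxed app id

    def _identify(self, sender):
        # Identity comes from the connection, never from the request body, so a
        # caller cannot spoof another app's id by putting it in the payload.
        return self.peer_app_ids.get(sender)

    def request_account(self, sender, payload, chooser):
        """Flow from the issue. `chooser(app_id, ids)` stands in for the portal
        dialog and returns a chosen account id, or None for 'Add new account...'."""
        app_id = self._identify(sender)
        if app_id is None:
            return {"result": "denied", "reason": "unknown sender"}
        if payload.get("account_type") != "caldav":
            return {"result": "denied", "reason": "unsupported account type"}
        pending = [a for a in self.accounts if (app_id, a) not in self.grants]
        if not pending:
            return {"result": "open_add_account"}      # nothing to offer: open the plug
        chosen = chooser(app_id, pending)
        if chosen is None or chosen not in pending:
            return {"result": "open_add_account"}      # user picked "Add new account..."
        self.grants.add((app_id, chosen))              # remember the user's decision
        return {"result": "granted", "account_id": chosen}

    def get_credentials(self, sender, account_id):
        # Credentials leave the host only for (app, account) pairs the user approved.
        app_id = self._identify(sender)
        if app_id is None or (app_id, account_id) not in self.grants:
            return None
        return self.accounts[account_id]


def demo():
    # Constructed sample data: one host account and two sandboxed callers.
    portal = OnlineAccountsPortal(
        accounts={"work": CalDavAccount("https://cal.example/dav", "alice", "s3cret")},
        peer_app_ids={":1.42": "io.elementary.calendar", ":1.99": "com.example.other"})
    ok = portal.request_account(":1.42", {"account_type": "caldav"}, lambda app, ids: ids[0])
    # The other app claims the first app's id in the payload; the portal ignores it.
    spoof = portal.request_account(":1.99", {"account_type": "caldav",
                                             "app_id": "io.elementary.calendar"},
                                   lambda app, ids: None)
    return ok, spoof, portal.get_credentials(":1.99", "work"), portal
```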
