Opened 3 years ago
Last modified 11 months ago
#17149 new enhancement
Implement oauth login for GMail and other modern providers
Reported by: | pulkomandy | Owned by: | axeld |
---|---|---|---|
Priority: | normal | Milestone: | Unscheduled |
Component: | Servers/mail_daemon | Version: | R1/beta3 |
Keywords: | Cc: | ||
Blocked By: | Blocking: | ||
Platform: | All |
Description
Apparently, simply sending your password to a server to login to it has fallen out of fashion.
For example GMail doesn't allow it by default and users need to enable some "insecure mode", resulting in much frustration when trying to set up GMail accounts with Haiku mail client.
The RFC documenting this: https://datatracker.ietf.org/doc/html/rfc7628
Documentation from Google: https://developers.google.com/gmail/imap/xoauth2-protocol
Change History (6)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
For the record, I currently have my gmail account set up using https://support.google.com/accounts/answer/185833?hl=en
This is a separate password used only for imap. It requires your Google account to have two-factor authentication enabled.
This way there is no need anymore for the "unsecure apps" thing, but this still requires a bit of manual setup, so we still should implement this ticket.
comment:3 by , 3 years ago
This is a separate password used only for imap. It requires your Google account to have two-factor authentication enabled.
Does that entail having to pull out my phone and verify some message every time the mail_daemon checks the account?
comment:4 by , 3 years ago
No. It works like a normal password but it only allows to connect to IMAP/POP/SMTP. So an app knowing this password cannot access other parts of your Google account.
comment:6 by , 11 months ago
It should be noted that this workaround will be going away later this year:
AlienSoldier reported this in IRC today:
"To help keep your account secure, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Instead, you’ll need to sign in using Sign in with Google or other more secure technologies, like OAuth 2.0"
The falling date is May 30 (at least for me)