[Maildev] Google stopping IMAP and SMTP access and moving to proprietary protocols?
Joshua Cranmer 🐧
pidgeot18 at gmail.com
Fri Aug 30 17:05:40 EDT 2019
On 8/30/2019 10:44 AM, Ben Bucksch wrote:
> Joshua Cranmer 🐧 wrote on 30.08.19 01:26:
>> On 8/29/2019 3:50 PM, Ben Bucksch wrote:
>>> Concrete things that I'm missing in our case:
>>> * Definition of the specific SASL scheme, so that I can connect
>>> IMAP with OAUTH2. (As said, this must work 100% identical for
>>> all ISPs.)
>> ... Every protocol that implements SASL is required to list the
>> supported mechanisms, and OAUTHBEARER is the correct SASL scheme.
> Right. Just that Google, who we're talking about here, doesn't use it.
> 1 CAPABILITY:
> Google imap.google.com:
> * CAPABILITY IMAP4rev1 UNSELECT LITERAL+ IDLE NAMESPACE QUOTA ID XLIST
> CHILDREN X-GM-EXT-1
You're citing the capability list from the website. Using telnet -z ssl
* OK Gimap ready for requests from <redacted>
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN
X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN
1 OK Thats all she wrote!
Look, I know you're not stupid, so why didn't you attempt to actually
get the capability list from an IMAP session like you did for the other
servers you described? As a Thunderbird developer, you should be well
aware that any online documentation may not actually match the current
capabilities. :-) Running an AUTHENTICATE OAUTHBEARER manually shows
that the resulting struct on an error only has the scope and status
fields in the JSON struct, not the openid-configuration field.
>>> * Knowing how I get the JSON result, given that I'm in an
>>> interactive browser session.
>>> * Google says I should use the system web browser for their OAUTH2
>>> login. I can launch a URL there, but wouldn't know how to follow
>>> which URL we're at or get the JSON result from that, given that
>>> there is no defined API that works cross-browser. Obviously,
>>> we'd need an API for all of Windows, Mac, Linux, Android and iOS.
>>> * The "scope" is currently completely up to the ISP to define, yet
>>> I need to pass the right scope in. I'm dead already with this
>>> little detail. This would need to be defined in a standard.
>>> * Google, Microsoft and others want me to register my application
>>> and authenticate the calls from my app. That poses 3 concrete
>>> o ... It's practically impossible to get the secrets from all
>>> ISPs in the world, because there are thousands. Note that
>>> all app authors would need to get the secrets for all ISPs.
>>> Imagine I just want to make an open-source "mail check" app.
>>> That's practically impossible....
>> There are mechanisms to register the client ID dynamically, and
>> mechanisms for the authentication process to tell you where to find
>> the OAuth parameters to do the request (including endpoint
>> locations). However, these mechanisms are optional. We should have
>> made implementation in Thunderbird contingent on providers actually
>> supporting these flows as an incentive to get them to do the work.
> If Google requires OAuth2 and doesn't support these mechanisms (could
> you provide links, please?), that's not helping us, is it?
The links can be found in the references of RFC 7628, the specification
for OAuth SASL. Dynamic client registration is RFC 7591, while the OpenID
discovery protocol is located at
Thunderbird and DXR developer
Source code archæologist
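The exchange discussed in this thread, as an added example that is not part of the original post: a small Python helper that parses the untagged CAPABILITY line a server actually returns (rather than a documentation page), picks a SASL mechanism from the advertised AUTH= entries, builds the RFC 7628 OAUTHBEARER and the Google-style XOAUTH2 initial client responses, and decodes the base64 JSON error a server sends on a failed bearer authentication to check whether it carries an openid-configuration field for discovery. The capability line is the one quoted above from the reply; the user name, token and the error JSON are constructed placeholders, and the command-line builder assumes a client that respects SASL-IR.

```python
import base64
import json

# Capability line as quoted in the reply above (untagged IMAP response).
CAPABILITY_LINE = ("* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN "
                   "X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN")

# Constructed error payload: only "status" and "scope", no "openid-configuration",
# which is the shape the reply describes for a failed AUTHENTICATE OAUTHBEARER.
CONSTRUCTED_ERROR_B64 = base64.b64encode(
    json.dumps({"status": "401", "scope": "https://mail.example.invalid/"}).encode()
).decode()


def parse_capabilities(line: str) -> dict:
    """Parse an untagged CAPABILITY response (RFC 3501 atoms are case-insensitive)."""
    tokens = line.strip().lstrip("*").split()
    if not tokens or tokens[0].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response")
    caps = {t.upper() for t in tokens[1:]}
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    return {"capabilities": caps, "mechanisms": mechs, "sasl_ir": "SASL-IR" in caps}


def pick_oauth_mechanism(mechs: set) -> str:
    """Prefer the standard RFC 7628 mechanism, fall back to Google's XOAUTH2, else none."""
    for name in ("OAUTHBEARER", "XOAUTH2"):
        if name in mechs:
            return name
    return ""


def oauthbearer_initial_response(user: str, token: str, host: str, port: int) -> str:
    """RFC 7628 client response: GS2 header, then ^A-terminated key/value pairs, then ^A."""
    return "n,a=%s,\x01host=%s\x01port=%d\x01auth=Bearer %s\x01\x01" % (user, host, port, token)


def xoauth2_initial_response(user: str, token: str) -> str:
    """Google's XOAUTH2 client response: user=..^Aauth=Bearer ..^A^A."""
    return "user=%s\x01auth=Bearer %s\x01\x01" % (user, token)


def authenticate_command(tag: str, mechanism: str, initial: str, sasl_ir: bool) -> list:
    """Lines the client sends. With SASL-IR the initial response rides on the
    AUTHENTICATE line; without it the client must wait for a '+' continuation."""
    encoded = base64.b64encode(initial.encode()).decode()
    if sasl_ir:
        return ["%s AUTHENTICATE %s %s" % (tag, mechanism, encoded)]
    return ["%s AUTHENTICATE %s" % (tag, mechanism), encoded]


def parse_sasl_error(b64_payload: str) -> dict:
    """Decode the base64 JSON a server returns in the continuation after a bearer
    failure. RFC 7628 defines 'status' and 'scope' and an optional
    'openid-configuration' URL that would let a client discover the endpoints;
    a missing discovery field means the client has to be preconfigured."""
    obj = json.loads(base64.b64decode(b64_payload))
    return {
        "status": obj.get("status"),
        "scope": obj.get("scope"),
        "discovery": obj.get("openid-configuration"),
        "can_discover": "openid-configuration" in obj,
    }


if __name__ == "__main__":
    caps = parse_capabilities(CAPABILITY_LINE)
    mech = pick_oauth_mechanism(caps["mechanisms"])
    initial = xoauth2_initial_response("user@example.invalid", "PLACEHOLDER_TOKEN")
    for line in authenticate_command("a1", mech, initial, caps["sasl_ir"]):
        print(line)
    print(parse_sasl_error(CONSTRUCTED_ERROR_B64))
```

The last step of the RFC 7628 failure path, the client answering the error continuation with a lone ^A so the server can finish with a tagged NO, is left to the caller; the point of the helper is that a client can tell from the error body alone whether discovery is available.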