[Maildev] Google stopping IMAP and SMTP access an moving to proprietary protocols?

Joshua Cranmer 🐧 pidgeot18 at gmail.com
Fri Aug 30 17:05:40 EDT 2019


On 8/30/2019 10:44 AM, Ben Bucksch wrote:
>
>
> Joshua Cranmer 🐧 wrote on 30.08.19 01:26:
>> On 8/29/2019 3:50 PM, Ben Bucksch wrote:
>>> Concrete things that I'm missing in our case:
>>>
>>>   * Definition of the specific SASL scheme, so that I can connect
>>>     IMAP with OAUTH2. (As said, this must work 100% identical for
>>>     all ISPs.)
>>>
>> ... Every protocol that implements SASL is required to list the 
>> supported mechanisms, and OAUTHBEARER is the correct SASL scheme.
>
>
> Right. Just that Google, who we're talking about here, doesn't use it.
>
> 1 CAPABILITY:
>
> Google imap.google.com:
>
> *CAPABILITY IMAP4rev1 UNSELECT LITERAL+IDLE NAMESPACE QUOTA ID XLIST 
> CHILDREN X-GM-EXT-1

You're citing the capability list from the website. Using telnet -z ssl 
imap.gmail.com 993:

* OK Gimap ready for requests from <redacted>
1 CAPABILITY
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN 
X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN 
AUTH=OAUTHBEARER AUTH=XOAUTH
1 OK Thats all she wrote!

Look, I know you're not stupid, so why didn't you attempt to actually 
get the capability list from an IMAP session like you did for the other 
servers you described? As a Thunderbird developer, you should be well 
aware that any online documentation may not actually match the current 
capabilities. :-) Running an AUTHENTICATE OAUTHBEARER manually shows 
that the resulting struct on an error only has the scope and status 
fields in the JSON struct, not the openid-configuration field.

>
>>>   * Knowing how I get the JSON result, given that I'm in an
>>>     interactive browser session.
>>>   * Google says I should use the system web browser for their OAUTH2
>>>     login. I can launch a URL there, but wouldn't know how to follow
>>>     which URL we're at or get the JSON result from that, given that
>>>     there is no defined API that works cross-browser. Obviously,
>>>     we'd need an API for all of Windows, Mac, Linux, Android and iOS.
>>>   * The "scope" is currently completely up to the ISP to define, yet
>>>     I need to pass the right scope in. I'm dead already with this
>>>     little detail. This would need to be defined in a standard.
>>>   * Google, Microsoft and others want me to register my application
>>>     and authenticate the calls from my app. That poses 3 concrete
>>>     problems:
>>>       o ... It's practically impossible to get the secrets from all
>>>         ISPs in the world, because there are thousands. Note that
>>>         all app authors would need to get the secrets for all ISPs.
>>>         Imagine I just want to make an open-source "mail check" app.
>>>         That's practically impossible....
>>>
>> There are mechanisms to register the client ID dynamically, and 
>> mechanisms for the authentication process to tell you where to find 
>> the OAuth parameters to do the request (including endpoint 
>> locations). However, these mechanisms are optional. We should have 
>> made implementation in Thunderbird contingent on providers actually 
>> supporting these flows as an incentive to get them to do the work.
>
>
> If Google requires OAuth2 and doesn't support these mechanisms (could 
> you provide links, please?), that's not helping us, is it?
>
The links can be found in the references of RFC 7628, the specification 
for OAuth SASL. Dynamic client registration is RFC 7591, while the OpenID 
discovery protocol is located at 
<http://openid.net/specs/openid-connect-discovery-1_0.html>.

-- 
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist
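The OAUTHBEARER exchange Joshua describes, as an added Python example (not code from this thread or from Thunderbird): it builds the RFC 7628 initial response for an IMAP AUTHENTICATE with SASL-IR, decodes the server's failure JSON and reports whether it carries the openid-configuration discovery field. The sample challenges, the example.invalid URL and the dummy token are constructed.

```python
import base64
import json

KVSEP = "\x01"  # RFC 7628 key/value separator (%x01)

def build_initial_response(host, port, token, authzid=None):
    """OAUTHBEARER initial client response (RFC 7628 section 3.1): GS2 header
    (no channel binding, optional authzid), kvsep-delimited host/port/auth
    pairs, and a terminating kvsep."""
    gs2_header = "n," + (f"a={authzid}" if authzid else "") + ","
    pairs = f"host={host}{KVSEP}port={port}{KVSEP}auth=Bearer {token}{KVSEP}"
    return gs2_header + KVSEP + pairs + KVSEP

def imap_authenticate_line(tag, initial_response):
    """IMAP AUTHENTICATE with the response inline (SASL-IR, which Gmail advertises)."""
    b64 = base64.b64encode(initial_response.encode("utf-8")).decode("ascii")
    return f"{tag} AUTHENTICATE OAUTHBEARER {b64}\r\n"

def parse_failure_challenge(continuation_line):
    """Decode the '+ <base64 JSON>' sent when the token is rejected (section 3.2.2)."""
    if not continuation_line.startswith("+ "):
        raise ValueError("not a SASL continuation request")
    return json.loads(base64.b64decode(continuation_line[2:].strip()).decode("utf-8"))

def abort_response():
    """Client reply to the failure challenge: a lone kvsep, then the server answers NO."""
    return base64.b64encode(KVSEP.encode("utf-8")).decode("ascii")

def discovery_url(challenge):
    """openid-configuration URL from the failure JSON, or None when the provider omits it."""
    return challenge.get("openid-configuration")

def _challenge(obj):
    return "+ " + base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")

# Constructed sample challenges, not captured from any real server: one in the
# shape RFC 7628 shows, one carrying only status and scope as Gmail is reported to.
RFC_STYLE_CHALLENGE = _challenge({
    "status": "invalid_token", "scope": "example_scope",
    "openid-configuration": "https://example.invalid/.well-known/openid-configuration"})
MINIMAL_CHALLENGE = _challenge({"status": "invalid_token", "scope": "example_scope"})

if __name__ == "__main__":
    print(imap_authenticate_line("a1", build_initial_response("imap.gmail.com", 993, "DUMMY_TOKEN")), end="")
    for line in (RFC_STYLE_CHALLENGE, MINIMAL_CHALLENGE):
        print("discovery endpoint:", discovery_url(parse_failure_challenge(line)))
```

A client that wants to discover the provider's endpoints from the failure JSON, as RFC 7628 intends, gets nothing to work with when only status and scope come back.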
