[MlMt] OAuth2 support for Gmail and Outlook
Benny Kjær Nielsen
mailinglist at freron.com
Wed Oct 21 04:45:17 EDT 2015
Hi MailMate users,
if you use the latest test version of MailMate (r5150) with a Gmail or
an Outlook account then you should read this email.
Google continues to push for the adoption of
[OAuth2](http://oauth.net/2/) via the
[XOAUTH2](https://developers.google.com/gmail/xoauth2_protocol)
protocol. In my opinion, they do that using a lot of FUD as seen in
[this support
article](https://support.google.com/accounts/answer/6010255?hl=en), but
that does not mean that XOAUTH2 is necessarily a bad idea. Especially
not for something like Google for which a single password provides
access to all kinds of services.
A bit simplified, it works like this: Using an embedded web browser in
MailMate, the user is sent to a hardcoded Google address (using a secure
connection). The user is then asked by Google to allow MailMate to
access the emails of the Gmail account. If accepted then MailMate
receives a special code. Using this code MailMate can then obtain a
so-called access token. This access token can then be used when
authenticating via IMAP or SMTP. In other words, the real password is
never known to[^1] or used by MailMate itself. It is naturally also not
stored by MailMate. An access token expires, but MailMate can obtain a
new one when needed. The access token only provides access to emails and
the user can revoke the access at any time on [this
page](https://security.google.com/settings/security/permissions).
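The flow described above ends with the access token being presented over IMAP or SMTP instead of a password. As an added illustration (not MailMate's code, and not Google's reference implementation), the following Python builds the SASL XOAUTH2 initial client response in the format the XOAUTH2 protocol documents (`user=<address>\x01auth=Bearer <token>\x01\x01`, base64-encoded), parses it back so the structure can be checked, and keeps a token alive across expiry by calling a refresh function shortly before the token lapses. The token values, timestamps and the `fake_refresh` callable are constructed stand-ins; a real client would obtain tokens from the provider's HTTPS token endpoint and, as the post says MailMate now does, keep them in the keychain rather than in memory.

```python
import base64
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SEP = "\x01"  # control-A separator required by the XOAUTH2 format


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the base64 SASL XOAUTH2 initial client response.

    This is what IMAP AUTHENTICATE XOAUTH2 / SMTP AUTH XOAUTH2 carry;
    the account password itself never appears on the wire.
    """
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_initial_response(encoded: str) -> Dict[str, str]:
    """Decode an initial response back into its fields, rejecting malformed input."""
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("malformed XOAUTH2 response: missing terminating separators")
    fields: Dict[str, str] = {}
    for part in raw[:-2].split(SEP):
        key, _, value = part.partition("=")
        fields[key] = value
    if fields.get("auth", "").split(" ", 1)[0] != "Bearer":
        raise ValueError("auth field must carry a Bearer token")
    return fields


@dataclass
class AccessToken:
    value: str
    expires_at: float  # Unix time at which the provider says the token lapses


class TokenManager:
    """Hand out the current access token, refreshing it before it expires.

    `refresh` stands in for the HTTPS POST to the provider's token endpoint
    (refresh_token grant); `skew` refreshes a little early so an IMAP
    command does not race the expiry.
    """

    def __init__(self, refresh: Callable[[], AccessToken], skew: float = 60.0):
        self._refresh = refresh
        self._skew = skew
        self._token: Optional[AccessToken] = None
        self.refresh_count = 0

    def get(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._token.expires_at - self._skew:
            self._token = self._refresh()
            self.refresh_count += 1
        return self._token.value


def imap_login_with_xoauth2(host: str, user: str, token: str):
    """Authenticate an IMAP session with XOAUTH2 (network call; not run in demo()).

    imaplib base64-encodes the bytes the callable returns, so the raw
    (unencoded) form is handed over here.
    """
    import imaplib

    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate(
        "XOAUTH2",
        lambda _challenge: f"user={user}{SEP}auth=Bearer {token}{SEP}{SEP}".encode("utf-8"),
    )
    return conn


def demo() -> Dict[str, object]:
    """Walk a token through reuse, near-expiry refresh and SASL encoding (constructed values)."""
    issued: List[AccessToken] = [
        AccessToken("ya29.CONSTRUCTED-TOKEN-1", 1000.0 + 3600),  # constructed, expires at 4600
        AccessToken("ya29.CONSTRUCTED-TOKEN-2", 5000.0 + 3600),  # constructed, expires at 8600
    ]

    def fake_refresh() -> AccessToken:  # hypothetical stand-in for the token endpoint
        return issued.pop(0)

    mgr = TokenManager(fake_refresh)
    first = mgr.get(now=1000.0)   # no token yet: first refresh
    same = mgr.get(now=2000.0)    # still valid: reused, no network round trip
    second = mgr.get(now=4600.0)  # inside the 60 s skew window: second refresh
    sasl = xoauth2_initial_response("someuser@example.com", second)
    return {"first": first, "same": same, "second": second,
            "refreshes": mgr.refresh_count, "sasl": sasl}


if __name__ == "__main__":
    print(demo())
```

The parser is the piece a defender tends to want: if an IMAP or SMTP server logs the initial response, decoding it shows which account the bearer token was presented for without the token ever having been a password. Revoking the grant on the provider's permissions page invalidates the refresh step, which is why the manager above only ever holds short-lived access tokens.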
Now, MailMate has had experimental support for XOAUTH2, but I think I
now have to make it the default behavior (at least for Gmail). This made
me change a few things:
* Previously, MailMate used an external web browser, but this does not
work well and requires the user to copy/paste a code. An embedded
browser is now used instead.
* Using OAuth2 is now an option in the IMAP account settings. It is
enabled by default, but it'll only be used when the corresponding IMAP
server is actually supported by MailMate.
* MailMate also supports XOAUTH2 for Outlook email addresses.
* Tokens are stored in the keychain similar to how OS X stores them.
Previously, a token was simply saved as if it was a password.
The last item means that users of the experimental support are going to
be asked to authenticate MailMate again.
I'm looking for feedback on how well this works, both for Gmail and
Outlook. I'm sure you'll tell me if it doesn't work at all.
One known issue: I've seen the initial authentication fail for Outlook,
but it seems to be a temporary problem. At least I have not been able to
figure out what triggers it.
Various other notes:
* The old hidden preference is now obsolete.
* XOAUTH2 requires me to register MailMate with the service provider
(Google/Microsoft). If the provider stops supporting other
authentication schemes (which is almost true for Google) then Google has
the power to decide which email clients are allowed to work with Gmail.
[I'm not
sure](https://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish) I'm
quite comfortable with that. It reminds me of what happened to [third
party Twitter
clients](http://thenextweb.com/twitter/2012/08/17/twitter-4/).
* Maybe this is a good time to reiterate that
[alternatives](http://blog.freron.com/2013/alternative-email-providers/)
do exist.
* iCloud appears to have a similar authentication scheme, but it's
undocumented and cannot be used by third party email clients.
--
Benny
[^1]: Since MailMate embeds the web browser itself then this is not
strictly true. This is also why OAuth2 doesn't provide as much security
for desktop applications as it does for web services.