[MlMt] OAuth2 support for Gmail and Outlook
Steve Mayer
smayer69 at me.com
Wed Oct 21 09:18:02 EDT 2015
Benny,
When I attempt to go through the Gmail validation, I get this message
after entering in my Gmail credentials:
__You've reached this page because we have detected that Javascript is
disabled in your browser. The page you attempted to load cannot display
properly if scripts are disabled.__
__Please enable scripts and retry the operation or go back in your
browser.__
Any ideas? Is there an option for the embedded browser to enable
JavaScript that I missed?
Thanks,
--
Steve Mayer
smayer69 at me.com
On 21 Oct 2015, at 1:45, Benny Kjær Nielsen wrote:
> Hi MailMate users,
>
> if you use the latest test version of MailMate (r5150) with a Gmail or
> an Outlook account then you should read this email.
>
> Google continues to push for the adoption of
> [OAuth2](http://oauth.net/2/) via the
> [XOAUTH2](https://developers.google.com/gmail/xoauth2_protocol)
> protocol. In my opinion, they do that using a lot of FUD as seen in
> [this support
> article](https://support.google.com/accounts/answer/6010255?hl=en),
> but that does not mean that XOAUTH2 is necessarily a bad idea.
> Especially not for something like Google for which a single password
> provides access to all kinds of services.
>
> A bit simplified, it works like this: Using an embedded web browser in
> MailMate, the user is sent to a hardcoded Google address (using a
> secure connection). The user is then asked by Google to allow MailMate
> to access the emails of the Gmail account. If accepted then MailMate
> receives a special code. Using this code MailMate can then obtain a
> so-called access token. This access token can then be used when
> authenticating via IMAP or SMTP. In other words, the real password is
> never known to[^1] or used by MailMate itself. It is naturally also
> not stored by MailMate. An access token expires, but MailMate can
> obtain a new one when needed. The access token only provides access to
> emails and the user can revoke the access at any time on [this
> page](https://security.google.com/settings/security/permissions).
>
> Now, MailMate has had experimental support for XOAUTH2, but I think I
> now have to make it the default behavior (at least for Gmail). This
> made me change a few things:
>
> * Previously, MailMate used an external web browser, but this does not
> work well and requires the user to copy/paste a code. An embedded
> browser is now used instead.
> * Using OAuth2 is now an option in the IMAP account settings. It is
> enabled by default, but it'll only be used when the corresponding IMAP
> server is actually supported by MailMate.
> * MailMate also supports XOAUTH2 for Outlook email addresses.
> * Tokens are stored in the keychain similar to how OS X stores them.
> Previously, a token was simply saved as if it was a password.
>
> The last item means that users of the experimental support are going
> to be asked to authenticate MailMate again.
>
> I'm looking for feedback on how well this works, both for Gmail and
> Outlook. I'm sure you'll tell me if it doesn't work at all.
>
> One known issue: I've seen the initial authentication fail for
> Outlook, but it seems to be a temporary problem. At least I have not
> been able to figure out what triggers it.
>
> Various other notes:
>
> * The old hidden preference is now obsolete.
> * XOAUTH2 requires me to register MailMate with the service provider
> (Google/Microsoft). If the provider stops supporting other
> authentication schemes (which is almost true for Google) then Google
> has the power to decide which email clients are allowed to work with
> Gmail. [I'm not
> sure](https://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish)
> I'm quite comfortable with that. It reminds me of what happened to
> [third party Twitter
> clients](http://thenextweb.com/twitter/2012/08/17/twitter-4/).
> * Maybe this is a good time to reiterate that
> [alternatives](http://blog.freron.com/2013/alternative-email-providers/)
> do exist.
> * iCloud appears to have a similar authentication scheme, but it's
> undocumented and cannot be used by third party email clients.
>
> --
> Benny
>
> [^1]: Since MailMate embeds the web browser itself then this is not
> strictly true. This is also why OAuth2 doesn't provide as much
> security for desktop applications as it does for web services.
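The quoted announcement says the access token "can then be used when authenticating via IMAP or SMTP". As an added example (not MailMate's code and not part of either message), this sketch builds the SASL XOAUTH2 initial response in the format given in the Google XOAUTH2 protocol document linked above, decodes the server's failure challenge, and keeps the token out of debug logs. The function names, the sample account and token, and the refresh-on-401 policy are assumptions of the example.

```python
import base64
import json

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response: base64 of
    'user=<user>^Aauth=Bearer <token>^A^A', where ^A is byte 0x01."""
    for name, value in (("user", user), ("access_token", access_token)):
        # A control byte in either field would let it break out of its slot.
        if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"{name} is empty or contains control characters")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def parse_error_challenge(line: str) -> dict:
    """Decode the '+ <base64 JSON>' continuation a server sends on failure.
    The client answers it with an empty line before the final NO arrives."""
    if not line.startswith("+ "):
        raise ValueError("not a continuation request")
    return json.loads(base64.b64decode(line[2:].strip(), validate=True))

def next_step(challenge: dict) -> str:
    """Policy assumed by this example: 401 means the access token expired or
    was revoked, so refresh once; anything else goes back to the user."""
    if str(challenge.get("status")) == "401":
        return "refresh_token_and_retry"
    return "reauthorize"

def redact_for_log(imap_line: str) -> str:
    """Keep bearer tokens out of debug logs: drop the base64 argument."""
    head, sep, _ = imap_line.partition("AUTHENTICATE XOAUTH2 ")
    return head + sep + "<redacted>" if sep else imap_line

# Constructed sample values, not real credentials or real server output.
USER = "someuser@example.com"
TOKEN = "ya29.constructed-sample-token"
COMMAND = f"A01 AUTHENTICATE XOAUTH2 {xoauth2_initial_response(USER, TOKEN)}"
FAILURE = "+ " + base64.b64encode(
    b'{"status":"401","schemes":"bearer","scope":"https://mail.google.com/"}'
).decode("ascii")

if __name__ == "__main__":
    print(redact_for_log(COMMAND))
    challenge = parse_error_challenge(FAILURE)
    print(challenge, "->", next_step(challenge))
```

The base64 layer is an encoding only, so anyone who can read an unredacted protocol log can recover the bearer token from it.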