Google and OAuth 2.0
Joshua Cranmer 🐧
Pidgeot18 at gmail.com
Fri Apr 25 16:35:27 UTC 2014
On 4/25/2014 10:52 AM, Gervase Markham wrote:
> Is this relevant to Thunderbird accessing Gmail?

Ugh. We've WONTFIX'd adding OAuth 2.0 support to IMAP in the past. The
problem with OAuth is that the authorization steps are completely
separate from the low-level SASL steps in IMAP and friends, and the SASL
portion gives you no insight into how to perform the HTTP steps of
authorization (i.e., it doesn't tell you which HTTP server to talk to).
It's worse than GSSAPI in this regard because at least GSSAPI has a
standardized platform C API that allows you to pass off the
communication steps to the third party.

Oh, and IIRC, OAuth requires you to provision a "secret" identifier for
your application, which is rather hostile for open-source applications
since checking it into our public repository is not likely to go over

OAuth 2.0 makes some amount of sense if your application only cares
about talking to Google's server. For a generic IMAP client, it is
really hostile to your userbase. I find Google's attempt to make
traditional authentication steps (even relatively secure SASL steps?)
more difficult for users to use to be rather hostile to users and clients.

[Granted, they also seem to like the idea of locking you out of your
account if you try accessing it from a different country, as I found
much to my chagrin when I tried checking email in Toronto... or was that
Facebook? or both?]

Thunderbird and DXR developer
Source code archæologist
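
The separation between the SASL step and the HTTP authorization step described in the message above is visible in the XOAUTH2 SASL mechanism that Gmail accepts over IMAP. The sketch below is an added example, not part of the original post or Thunderbird's code: the function names, address and token are constructed, and it assumes the access token was already obtained out of band over HTTPS.

```python
import base64

SEP = "\x01"  # XOAUTH2 separates fields with Ctrl-A and ends with two of them


def build_xoauth2(user: str, access_token: str) -> str:
    """Return the base64 SASL initial response for XOAUTH2."""
    if SEP in user or SEP in access_token:
        raise ValueError("Ctrl-A is the field separator and may not appear in a value")
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(b64: str) -> dict:
    """Decode an XOAUTH2 initial response into its key/value fields."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing double Ctrl-A terminator")
    fields = {}
    for part in raw[:-2].split(SEP):
        key, sep, value = part.partition("=")
        if not sep or key in fields:
            raise ValueError(f"malformed or duplicate field: {key!r}")
        fields[key] = value
    return fields


def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The single IMAP command the client sends once it already holds a token."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2(user, access_token)}"


def redact_for_log(line: str) -> str:
    """Protocol logs must not keep the payload: it is a replayable bearer token."""
    head, _, _payload = line.rpartition(" ")
    return f"{head} <redacted>"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    line = imap_authenticate_line("A1", "alice@example.com", "constructed-token")
    print(redact_for_log(line))
    # Only 'user' and 'auth' exist on the wire; nothing names the HTTP
    # authorization server, so the client must know it in advance.
    print(sorted(parse_xoauth2(line.rsplit(" ", 1)[1])))
```

The decoded payload carries only the account name and the bearer token, which is why a generic IMAP client cannot learn from the SASL exchange where the token is issued.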