Google and OAuth 2.0

Joshua Cranmer 🐧 Pidgeot18 at gmail.com
Fri Apr 25 16:35:27 UTC 2014


On 4/25/2014 10:52 AM, Gervase Markham wrote:
> http://googleonlinesecurity.blogspot.co.uk/2014/04/new-security-measures-will-affect-older.html
>
> Is this relevant to Thunderbird accessing Gmail?

Ugh. We've WONTFIX'd adding OAuth 2.0 support to IMAP in the past. The 
problem with OAuth is that the authorization steps are completely 
separate from the low-level SASL steps in IMAP and friends, and the SASL 
portion gives you no insight into how to perform the HTTP steps of 
authorization (i.e., it doesn't tell you which HTTP server to talk to). 
It's worse than GSSAPI in this regard because at least GSSAPI has a 
standardized platform C API that allows you to pass off the 
communication steps to the third party.

Oh, and IIRC, OAuth requires you to provision a "secret" identifier for 
your application, which is rather hostile for open-source applications 
since checking it into our public repository is not likely to go over 
well. :-(

OAuth 2.0 makes some amount of sense if your application only cares 
about talking to Google's server. For a generic IMAP client, it is 
really hostile to your userbase. I find Google's attempt to make 
traditional authentication steps (even relatively secure SASL steps?) 
more difficult for users to use to be rather hostile to users and clients.

[Granted, they also seem to like the idea of locking you out of your 
account if you try accessing it from a different country, as I found 
much to my chagrin when I tried checking email in Toronto... or was that 
Facebook? or both?]

-- 
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist
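
The SASL/HTTP split described above, as an added example that is not part of the original post or of Thunderbird's own code. It shows what the IMAP side actually carries for Google's XOAUTH2 SASL mechanism (a base64 blob holding only a user name and an already-issued bearer token), how the server's error continuation is encoded, and the separate HTTP form body of the OAuth 2.0 refresh_token grant (RFC 6749 section 6) that produces the token in the first place. The user name, token, client_id, client_secret and refresh_token values are constructed placeholders, as is the sample error line; nothing here tells the IMAP client which HTTP token endpoint to talk to, which is the point of the post.

```python
import base64
import json
from urllib.parse import urlencode


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the base64 initial client response for SASL XOAUTH2.

    Wire format before base64 (Google's documented form):
        "user=" user "\x01auth=Bearer " token "\x01\x01"
    The mechanism carries only a bearer token that some earlier HTTP
    exchange produced; the IMAP exchange itself never names that endpoint.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_initial_response(b64: str) -> dict:
    """Server-side view: decode the blob and split it into its fields."""
    raw = base64.b64decode(b64).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response: missing \\x01\\x01 terminator")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def imap_authenticate_command(tag: str, user: str, access_token: str) -> str:
    """IMAP AUTHENTICATE line with the SASL-IR initial response appended."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}\r\n"


def parse_xoauth2_error(server_continuation: str) -> dict:
    """On failure the server answers with a '+ ' continuation whose payload is
    base64-encoded JSON such as
        {"status":"400","schemes":"bearer","scope":"https://mail.google.com/"}
    The client then sends an empty line to finish the exchange. Even this error
    only tells you the scope, not where to go to obtain a token for it."""
    if not server_continuation.startswith("+ "):
        raise ValueError("not a SASL continuation line")
    payload = server_continuation[2:].strip()
    return json.loads(base64.b64decode(payload).decode("utf-8"))


def refresh_token_request_body(client_id: str, client_secret: str, refresh_token: str) -> str:
    """Form body of the OAuth 2.0 refresh_token grant (RFC 6749 section 6).

    This is the HTTP step that has to happen before AUTHENTICATE can be sent;
    it is entirely outside IMAP and needs the per-application client_id and
    client_secret the post complains about.
    """
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })


# Constructed sample of a failed-authentication continuation line (not captured
# from a real server); the JSON shape is the one Google documents for XOAUTH2.
SAMPLE_ERROR_LINE = "+ " + base64.b64encode(json.dumps({
    "status": "400",
    "schemes": "bearer",
    "scope": "https://mail.google.com/",
}).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Placeholder user and token; a real token would come from the HTTP step.
    print(imap_authenticate_command("a001", "alice@example.com", "ya29.EXAMPLE_TOKEN"), end="")
    print(parse_xoauth2_error(SAMPLE_ERROR_LINE))
    print(refresh_token_request_body("example-client-id", "example-client-secret",
                                     "1/EXAMPLE_REFRESH_TOKEN"))
```

One caveat on the client_secret field: RFC 6749 section 2.1 classes installed and native applications as public clients, whose credentials cannot be kept confidential, so a secret shipped inside an open-source client is a registration identifier rather than something the token endpoint can actually rely on.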




More information about the tb-planning mailing list