Google and OAuth 2.0

Gervase Markham gerv at
Fri Apr 25 16:44:33 UTC 2014

On 25/04/14 17:35, Joshua Cranmer 🐧 wrote:
> On 4/25/2014 10:52 AM, Gervase Markham wrote:
> Ugh. We've WONTFIX'd adding OAuth 2.0 support to IMAP in the past. The
> problem with OAuth is that the authorization steps are completely
> separate from the low-level SASL steps in IMAP and friends, and the SASL
> portion gives you no insight into how to perform the HTTP steps of
> authorization (i.e., it doesn't tell you which HTTP server to talk to).
> It's worse than GSSAPI in this regard because at least GSSAPI has a
> standardized platform C API that allows you to pass off the
> communication steps to the third party.
> Oh, and IIRC, OAuth requires you to provision a "secret" identifier for
> your application, which is rather hostile for open-source applications
> since checking it into our public repository is not likely to go over
> well. :-(

Would it make sense to comment on the blog post, raising these issues
(in particular, the problems for open source clients)?


More information about the tb-planning mailing list