Google and OAuth 2.0

Joshua Cranmer 🐧 Pidgeot18 at gmail.com
Wed Apr 30 18:47:18 UTC 2014


On 4/25/2014 10:52 AM, Gervase Markham wrote:
> http://googleonlinesecurity.blogspot.co.uk/2014/04/new-security-measures-will-affect-older.html
>
> Is this relevant to Thunderbird accessing Gmail?

This was brought up in the status meeting, and we resolved to reach out 
to Gmail to clarify some questions. Here's the status as of right now:
1. The clarification from GMail IMAP folks is:
> The bottom line is that GMail would really like Thunderbird to use 
> OAuth2 for imap/smtp/pop access. If it doesn't, there's an increased 
> possibility that GMail will suspect the login attempt is unauthorized. 
> If you keep using the same IP address, or have two factor auth turned 
> on, you'll most likely be OK. Otherwise, the users run the risk of 
> having to jump through some hoops to get imap access again (I don't 
> know the exact details of that...) 

2. I've made a post to the IMAP-protocol list about this topic (it felt 
more relevant there than the Kitten working group): 
<http://mailman13.u.washington.edu/pipermail/imap-protocol/2014-April/002243.html>. 
From responses in the past 12 hours, it does seem like there is 
agreement by client implementers that some of these issues need to be 
resolved.

3. I've been told by both Bienvenu and Brandon that the OAuth people 
have been brought into the discussion, although they haven't responded 
publicly yet.

It looks to me that it will be possible to see many of the concerns I 
have about OAuth discussed and addressed.

As a side note, it also looks like other IMAP servers are planning on 
supporting OAuth 2.0. Outlook.com recently rolled out support for it as 
well, and I think there was another server the name of which I don't 
recall right now.

-- 
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist



