Community Discussions and Support
Just so everyone understands what OAuth2 is really about ...

Please take a look at http://www.pmail.com/devnews.htm, you might enjoy reading it, here comes the starter:



According to the old joke, a camel is just a horse that was designed by a committee: when it came to OAUTH2, though, what the committee produced was more like a two-wheeled donkey.



Please take a look at http://www.pmail.com/devnews.htm, you might enjoy reading it, here comes the starter: > According to the old joke, a camel is just a horse that was designed by a committee: when it came to OAUTH2, though, what the committee produced was more like a two-wheeled donkey.

			Michael

--
PGP Key ID (RSA 2048): 0xC45D831B
IERenderer's Home: https://www.pmpgp.de/renderer/History.htm
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

Just so you don't miss the follow-up ...


Just so you don't miss [the follow-up](https://community.pmail.com/index.php?u=/topic/11631/oauth2-for-outlook/post-53826#post-53826) ...

			Michael

--
PGP Key ID (RSA 2048): 0xC45D831B
IERenderer's Home: https://www.pmpgp.de/renderer/History.htm
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

It is really crazy with this google costs. The throw sticks (or even tree trunks) between small developers legs just to expand their monopoly. smile
And there are not many exceptions to not need the Security assessment.
https://support.google.com/cloud/answer/9110914#exceptions-ver-reqts
https://www.nylas.com/blog/google-oauth-app-verification/


But I not sure if there are also such costs for use of Microsoft Oauth API, perhaps this is free or at least cheaper.


It is really crazy with this google costs. The throw sticks (or even tree trunks) between small developers legs just to expand their monopoly. :( And there are not many exceptions to not need the Security assessment. https://support.google.com/cloud/answer/9110914#exceptions-ver-reqts https://www.nylas.com/blog/google-oauth-app-verification/ But I not sure if there are also such costs for use of Microsoft Oauth API, perhaps this is free or at least cheaper.

Pegasus v4.8 DE - Win10 pro

edited May 9 at 7:39 am

That's just plain mean of Google - the cost of such 'security' inspections should be in large type on page 1, not at the end of an application.


Ian


That's just plain mean of Google - the cost of such 'security' inspections should be in large type on page 1, not at the end of an application. -- Ian

This is the end of it ...


This is [the end](https://community.pmail.com/index.php?u=/topic/11633/oauth2-support-for-gmail-turns-out-to-be-impossible) of it ...

			Michael

--
PGP Key ID (RSA 2048): 0xC45D831B
IERenderer's Home: https://www.pmpgp.de/renderer/History.htm
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

Is it predictable whether other mail providers will implement similar OAUTH mechanisms? Or is it, in this worst form, a Google problem only?


I'm also thinking about Mercury and hope that we don't running into a problem with e.g. german mail providers (in my case).


Is it predictable whether other mail providers will implement similar OAUTH mechanisms? Or is it, in this worst form, a Google problem only? I'm also thinking about Mercury and hope that we don't running into a problem with e.g. german mail providers (in my case).

I see Microsoft and Yahoo routinely included in OAuth2 related articles but not to the extent of Google and their restrictive access to their API. I don't have a sense into whether OAuth2 will spread.


I see Microsoft and Yahoo routinely included in OAuth2 related articles but not to the extent of Google and their restrictive access to their API. I don't have a sense into whether OAuth2 will spread.

In the (not so) long run I'm pretty sure all applications dealing with personal data will have to undergo some kind of certification, but I'm expecting something coming by legislation like from the EU in our cases here in Europe which already is doing this with regard to websites (the cookie resp. tracking stuff and hate speach or other abusive content control). But I can't imagine Ggl to become the one being contracted for applying it although the content providers (like fb and yt = Ggl) already are in the boat ...


In the (not so) long run I'm pretty sure all applications dealing with personal data will have to undergo some kind of certification, but I'm expecting something coming by legislation like from the EU in our cases here in Europe which already is doing this with regard to websites (the cookie resp. tracking stuff and hate speach or other abusive content control). But I can't imagine Ggl to become the one being contracted for applying it although the content providers (like fb and yt = Ggl) already are in the boat ...

			Michael

--
PGP Key ID (RSA 2048): 0xC45D831B
IERenderer's Home: https://www.pmpgp.de/renderer/History.htm
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

I am appalled (although not surprised) that Google is trying to use its dominant position as part of the email server oligopoly to break the POP/SMTP/IMAP standards and exert hegemonic control over all users and developers of third-party POP/IMAP/SMTP clients.


The best response would of course be to boycott Google, but I fear that won't be possible for many people. That's the nature of hegemony, and that's undoubtedly what Google is counting on.


I would have considered contributing (reluctantly) to the cost of verification for pmail, especially given that the OATH2 coding work has already been done. But I would rather my money go to David Harris than to Google. I have made a substantial contribution to help compensate David Harris for his wasted time on our behalf. I encourage other pmail users to do likewise.


I am appalled (although not surprised) that Google is trying to use its dominant position as part of the email server oligopoly to break the POP/SMTP/IMAP standards and exert hegemonic control over all users and developers of third-party POP/IMAP/SMTP clients. The best response would of course be to boycott Google, but I fear that won't be possible for many people. That's the nature of hegemony, and that's undoubtedly what Google is counting on. I would have considered contributing (reluctantly) to the cost of verification for pmail, especially given that the OATH2 coding work has already been done. But I would rather my money go to David Harris than to Google. I have made a substantial contribution to help compensate David Harris for his wasted time on our behalf. I encourage other pmail users to do likewise.

Well, there were problems for me with the Google implementation of Oauth2 for Gmail anyway, in particular that it cuts off POP access. As already pointed out by many users, downloading your entire mail from years ago, especially if you are in a rural area with poor Internet access, which could happen with IMAP, was not great to begin with.


If they really just want to cut out anything except apps from the big spenders in the long run, I'll just have to look at alternative email service providers.


For the time being anyway, I can at least report that POP access for Gmail still works fine if you enable 2-factor authentication and create an app password for Pegasus Mail. No need for Oauth2 for as long as app passwords are still an option at least.


Sad to read how much effort David put in for nothing in the end. Shameful practice to hide these annual costs until after one has done all this work for nothing.


I believe "Do no evil" was retired at Google quite some time back...


Thanks for Pegasus Mail, my mail client for decades now!


Well, there were problems for me with the Google implementation of Oauth2 for Gmail anyway, in particular that it cuts off POP access. As already pointed out by many users, downloading your entire mail from years ago, especially if you are in a rural area with poor Internet access, which could happen with IMAP, was not great to begin with. If they really just want to cut out anything except apps from the big spenders in the long run, I'll just have to look at alternative email service providers. For the time being anyway, I can at least report that POP access for Gmail still works fine if you enable 2-factor authentication and create an app password for Pegasus Mail. No need for Oauth2 for as long as app passwords are still an option at least. Sad to read how much effort David put in for nothing in the end. Shameful practice to hide these annual costs until **after** one has done all this work for nothing. I believe "Do no evil" was retired at Google quite some time back... Thanks for Pegasus Mail, my mail client for decades now!

For the time being anyway, I can at least report that POP access for Gmail still works fine if you enable 2-factor authentication and create an app password for Pegasus Mail. No need for Oauth2 for as long as app passwords are still an option at least.



That's good to know. Thank you for this report.


But:


(1) For companies or organizations that have outsourced mail to and form their domains to Google, 2-factor authentication is an option they can enable or disable at the domain level. Especially with large organizations, individual users may not have enough clout to persuade their domain administrator to enable this option just so they can use pmail or other email clients.


(2) It's not clear if this will remain an option. (It could change at Google's whim.)


(3) If you use this option, how often do you get prompted to reauthenticate with 2FA and/or change the "app password"? Once a month might be tolerable, although annoying. Weekly would be too much.


Regards,


Edward


> For the time being anyway, I can at least report that POP access for Gmail still works fine if you enable 2-factor authentication and create an app password for Pegasus Mail. No need for Oauth2 for as long as app passwords are still an option at least. That's good to know. Thank you for this report. But: (1) For companies or organizations that have outsourced mail to and form their domains to Google, 2-factor authentication is an option they can enable or disable at the domain level. Especially with large organizations, individual users may not have enough clout to persuade their domain administrator to enable this option just so they can use pmail or other email clients. (2) It's not clear if this will remain an option. (It could change at Google's whim.) (3) If you use this option, how often do you get prompted to reauthenticate with 2FA and/or change the "app password"? Once a month might be tolerable, although annoying. Weekly would be too much. Regards, Edward

(3) If you use this option, how often do you get prompted to reauthenticate with 2FA and/or change the "app password"? Once a month might be tolerable, although annoying. Weekly would be too much.


Regarding the app password, based on my research and a post on the PM-Win listserv list, it doesn't appear that they bug you about it. A post on the PM-Win list stated twice in two years. Other sources mention an alert on Google login recommending disabling an app password if you no longer need it. Regarding the 2FA, mine has been in place for 2 months without a peep from Google. I haven't logged in to Google since I first enabled it so I don't know what they might do after a set period of dormancy. If they do anything, at least it is longer than 2 months.


[quote="pid:53848, uid:3076"] (3) If you use this option, how often do you get prompted to reauthenticate with 2FA and/or change the "app password"? Once a month might be tolerable, although annoying. Weekly would be too much.[/quote] Regarding the app password, based on my research and a post on the PM-Win listserv list, it doesn't appear that they bug you about it. A post on the PM-Win list stated twice in two years. Other sources mention an alert on Google login recommending disabling an app password if you no longer need it. Regarding the 2FA, mine has been in place for 2 months without a peep from Google. I haven't logged in to Google since I first enabled it so I don't know what they might do after a set period of dormancy. If they do anything, at least it is longer than 2 months.
live preview
enter atleast 10 characters
WARNING: You mentioned %MENTIONS%, but they cannot see this message and will not be notified
Saving...
Saved
With selected deselect posts show selected posts
All posts under this topic will be deleted ?
Pending draft ... Click to resume editing
Discard draft