Community Discussions and Support
Just so everyone understands what OAuth2 is really about ...

Please take a look at http://www.pmail.com/devnews.htm, you might enjoy reading it, here comes the starter:



> According to the old joke, a camel is just a horse that was designed by a committee: when it came to OAUTH2, though, what the committee produced was more like a two-wheeled donkey.



			Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

Just so you don't miss [the follow-up](https://community.pmail.com/index.php?u=/topic/11631/oauth2-for-outlook/post-53826#post-53826) ...
			Michael

It is really crazy with these Google costs. They throw sticks (or even tree trunks) between small developers' legs just to expand their monopoly. :(
And there are not many exceptions to not need the Security assessment.
https://support.google.com/cloud/answer/9110914#exceptions-ver-reqts
https://www.nylas.com/blog/google-oauth-app-verification/


But I am not sure if there are also such costs for use of the Microsoft OAuth API; perhaps this is free or at least cheaper.



Pegasus v4.81 Beta

edited May 9 '22 at 7:39 am

That's just plain mean of Google - the cost of such 'security' inspections should be in large type on page 1, not at the end of an application.


Ian



This is [the end](https://community.pmail.com/index.php?u=/topic/11633/oauth2-support-for-gmail-turns-out-to-be-impossible) of it ...
			Michael

Is it predictable whether other mail providers will implement similar OAUTH mechanisms? Or is it, in this worst form, a Google problem only?


I'm also thinking about Mercury and hope that we don't run into a problem with e.g. German mail providers (in my case).



I see Microsoft and Yahoo routinely included in OAuth2 related articles but not to the extent of Google and their restrictive access to their API. I don't have a sense into whether OAuth2 will spread.



In the (not so) long run I'm pretty sure all applications dealing with personal data will have to undergo some kind of certification, but I'm expecting something coming by legislation like from the EU in our cases here in Europe which already is doing this with regard to websites (the cookie resp. tracking stuff and hate speech or other abusive content control). But I can't imagine Ggl to become the one being contracted for applying it although the content providers (like fb and yt = Ggl) already are in the boat ...


			Michael

I am appalled (although not surprised) that Google is trying to use its dominant position as part of the email server oligopoly to break the POP/SMTP/IMAP standards and exert hegemonic control over all users and developers of third-party POP/IMAP/SMTP clients.


The best response would of course be to boycott Google, but I fear that won't be possible for many people. That's the nature of hegemony, and that's undoubtedly what Google is counting on.


I would have considered contributing (reluctantly) to the cost of verification for pmail, especially given that the OAUTH2 coding work has already been done. But I would rather my money go to David Harris than to Google. I have made a substantial contribution to help compensate David Harris for his wasted time on our behalf. I encourage other pmail users to do likewise.



Well, there were problems for me with the Google implementation of Oauth2 for Gmail anyway, in particular that it cuts off POP access. As already pointed out by many users, downloading your entire mail from years ago, especially if you are in a rural area with poor Internet access, which could happen with IMAP, was not great to begin with.


If they really just want to cut out anything except apps from the big spenders in the long run, I'll just have to look at alternative email service providers.


For the time being anyway, I can at least report that POP access for Gmail still works fine if you enable 2-factor authentication and create an app password for Pegasus Mail. No need for Oauth2 for as long as app passwords are still an option at least.


Sad to read how much effort David put in for nothing in the end. Shameful practice to hide these annual costs until after one has done all this work for nothing.


I believe "Do no evil" was retired at Google quite some time back...


Thanks for Pegasus Mail, my mail client for decades now!



> For the time being anyway, I can at least report that POP access for Gmail still works fine if you enable 2-factor authentication and create an app password for Pegasus Mail. No need for Oauth2 for as long as app passwords are still an option at least.



That's good to know. Thank you for this report.


But:


(1) For companies or organizations that have outsourced mail to and from their domains to Google, 2-factor authentication is an option they can enable or disable at the domain level. Especially with large organizations, individual users may not have enough clout to persuade their domain administrator to enable this option just so they can use pmail or other email clients.


(2) It's not clear if this will remain an option. (It could change at Google's whim.)


(3) If you use this option, how often do you get prompted to reauthenticate with 2FA and/or change the "app password"? Once a month might be tolerable, although annoying. Weekly would be too much.


Regards,


Edward



> (3) If you use this option, how often do you get prompted to reauthenticate with 2FA and/or change the "app password"? Once a month might be tolerable, although annoying. Weekly would be too much.


Regarding the app password, based on my research and a post on the PM-Win listserv list, it doesn't appear that they bug you about it. A post on the PM-Win list stated twice in two years. Other sources mention an alert on Google login recommending disabling an app password if you no longer need it. Regarding the 2FA, mine has been in place for 2 months without a peep from Google. I haven't logged in to Google since I first enabled it so I don't know what they might do after a set period of dormancy. If they do anything, at least it is longer than 2 months.



> For the time being anyway, I can at least report that POP access for Gmail still works fine if you enable 2-factor authentication and create an app password for Pegasus Mail. No need for Oauth2 for as long as app passwords are still an option at least.

Sorry... newbie here... I've been using PMail since 1994. Single user on a Windows PC, not part of any organisation, don't understand much about SMTP and POP and IMAP... PMail works for me as a way to access my GMail account. Horrified at the thought of having to find a new email program. Will I have to do that on Wednesday? Is this 2FA a solution and how do I implement it? Thanks!



Yes, as far as we know based on what Google has stated. You should have received an email from them about it.


What we believe is that Pegasus Mail will continue to work with a Gmail account as long as you are using an app password for authentication. An app password is a password generated by Google at your request for a specific app. In order to request one you must first enable 2-Step Verification on your Google account. You can then go through the process of requesting an app password. Once you have it, you put it in place of your Google password in your Pegasus Mail host files for your gmail account (Tools > Internet options > Receiving and Sending tabs), or in your gmail IMAP profile if you are using IMAP. Keep your Google password because you will still need it to log into your Google account. The app password will not work for that.


This is the URL to a Google document about their app password:
https://support.google.com/mail/answer/185833?hl=en



> What we believe is that Pegasus Mail will continue to work with a Gmail account as long as you are using an app password for authentication. An app password is a password generated by Google at your request for a specific app. In order to request one you must first enable 2-Step Verification on your Google account. You can then go through the process of requesting an app password. Once you have it, you put it in place of your Google password in your Pegasus Mail host files for your gmail account (Tools > Internet options > Receiving and Sending tabs), or in your gmail IMAP profile if you are using IMAP. Keep your Google password because you will still need it to log into your Google account. The app password will not work for that.

Thanks so much, Brian. I'll read up about it and try to implement it!



I implemented the app password and all still seems to be working...


I am hoping (just a little) that a forum member is still relying on the less secure apps option and will report whether it still works or confirm that Google has indeed stopped its support of it.



Still works here with the old settings and without an app password.



Yup, still working fine both ways: with less secure apps and with app password (separate accounts of course).


Update: "less secure apps" stopped working as of Jun 07. App password works fine.


edited Jun 7 '22 at 4:05 pm

I have an organizational account hosted by Google but on the organization's domain, not on Gmail.com or a Google domain.


Two-factor authentication is not enabled for this domain, and I don't control the organizational-level settings to enable it. So I can't use an app password with this account.


As of now I can still access Google's servers for this account from any client (including Pegasus Mail for Windows or K-9 Mail for Android) using the Google account password (not an app password) for POP, SMTP, and IMAP.

