Tuesday, March 30, 2010

OAuth access to IMAP/SMTP in Gmail

Google has long believed that users should be able to export their data and use it with whichever service they choose. For years, the Gmail service has supported standard API protocols like POP and IMAP at no extra cost to our users. These efforts are consistent with our broader data liberation efforts.

In addition to making it easier for users to export their data, we also enable them to authorize third party (non-Google developed) applications and websites to access their data at Google. One of the more common examples is allowing a social network to access your address book in order to send invitations to your friends.

While it is possible for a user to authorize this access by disclosing their Google Account password to the third party app, it is more secure for the app developer to use the industry standard protocol called OAuth which enables the user to give their consent for specific access without sharing their password. Most Google APIs support this OAuth standard, and starting today it is also available for the IMAP/SMTP feature of Gmail.

The feature is available in Google Code Labs and we have provided a site with documentation and sample code. In addition, Google has begun working with other companies like Yahoo and Mozilla on a formal Internet standard for using OAuth with IMAP/SMTP (learn more at the OAuth for IMAP mailing list).

One of the first companies using this feature is Syphir, in their SmartPush application for the iPhone, as shown in the screenshots below. Unlike other push apps, Syphir's SmartPush application never sees or stores the user's Gmail password thanks to this new OAuth support.



We look forward to finalizing an Internet standard for using OAuth with IMAP/SMTP, and working with IMAP/SMTP mail clients to add that support.
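As an added illustration (not Google's sample code and not part of the original post), the Python below builds the signed client response a mail client would send with the IMAP AUTHENTICATE command under the 2010-era Gmail XOAUTH mechanism, and shows the server-side check that recomputes the OAuth 1.0a HMAC-SHA1 signature from the stored secrets. The response layout, the mail.google.com URL form, and every key, token and address are assumptions or constructed sample values; the point it demonstrates is that the signed line carries a revocable token and never the user's password.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Added example (not Google's sample code). Assumed 2010-era Gmail XOAUTH layout:
# an OAuth 1.0a HMAC-SHA1 signed line "GET https://mail.google.com/mail/b/<email>/imap/
# oauth_k=\"v\",...", sent base64-encoded with AUTHENTICATE XOAUTH. All values are sample data.

def pct(s):
    # OAuth 1.0a percent-encoding: only unreserved characters stay as-is.
    return quote(s, safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 over the OAuth 1.0a signature base string; returns base64 text.
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def xoauth_response(email, consumer_key, consumer_secret, token, token_secret,
                    nonce, timestamp, service="imap"):
    # The plaintext the client signs: the user's password never appears in it.
    url = f"https://mail.google.com/mail/b/{email}/{service}/"
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
              "oauth_token": token, "oauth_version": "1.0"}
    params["oauth_signature"] = sign("GET", url, params, consumer_secret, token_secret)
    header = ",".join(f'{k}="{pct(v)}"' for k, v in sorted(params.items()))
    return f"GET {url} {header}"

def imap_authenticate_line(tag, response):
    # The IMAP command a client sends, with the signed response base64-wrapped.
    return f"{tag} AUTHENTICATE XOAUTH {base64.b64encode(response.encode()).decode()}"

def verify_xoauth_response(response, consumer_secret, token_secret):
    # Server-side check: recompute the signature from the received fields and the
    # stored secrets; constant-time compare rejects a forged or altered line.
    try:
        method, url, header = response.split(" ", 2)
        pairs = (part.split("=", 1) for part in header.split(","))
        fields = {k: unquote(v.strip('"')) for k, v in pairs}
    except ValueError:
        return False
    claimed = fields.pop("oauth_signature", "")
    if fields.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = sign(method, url, fields, consumer_secret, token_secret)
    return hmac.compare_digest(claimed.encode(), expected.encode())
```

Revoking the token on the server side makes every line signed with it fail this check, which is the "deauthorize without changing the password" property the post describes.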

32 comments:

  1. Will this provide any benefits to a desktop app that downloads mails using IMAP?

  2. Yes, at Kwaga we are using OAuth access to IMAP for our smart notifier (which notifies you only of relevant mails) and this is done from a desktop application.

  3. Nice. One thing about the screenshots though: "Gmail" is really *not* a sufficient way of telling the user that the third party will be able to access all his email...

  4. https://www.el5yal.com/vb/

  5. OK. Let me elaborate my question on the benefits of OAuth in a desktop application.

    If the mails are not sent to a 3rd party server and are only downloaded by a desktop app and stored in the local hard disk, what are benefits of OAuth as compared to storing the password directly?

    Should a mail client like Thunderbird/Outlook start supporting OAuth? If yes, what will be the benefits?

    As per my understanding, OAuth is designed so that a web app need not store the actual password. For desktop/local apps it is OK to store the password in a local repository.

    Please correct me if I am missing something.

  6. Will this provide access to google talk logs? So far I haven't been able to "liberate" those.

  7. Not everyone wants to hear this on this particular post, but why on earth is the screenshot of an iPhone and NOT an Android?

  8. @Rohit

    Nope, OAuth is developed so that your password won't fall into the wrong hands. Your password is only exposed to Google, not the 3rd party using OAuth.

  9. @Abhiroop … soo true … and why not a screenshot of my HTC Magic with an already outdated operating system?

  10. Hope that granting third party apps access to the feed inbox or IMAP through OAuth will be logged in our login activity, like from which country/IP it's logged in.

  11. @Baris,

    I understand that. I was asking whether there is any advantage for using OAuth for a desktop app instead of storing the credentials locally.

  12. @Rohit,

    assuming they support this for the enterprise or education editions of Google apps, it's an advantage if you're using single sign on, since you no longer have to provision user passwords to Google for IMAP access.

  13. Sweet!!!! This is totally awesome. :)

    Now the question is when are we gonna have a GTalk client that supports OAuth????

  14. + GTalk with OAuth is key for enterprises using Google Apps with SAML SSO that don't wanna give out the Google Password Store passwords to their users.

  15. I have good news! I passed the OG0-9AB exam; the score is 89%, which surprised me.
    With Ourexam OG0-9AB exam material, I got successful!

    My next goal is the ST0-066 exam; my successful experience proves that choosing a suitable piece of exam material is very necessary.

    The detail of ST0-066 and OG0-9AB exam:
    OG0-9AB:http://www.ourexam.com/OG0-9AB.html
    ST0-066:http://www.ourexam.com/ST0-066.html

  16. How do users manage their OAuth permissions (specifically for Google Apps)?

  17. For those wondering why you'd want to use OAuth for installed apps, one advantage for the user is that they can deauthorize your app without having to change their password and reauthorize all the other apps that access their Google accounts.

    It also creates a lower bar of trust you need from the customer because, although you're getting access to mail as if you had their ID and password, they can limit your access to mail and keep you out of their other Google services.

  18. Nice to see this. Over here at NuevaSync we turned on IMAP and SMTP OAuth support for our GMail users earlier today. All seems to be working well.

  19. Why are the code samples not working? I am getting an "unable to select folder" message:

    Zend_Mail_Storage_Exception' with message 'cannot change folder, maybe it does not exist

  20. You know, this really only works properly if you forward the request to the system standard browser (Mobile Safari on the iPhone) instead of having the Google login form directly in the app. If the Google login form gets presented in the app, who's to say that it's not spoofed by the app? How do you know you're not actually sending your password to the app and they're just proxying the request on the backend?

  21. Does IMAP OAuth support 2-legged OAuth via the Google Enterprise Consumer Key/Secret so applications can log in to any mailbox in a Google Apps domain?

  22. @Kevin,

    Can you please explain what you are trying to do?

    There is no login in OAuth, but client Authorization using OAuth works for GAPE users.

    Saqib

  23. We are building an application using IMAP to copy email from a first Gmail account into a second Gmail account, and it takes as much time as the size of the email by first downloading from the first Gmail account and then uploading into the second Gmail account. This becomes an issue when the user has emails with large attachments, say 4-5 MB each. Will OAuth help to reduce this time, or can it even directly copy between two accounts on the server without download and then upload? Any comment will be helpful.

  24. Does this mean we can give permission to third party apps to access our Google Reader accounts without giving them the password as well?

  25. @shanmuga
    I get that too with the two-legged.php; the three-legged one does work. Not sure yet why.

  26. @Saqib_Ali
    I mean authenticating to IMAP using 2-legged authentication.

    x AUTHENTICATE X-OAUTH ...

    Using the Consumer Key and Consumer Secret provided by the Google Apps enterprise site.

    I should probably investigate using 3-legged authentication instead.

  27. I'm really glad to see this being implemented, and I hope developers of Gmail apps out there realize that they best be switching to using OAuth soon (if feasible of course).

    I hate the idea of having to give my login details for my entire Google account to an application that just notifies me if I have new mail. I really can't wait to have OAuth support implemented so I no longer have to give out high-access credentials to a basic app.

  28. Why is the user email address required? Can I simply get it from Google once I have an access token?

  29. It was working properly for me... until yesterday! Suddenly, it stopped connecting without notice. Did you change something in the API?

  30. The sample code doesn't work with Google App Engine.

  31. Question: Does using OAuth change anything with regard to whether the user has to manually enable IMAP access before my third-party app can have access to the customer's email via IMAP? If not, is there any way to help the customer turn on IMAP support without making him/her go through these steps:

    http://mail.google.com/support/bin/answer.py?answer=77695

    In other words, I'd like to simply ask the user for permission to access his/her email via IMAP, period. The user can say yes or no. No other passwords or fiddling with gmail settings. Is this possible using OAuth?
