OAuth Authentication for Google Mail IMAP and SMTP

Tuesday, March 30, 2010 | 3:47 PM


In 2007, Google Mail introduced IMAP access for all users. The only way to log in to IMAP was with a Google password. Meanwhile, OAuth, an industry-standard authorization protocol, has been developed. Websites have used OAuth to securely access a user’s data via Google APIs (such as contacts, calendars, and docs) once access is granted by the user. Today we are announcing the ability to authenticate to Google Mail IMAP and SMTP with OAuth. To do this, we created an experimental SASL mechanism called “XOAUTH”.

The old way of logging in to Google Mail IMAP looked like this:

01 LOGIN username@googlemail.com P4$$w0rd

Simple, but it required every device and third-party application to have a copy of the user’s Google password. That’s bad for security, and everything breaks when the user changes his password. OAuth support for IMAP and SMTP allows web, mobile and desktop applications to securely access a user’s e-mail and send e-mail on their behalf with their permission. Users now only need to approve access to their e-mail on the traditional OAuth authorization page:

After access is approved, the app can connect via IMAP and send a request like this:

01 AUTHENTICATE XOAUTH R0VUIGh0dHBzOi8vbWFpbC5nb29nbGUuY
29tL21haWwvYi91c2VybmFtZUBnb29nbGVtYWlsLmNvbS9pbWFwLyBvY
XV0aF9jb25zdW1lcl9rZXk9ImFub255bW91cyIsb2F1dGhfbm9uY2U9I
jEzMDQwNzM0Nzc4MTA1MDA2NTQzIixvYXV0aF9zaWduYXR1cmU9ImNhd
WdodHlvdXBlZWtpbmciLG9hdXRoX3NpZ25hdHVyZV9tZXRob2Q9IkhNQ
UMtU0hBMSIsb2F1dGhfdGltZXN0YW1wPSIxMjY5Mzc3NzU5IixvYXV0a
F90b2tlbj0ibm90cmVhbGx5IixvYXV0aF92ZXJzaW9uPSIxLjAiCg==

OK, it’s not pretty, but we’ve got lots of sample code to help you generate the magic string you need to send us. The nice thing is that OAuth tokens are independent of user passwords, so they keep working through password changes. And you can worry a little less about the nightmare of hackers stealing passwords out of your database. Each OAuth token has a limited scope, and can be individually revoked by the user.
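To make the "magic string" concrete, here is an added example (not Google's sample code) that builds the XOAUTH client response and then parses and verifies one the way the server side would. It assumes XOAUTH uses standard OAuth 1.0 HMAC-SHA1 signing (RFC 5849) over a GET of the per-user mail URL; SAMPLE_FROM_POST is the blob shown above (whose signature and token are joke values, so it will not verify), and the consumer and token secrets used when building are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote
# The XOAUTH client response from the post above, joined into one string.
SAMPLE_FROM_POST = (
    "R0VUIGh0dHBzOi8vbWFpbC5nb29nbGUuY"
    "29tL21haWwvYi91c2VybmFtZUBnb29nbGVtYWlsLmNvbS9pbWFwLyBvY"
    "XV0aF9jb25zdW1lcl9rZXk9ImFub255bW91cyIsb2F1dGhfbm9uY2U9I"
    "jEzMDQwNzM0Nzc4MTA1MDA2NTQzIixvYXV0aF9zaWduYXR1cmU9ImNhd"
    "WdodHlvdXBlZWtpbmciLG9hdXRoX3NpZ25hdHVyZV9tZXRob2Q9IkhNQ"
    "UMtU0hBMSIsb2F1dGhfdGltZXN0YW1wPSIxMjY5Mzc3NzU5IixvYXV0a"
    "F90b2tlbj0ibm90cmVhbGx5IixvYXV0aF92ZXJzaW9uPSIxLjAiCg=="
)

def pct(s):
    return quote(s, safe="-._~")  # RFC 5849 encoding: only unreserved chars stay bare

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 over the OAuth 1.0 signature base string, keyed with both secrets.
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)]).encode()
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def build_xoauth(email, consumer_key, consumer_secret, token, token_secret,
                 protocol="imap", nonce=None, timestamp=None):
    # Client side: the base64 argument sent with "AUTHENTICATE XOAUTH".
    url = f"https://mail.google.com/mail/b/{email}/{protocol}/"
    params = {"oauth_consumer_key": consumer_key,
              "oauth_nonce": nonce or str(secrets.randbits(64)),
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": timestamp or str(int(time.time())),
              "oauth_token": token, "oauth_version": "1.0"}
    params["oauth_signature"] = oauth1_signature("GET", url, params, consumer_secret, token_secret)
    param_str = ",".join(f'{k}="{pct(v)}"' for k, v in sorted(params.items()))
    return base64.b64encode(f"GET {url} {param_str}".encode()).decode()

def parse_xoauth(blob):
    # Server side, step 1: decode; strip() drops the trailing newline in the post's sample.
    method, url, param_str = base64.b64decode(blob).decode().strip().split(" ", 2)
    params = {k: unquote(v.strip('"')) for k, v in
              (item.split("=", 1) for item in param_str.split(","))}
    return method, url, params

def verify_xoauth(blob, consumer_secret, token_secret):
    # Server side, step 2: recompute the signature and compare in constant time.
    method, url, params = parse_xoauth(blob)
    presented = params.pop("oauth_signature", "")
    expected = oauth1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())
```

A real server would additionally reject stale timestamps and replayed nonces before looking up the token's secret and scope.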

We’re also working on an industry standard SASL mechanism for doing OAuth, and will roll that out as soon as it’s ready. We were so excited about the benefits of XOAUTH that we couldn’t wait to get it out there for people to use.

To get started with XOAUTH, check out the Gmail site on code.google.com, which has documentation, a tutorial, and sample code.

4 comments:

brousky said...

Great news. Just as we're releasing the IMAP import functionality for DokDok, we'll make sure it uses OAuth instead of standard credentials in time for the public beta!

PhL said...

We implemented it at Kwaga for our smart notifier - it's really powerful and easy to integrate.

Mohammad Nezarati said...

Great News. We at Esna implemented it also for Unified Communications integration to all Google services. It's simple and elegant.

Saqib Ali said...

OAuth for IMAP is awesome; the question is when are we going to have OAuth support for GTalk/ActiveSync?

GTalk/ActiveSync with OAuth is key for enterprises using googleapps with SAML SSO and don't wanna give out the Google Password Store passwords to their users.