OAuth Authentication for Google Mail IMAP and SMTP

Tuesday, March 30, 2010 | 3:47 PM


In 2007, Google Mail introduced IMAP access for all users. The only way to log in to IMAP was with a Google password. Meanwhile, OAuth, an industry-standard authorization protocol, was developed. Websites have used OAuth to securely access a user’s data via Google APIs (such as contacts, calendars, and docs) once access is granted by the user. Today we are announcing the ability to authenticate to Google Mail IMAP and SMTP with OAuth. To do this, we created an experimental SASL mechanism called “XOAUTH”.

The old way of logging in to Google Mail IMAP looked like this:

01 LOGIN username@googlemail.com P4$$w0rd

Simple, but it required every device and third-party application to have a copy of the user’s Google password. That’s bad for security, and everything breaks when the user changes his password. OAuth support for IMAP and SMTP allows web, mobile and desktop applications to securely access a user’s e-mail and send e-mail on their behalf with their permission. Users now only need to approve access to their e-mail on the traditional OAuth authorization page:

After access is approved, the app can connect via IMAP and send a request like this:

OK, it’s not pretty, but we’ve got lots of sample code to help you generate the magic string you need to send us. The nice thing is that OAuth tokens are independent of user passwords, so they keep working through password changes. And you can worry a little less about the nightmare of hackers stealing passwords out of your database. Each OAuth token has a limited scope, and can be individually revoked by the user.
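As an added example (not Google's sample code), here is how a client assembles the XOAUTH initial response for IMAP and how the receiving side recomputes the HMAC-SHA1 signature from the blob's own URL and parameters. The consumer key/secret, token pair, nonce and timestamp are constructed placeholders; the "GET <url> <comma-separated OAuth params>" layout follows the XOAUTH documentation on code.google.com, which this post only points to.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample credentials, not real ones: the consumer pair comes from
# registering the application, the token pair from the user's OAuth approval.
CONSUMER_KEY, CONSUMER_SECRET = "example-app.invalid", "consumer-secret-EXAMPLE"
TOKEN, TOKEN_SECRET = "1/access-token-EXAMPLE", "token-secret-EXAMPLE"


def _enc(s):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal."""
    return urllib.parse.quote(s, safe="-._~")


def oauth_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the OAuth 1.0 signature base string (sorted params, no signature)."""
    norm = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method, _enc(url), _enc(norm)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def build_xoauth(user, nonce, timestamp, proto="imap", token=TOKEN,
                 token_secret=TOKEN_SECRET, key=CONSUMER_KEY, secret=CONSUMER_SECRET):
    """Client side: the base64 argument of 'AUTHENTICATE XOAUTH'. The signed URL
    names the mailbox and protocol, so the signature is bound to that user."""
    url = f"https://mail.google.com/mail/b/{user}/{proto}/"
    params = {"oauth_consumer_key": key, "oauth_nonce": nonce,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
              "oauth_token": token, "oauth_version": "1.0"}
    params["oauth_signature"] = oauth_signature("GET", url, params, secret, token_secret)
    header = ",".join(f'{k}="{_enc(v)}"' for k, v in sorted(params.items()))
    return base64.b64encode(f"GET {url} {header}".encode()).decode()


def parse_xoauth(blob):
    """Split a blob into (method, url, params); parameter values are percent-decoded."""
    method, url, header = base64.b64decode(blob).decode().split(" ", 2)
    params = dict(item.split("=", 1) for item in header.split(","))
    return method, url, {k: urllib.parse.unquote(v.strip('"')) for k, v in params.items()}


def verify_xoauth(blob, consumer_secret, token_secret):
    """Server side: recompute the signature over what the blob claims. A real
    server also rejects stale timestamps and reused nonces (omitted here)."""
    method, url, params = parse_xoauth(blob)
    presented = params.pop("oauth_signature")
    expected = oauth_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)
```

Because the token secret, not the Google password, keys the HMAC, the client never holds the password and a leaked token can be revoked on its own.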

We’re also working on an industry standard SASL mechanism for doing OAuth, and will roll that out as soon as it’s ready. We were so excited about the benefits of XOAUTH that we couldn’t wait to get it out there for people to use.

To get started with XOAUTH, check out the Gmail site on code.google.com, which has documentation, a tutorial, and sample code.


brousky said...

Great news. Just as we're releasing the IMAP import functionality for DokDok, we'll make sure it uses OAuth instead of standard credentials in time for the public beta!

PhL said...

We implemented it at Kwaga for our smart notifier - it's really powerful and easy to integrate.

Mohammad Nezarati said...

Great News. We at Esna implemented it also for Unified Communications integration to all Google services. It's simple and elegant.

Saqib Ali said...

OAuth for IMAP is awesome, the question is when are we going to have OAuth support for GTalk/ActiveSync?

GTalk/ActiveSync with OAuth is key for enterprises using Google Apps with SAML SSO who don't want to give out the Google Password Store passwords to their users.