Tuesday, March 30, 2010 | 3:47 PM
In 2007, Google Mail introduced IMAP access for all users. The only way to log in to IMAP was with the user's Google password. Meanwhile OAuth, an industry-standard authorization protocol, had been developed, and websites have used it to securely access a user's data via Google APIs (such as contacts, calendars, and docs) once the user grants access. Today we are announcing the ability to authenticate to Google Mail IMAP and SMTP with OAuth. To do this, we created an experimental SASL mechanism called "XOAUTH".
The old way of logging in to Google Mail IMAP looked like this:
01 LOGIN email@example.com P4$$w0rd

Simple, but it required every device and third-party application to hold a copy of the user's Google password. That's bad for security, and everything breaks when the user changes their password. OAuth support for IMAP and SMTP allows web, mobile and desktop applications to securely access a user's e-mail and send e-mail on their behalf with their permission. Users now only need to approve access to their e-mail on the traditional OAuth authorization page:
After access is approved, the app can connect via IMAP and send a request like this:
01 AUTHENTICATE XOAUTH R0VUIGh0dHBzOi8vbWFpbC5nb29nbGUuY
OK, it’s not pretty, but we’ve got lots of sample code to help you generate the magic string you need to send us. The nice thing is that OAuth tokens are independent of user passwords, so they keep working through password changes. And you can worry a little less about the nightmare of hackers stealing passwords out of your database. Each OAuth token has a limited scope, and can be individually revoked by the user.
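The following is an added example, not code from this post or from Google's own sample code. It builds the string sent after AUTHENTICATE XOAUTH as an OAuth 1.0 HMAC-SHA1 signed GET request, base64-encoded, and, to show what the receiving side has to check, verifies one: the mailbox the request was signed for, the timestamp window, and the signature under the consumer and token secrets. The only thing the post itself shows is the decoded prefix of the string above ("GET https://mail.google.c..."); the request URL form https://mail.google.com/mail/b/<user>/imap/, the comma-separated quoted parameter layout, the "anonymous" consumer key and secret, and the token, nonce and timestamp values are assumptions or constructed sample input.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import quote, unquote

# Assumed shape of the signed request the mechanism wraps. The post only shows
# the decoded prefix "GET https://mail.google.c..."; the path is an assumption.
MAIL_URL = "https://mail.google.com/mail/b/{user}/{proto}/"
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def _enc(s: str) -> str:
    """OAuth 1.0 percent-encoding: everything but A-Z a-z 0-9 - . _ ~ is escaped."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(url) & enc(k=v pairs sorted by key, joined with &)."""
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """oauth_signature: base64(HMAC-SHA1(enc(consumer_secret)&enc(token_secret), base))."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def build_xoauth(user, token, token_secret, consumer_key, consumer_secret,
                 proto="imap", nonce=None, timestamp=None) -> str:
    """Client side: the base64 string sent after AUTHENTICATE XOAUTH (or SMTP AUTH XOAUTH)."""
    url = MAIL_URL.format(user=user, proto=proto)
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string("GET", url, params), consumer_secret, token_secret)
    # Values are percent-encoded, so the header contains no spaces and the
    # three space-separated fields can be split apart again unambiguously.
    header = ",".join(f'{k}="{_enc(v)}"' for k, v in sorted(params.items()))
    return base64.b64encode(f"GET {url} {header}".encode()).decode()


def parse_xoauth(initial_response: str):
    """Undo build_xoauth: returns (method, url, params) or raises ValueError."""
    method, url, header = base64.b64decode(initial_response).decode().split(" ", 2)
    return method, url, {k: unquote(v) for k, v in _PARAM_RE.findall(header)}


def verify_xoauth(initial_response, consumer_secret, token_secret, expected_user,
                  proto="imap", max_skew=300, now=None) -> bool:
    """Server side: bind the request to one mailbox, bound the timestamp, recompute
    the signature under the secrets and compare it in constant time."""
    try:
        method, url, params = parse_xoauth(initial_response)
    except ValueError:  # bad base64, non-UTF-8 bytes, or not three fields
        return False
    presented = params.pop("oauth_signature", None)
    if presented is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if url != MAIL_URL.format(user=expected_user, proto=proto):
        return False  # a request signed for another mailbox or protocol must not pass here
    ts = params.get("oauth_timestamp", "")
    if not ts.isdigit() or abs((now or int(time.time())) - int(ts)) > max_skew:
        return False  # a real server also rejects an already-seen nonce to stop replay
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed sample values; a real token and secret come out of the OAuth flow.
    resp = build_xoauth("user@example.com", "1/abc-token", "token-secret",
                        "anonymous", "anonymous", nonce="1", timestamp=1269983220)
    print("01 AUTHENTICATE XOAUTH " + resp)
    print(verify_xoauth(resp, "anonymous", "token-secret", "user@example.com",
                        now=1269983230))  # True
```

Two things worth noticing in the verify path: the signed URL carries the mailbox, so a token obtained for one account cannot be presented against another even with a valid signature, and the signature covers the timestamp and nonce, so a captured string is only replayable within the skew window and only until the server has recorded its nonce. If you drive this from Python's imaplib, note that IMAP4.authenticate base64-encodes whatever your callback returns, so hand it the decoded "GET ..." line (base64.b64decode of the value above) rather than the already-encoded string.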
We’re also working on an industry-standard SASL mechanism for doing OAuth, and will roll that out as soon as it’s ready. We were so excited about the benefits of XOAUTH that we couldn’t wait to get it out there for people to use.
To get started with XOAUTH, check out the Gmail site on code.google.com, which has documentation, a tutorial, and sample code.