glorang
(Geert Lorang)
October 6, 2022, 6:04pm
1
Microsoft and Google are dropping (or already have dropped) basic auth (username + password) support in their POP and IMAP servers.
Instead you are now supposed to use OAuth2 which authenticates in a base64 encoded auth token.
This is described in more detail here:
O365 : Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Learn
Gmail: OAuth 2.0 Mechanism | IMAP for Gmail | Google Developers
For e.g. POP all we would need in poplib.py is something like:
```python
def oauth(self, token):
    """Send oauth2 authentication token, return response
    """
    return self._shortcmd('AUTH XOAUTH2 %s' % token)
```
It looks like we need two different implementations unfortunately. Google expects it on a single line, e.g.:
```
> AUTH XOAUTH2 <token>
```
While Microsoft expects it on 2 lines, e.g.:
```
> AUTH XOAUTH2
< +
> <token>
```
Is this something we could add to poplib and imaplib?
Thanks,
Geert
I personally would rather drop poplib and imaplib if its auth approach is no longer good enough and instead encourage the community to provide projects that provide OAuth2 support. I wouldn’t want us to have to handle the CVEs that would come up because our OAuth2 implementation had a bug in it.
4 Likes
glorang
(Geert Lorang)
October 6, 2022, 8:13pm
3
I only see now imaplib can actually already do this via the authenticate function, e.g. [1]:
```python
imap_conn.authenticate('XOAUTH2', lambda x: auth_string)
```
But poplib is missing such a function.
Microsoft already provides the MSAL library[2] that takes care of all OAuth2 stuff. Google also has google-auth-library-python-oauthlib[3] which presumably does the same. We just need a method to be able to provide the “final” token to poplib.
[1] gmail-oauth2-tools/oauth2.py at master · google/gmail-oauth2-tools · GitHub
[2] GitHub - AzureAD/microsoft-authentication-library-for-python: Microsoft Authentication Library (MSAL) for Python
[3] github.com/googleapis/google-auth-library-python-oauthlib
malemburg
(Marc-André Lemburg)
October 7, 2022, 11:07am
4
As I understand Geert’s suggestion, the two modules would simply receive
methods to allow for sending the OAuth tokens, not the OAuth
implementation itself – which is indeed better handled using the
already existing provide APIs.
It’s unfortunate, though, that MS and GMail are using different
variants of the extension of the protocols for this, so not sure
whether it’s worth adding to the stdlib.
1 Like
ajendrex
(Héctor Urbina)
August 1, 2024, 2:44am
5
Hi
I’m sharing a question that I posted in a Google repo, with test code that’s not working for me; maybe someone here knows?
opened 02:38AM - 01 Aug 24 UTC
Hi!
I have an access token with scope `https://www.googleapis.com/auth/gmail.… modify` and which I validated with SMTP to send emails. The same token used to try `oauth2.py` from this repository seems to be invalid:
```bash
python oauth2.py --test_imap_authentication --access_token=<access_token> --user=<email_address>
18:48.35 > b'ILPK1 AUTHENTICATE XOAUTH2'
18:48.50 < b'+ '
18:48.50 write literal size 364
18:49.49 < b'+ eyJzdGF0dXMiOiI0MDAiLCJzY2hlbWVzIjoiQmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ=='
18:49.49 write literal size 364
18:49.64 < b'ILPK1 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)'
Traceback (most recent call last):
  File "/Users/hurbina/src/gmail-oauth2-tools/python/oauth2.py", line 353, in <module>
    main(sys.argv)
  File "/Users/hurbina/src/gmail-oauth2-tools/python/oauth2.py", line 338, in main
    TestImapAuthentication(
  File "/Users/hurbina/src/gmail-oauth2-tools/python/oauth2.py", line 282, in TestImapAuthentication
    imap_conn.authenticate('XOAUTH2', lambda x: auth_string)
  File "/Users/hurbina/opt/anaconda3/lib/python3.9/imaplib.py", line 444, in authenticate
    raise self.error(dat[-1].decode('utf-8', 'replace'))
imaplib.IMAP4.error: [AUTHENTICATIONFAILED] Invalid credentials (Failure)
```
I'd appreciate very much some help to understand what is wrong.
Hector.
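
An added example, not part of any post in this thread and not stdlib code: a helper that passes an already-obtained access token to an open `poplib.POP3` connection in either of the two forms described in the first post (one line for Google, two steps for Microsoft), plus a decoder for the base64 `+` challenge line that appears in the IMAP log above. It relies on poplib's private `_shortcmd`, as the snippet in the first post does; the function names and the `two_step` flag are hypothetical.

```python
import base64
import json
import poplib


def xoauth2_string(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 response: user=<user>^Aauth=Bearer <token>^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode("ascii")


def pop3_xoauth2(conn: poplib.POP3, user: str, access_token: str,
                 two_step: bool = False) -> bytes:
    """Authenticate an open POP3 connection; returns the server's reply."""
    # \x01 separates SASL fields, so a stray one in either value could
    # smuggle extra fields; CR/LF never belong in these values either.
    if any(c in user + access_token for c in "\r\n\x01"):
        raise ValueError("control character in user or token")
    token = xoauth2_string(user, access_token)
    if not two_step:
        # Single-line form (Google in the first post).
        return conn._shortcmd("AUTH XOAUTH2 " + token)
    # Two-step form (Microsoft in the first post): the server answers the
    # bare command with "+", then the token goes on its own line.
    conn._shortcmd("AUTH XOAUTH2")
    return conn._shortcmd(token)


def decode_challenge(line: bytes) -> dict:
    """Decode a '+ <base64 JSON>' challenge the server sends on failure."""
    payload = line.strip()
    if payload.startswith(b"+"):
        payload = payload[1:].strip()
    return json.loads(base64.b64decode(payload, validate=True))
```

Run on the `+ eyJ…` line from the log above, `decode_challenge` returns status `400`, scheme `Bearer` and the scope the server names, `https://mail.google.com/`.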