Remove XOAUTH2 support #18

Closed
emersion opened this issue May 9, 2020 · 11 comments

@emersion
Owner

emersion commented May 9, 2020

XOAUTH2 is superseded by OAUTHBEARER. Gmail has switched to the new mechanism.

@foxcpp
Collaborator

foxcpp commented May 9, 2020

Funny though, I have seen multiple clients offering XOAUTH2 support but not OAUTHBEARER. But I generally support getting rid of XOAUTH2.

@foxcpp foxcpp closed this as completed in 7bfe0ed May 9, 2020
@benjcal

benjcal commented Jul 30, 2020

@emersion Would you mind giving a sample of how to use OAUTHBEARER instead of XOAUTH2?

I have something along the lines of this (taking out error checking for brevity)

c, _ := client.DialTLS(addr, nil)
c.Authenticate(sasl.NewXoauth2Client(email, token))

Would it be a matter of just switching what I pass to c.Authenticate()?

c, _ := client.DialTLS(addr, nil)
c.Authenticate(sasl.NewOAuthBearerClient(&sasl.OAuthBearerOptions{
	Username: email,
	Token:    token,
}))

How about Host and Port?

Sorry if it's a dumb question 😃
Thanks!

@benjcal

benjcal commented Jul 30, 2020

Quick update. Tested this with GMail and Outlook. My approach above works fine but Outlook doesn't support OAUTHBEARER.

Is it possible to have XOAUTH2 and OAUTHBEARER, even if a warning is presented when using XOAUTH2 as being deprecated?
Thx!

@emersion
Owner Author

Hmm, indeed, it sounds like Outlook supports XOAUTH2 but not OAUTHBEARER:

001 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
001 OK CAPABILITY completed.

There's definitely an argument to be made to bring back XOAUTH2, since we still support the non-standard LOGIN mechanism. I'd still prefer not to have to maintain these.
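Choosing the mechanism from what the server advertises, as an added example (not code from this thread or from go-sasl/go-imap). `authMechs` and `pickOAuthMech` are hypothetical helper names; the input is the Outlook capability line quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// preferred lists the OAuth mechanisms in order of preference: the
// standard OAUTHBEARER first, the legacy XOAUTH2 second.
var preferred = []string{"OAUTHBEARER", "XOAUTH2"}

// authMechs extracts the AUTH= entries from an untagged CAPABILITY line.
func authMechs(line string) map[string]bool {
	mechs := make(map[string]bool)
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "*" || !strings.EqualFold(fields[1], "CAPABILITY") {
		return mechs
	}
	for _, f := range fields[2:] {
		up := strings.ToUpper(f)
		if strings.HasPrefix(up, "AUTH=") {
			mechs[strings.TrimPrefix(up, "AUTH=")] = true
		}
	}
	return mechs
}

// pickOAuthMech returns the first preferred mechanism the server offers.
// It returns an error instead of falling back to a password mechanism.
func pickOAuthMech(line string) (string, error) {
	mechs := authMechs(line)
	for _, m := range preferred {
		if mechs[m] {
			return m, nil
		}
	}
	return "", fmt.Errorf("server offers no OAuth SASL mechanism")
}

func main() {
	// The Outlook capability line quoted in the comment above.
	outlook := "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+"
	mech, err := pickOAuthMech(outlook)
	fmt.Println(mech, err)
}
```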

@benjcal

benjcal commented Jul 31, 2020

I'd be fine looking after XOAUTH2 given that Outlook support for IMAP is something that I need. If it was possible though, I'd rather contribute to this repo than have my own fork.

@emersion
Owner Author

We discussed with @foxcpp on IRC and agreed that we'd prefer to remove all legacy mechanisms: LOGIN and XOAUTH2. It's not a lot of code to copy-paste into your own project if you really need them.
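What the two mechanisms put on the wire, and what a self-maintained XOAUTH2 client can look like, as an added example (not the code removed from go-sasl and not written by anyone in this thread). It also shows where the Host and Port asked about earlier end up: they are optional key/value pairs in the RFC 7628 message. `xoauth2Client` and `oauthBearerIR` are hypothetical names, the `Start`/`Next` signatures are assumed to match go-sasl's `Client` interface, and the user, token and host values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// xoauth2Client has the Start/Next method shape of go-sasl's Client interface.
type xoauth2Client struct{ user, token string }

// Start returns the mechanism name and the XOAUTH2 initial response.
func (c *xoauth2Client) Start() (string, []byte, error) {
	return "XOAUTH2", []byte("user=" + c.user + "\x01auth=Bearer " + c.token + "\x01\x01"), nil
}

// Next only runs on failure, when the server sends a JSON error challenge.
func (c *xoauth2Client) Next(challenge []byte) ([]byte, error) {
	var e struct {
		Status string `json:"status"`
		Scope  string `json:"scope"`
	}
	if err := json.Unmarshal(challenge, &e); err != nil {
		return nil, fmt.Errorf("xoauth2: unreadable challenge: %w", err)
	}
	return nil, fmt.Errorf("xoauth2: rejected, status=%s scope=%q", e.Status, e.Scope)
}

// oauthBearerIR builds the RFC 7628 initial response; host and port are
// optional key/value pairs, omitted when "" or 0.
func oauthBearerIR(user, token, host string, port int) []byte {
	// "=" and "," must be escaped inside the gs2 authzid.
	authzid := strings.NewReplacer("=", "=3D", ",", "=2C").Replace(user)
	var b strings.Builder
	b.WriteString("n,a=" + authzid + ",\x01")
	if host != "" {
		b.WriteString("host=" + host + "\x01")
	}
	if port != 0 {
		b.WriteString("port=" + strconv.Itoa(port) + "\x01")
	}
	b.WriteString("auth=Bearer " + token + "\x01\x01")
	return []byte(b.String())
}

func main() {
	_, ir, _ := (&xoauth2Client{"user@example.com", "TOKEN"}).Start()
	fmt.Printf("%q\n%q\n", ir, oauthBearerIR("user@example.com", "TOKEN", "imap.example.com", 993))
}
```

Both initial responses carry the bearer token in the clear before base64 encoding, so any traffic dump of the AUTHENTICATE exchange contains a usable credential and should be handled as a secret.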

@benjcal

benjcal commented Aug 17, 2020 via email

@sjawaji

sjawaji commented Sep 7, 2020

@benjcal - did you get xoauth2 working for outlook with client secret?

I am getting "AUTHENTICATION failed" with not much information.
@emersion - what is the best way to debug the reason for failure?

I tested "tenant id", "client id" and "client secret" with a Python library and it is working fine. But I am not able to get it working using "go-sasl" & "go-imap".

@benjcal

benjcal commented Sep 7, 2020

@sjawaji I got it working but I'm not using the latest code, I'm using one commit before they deleted XOAUTH2.

One of the best ways to take a look at what is happening is to use func (c *Conn) SetDebug(w io.Writer) like c.SetDebug(os.Stdout)

The complicated part was not really getting xoauth2 working but to get the proper token with the correct scopes.

These are the scopes that I'm using:

Scopes: []string{
	"offline_access",
	"https://outlook.office.com/User.Read",
	"https://outlook.office.com/IMAP.AccessAsUser.All",
}

and to actually use xoauth2 this is what I used:

c, _ := client.DialTLS(IMAP_ADDRESS, nil)
a := sasl.NewXoauth2Client(USER_EMAIL, USER_TOKEN)
c.Authenticate(a)

Hope this helps!

@sjawaji

sjawaji commented Sep 7, 2020

@benjcal I have tried c.SetDebug(os.Stdout) but the information regarding the failure is still cryptic: NO AUTHENTICATE failed.

When I use the scopes you have suggested, I am getting the following error.
The scope offline_access https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All is not valid.

Following is the scope using which I am able to generate token.
https://graph.microsoft.com/.default

I can authenticate via c.Authenticate(sasl.NewPlainClient(username, username, password)) but not via c.Authenticate(sasl.NewXoauth2Client(username, token.AccessToken))

I don't want to use password based authentication.

@benjcal

benjcal commented Sep 8, 2020

Make sure that the app (oauth client_id and client_secret) has access to request those scopes.

You don’t just need any token, you need a token that can be used to connect to IMAP.

So focus first on getting a token that can be used for IMAP. The scopes that I sent are the only ones I was able to get working for IMAP, and from my research I couldn’t use Graph scopes for IMAP.

I’m not sure I’d be of much help without seeing your specific use case and your oauth flow. But my guess is that your issue is with the token and not with xoauth2.
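A way to check which resource a token was issued for before blaming the SASL layer, as an added example (not code from this thread or from go-sasl). It assumes the access token is a JWT with `aud` and `scp` claims, which is an assumption about the identity provider; `decodeClaims`, `imapProblem` and `sampleToken` are hypothetical names and the token is constructed and unsigned.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claims holds the two fields checked here (assumed claim names).
type claims struct {
	Aud string `json:"aud"` // resource the token was issued for
	Scp string `json:"scp"` // space-separated delegated scopes
}

// decodeClaims reads a JWT payload WITHOUT verifying the signature: debugging only.
func decodeClaims(token string) (c claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a three-part JWT (opaque token?)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}

// imapProblem returns "" when the token targets wantAud and has the IMAP scope.
func imapProblem(c claims, wantAud string) string {
	if strings.TrimSuffix(c.Aud, "/") != wantAud {
		return "audience is " + c.Aud + ", want " + wantAud
	}
	for _, s := range strings.Fields(c.Scp) {
		if strings.HasSuffix(s, "IMAP.AccessAsUser.All") {
			return ""
		}
	}
	return "scp lacks IMAP.AccessAsUser.All"
}

// sampleToken wraps a payload as an unsigned JWT (constructed test input).
func sampleToken(payload string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}

func main() {
	c, err := decodeClaims(sampleToken(`{"aud":"https://graph.microsoft.com","scp":"User.Read"}`))
	fmt.Println(imapProblem(c, "https://outlook.office.com"), err)
}
```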
