deltachat / deltachat-android

Email-based instant messaging for Android.
GNU General Public License v3.0

remove gmail's oauth2 #3233

Closed r10s closed 4 weeks ago

r10s commented 4 weeks ago

oauth2 for gmail stopped working, at least partially.

we decided that we do not want to spend additional development resources and extra money on that (we would need a yearly "CASA Tier 2/3 sth. security assessment" only for that - even though we have already passed much better security reviews; that alone would require quite some bureaucratic effort, which would result in other things not being done).

gmail's oauth2 was annoying all the time; it seems a waste of resources for a provider that does not even play well with others. also, there are comparatively few users using gmail oauth2 with Delta Chat. finally, with 2FA and app passwords, users can still use gmail.

this may require adapting provider database

gerryfrancis commented 4 weeks ago

We should aim to support OAuth 2.0 in the long term. Thunderbird has already done so for two years: https://support.mozilla.org/en-US/kb/automatic-conversion-google-mail-accounts-oauth20

And if I interpret this correctly, currently less secure applications that use a simple login that consists of a username and a password will no longer be supported by the end of Sep 2024:

> Starting on September 30, 2024, less secure apps, third-party apps, or devices that have you sign in with only your username and password will no longer be supported for Google Workspace accounts.

(Source: https://support.google.com/accounts/answer/6010255 )

I could be wrong, of course, but if not, Delta Chat users with Gmail accounts might face a real issue in the future, not to mention the Microsoft 365 account users who are already having it. ;)

r10s commented 4 weeks ago

it is not about removing oauth2, but removing gmail-oauth2.

gmail-oauth2 requires increasing amounts of ridiculous, probably ai-managed, bureaucracy.

our small team is just not able to handle this, nor does it want to at the cost of improvements with larger impact.

gerryfrancis commented 4 weeks ago

@r10s I understand, but what about the deadline (Sep 30th) that I have mentioned before? Do you think Google will decline access to all apps that do not use the featured Google API?

r10s commented 4 weeks ago

> Do you think Google will decline access to all apps that do not use the featured Google API?

i do not know in detail, so research on that is welcome :)

however, in my understanding, i expect that an "App Password" generated with google's 2FA enabled will continue to work. at least in the past, this was not what Google called "Less Secure Apps" or "sign in with only your username and password". but logging in with your google main account password will stop working.

r10s commented 4 weeks ago

for K-9, which has similar issues, a user who posted in the K-9 forum expects App-Password to continue working as well: https://forum.k9mail.app/t/using-gmail-with-k9-mail-5-600-in-2024-using-app-passwords-not-oauth/8536

google's original sources stay vague, at least to me. i did not find anything clear.

iequidoo commented 4 weeks ago

App passwords work well for me with all my Gmail accounts, with Delta Chat and Thunderbird. But yesterday my friend reported to me that Delta Chat can't log in anymore after they changed the Gmail account password (but not the app password for Delta Chat), and changing the app password after that didn't help. It's not the first time I've seen people struggling with Delta Chat + Gmail, but for most of them it works :)

gerryfrancis commented 4 weeks ago

> i do not know in detail, so research on that is welcome :)

@r10s In the document linked above, they also state:

> To continue to use a specific app with your Google Account, you’ll need to use a more secure type of access that doesn’t share password data. Learn how to use Sign in with Google.

I would interpret this statement as a sign that logging in with an app password is not going to work anymore by Sep 30th.

iequidoo commented 4 weeks ago

> I would interpret this statement as a sign that logging in with an app password is not going to work anymore by Sep 30th.

> Sign in with app passwords
>
> Important: App passwords aren’t recommended and are unnecessary in most cases. To help keep your account secure, use "Sign in with Google" to connect apps to your Google Account.
>
> An app password is a 16-digit passcode that gives a less secure app or device permission to access your Google Account. App passwords can only be used with accounts that have 2-Step Verification turned on.
>
> When to use app passwords
>
> Tip: iPhones and iPads with iOS 11 or up don’t require app passwords. Instead use “Sign in with Google.”
>
> If the app doesn’t offer “Sign in with Google,” you can either:
>
> - Use app passwords
> - Switch to a more secure app or device
>
> Create & use app passwords
>
> Important: To create an app password, you need 2-Step Verification on your Google Account.
>
> If you use 2-Step-Verification and get a "password incorrect" error when you sign in, you can try to use an app password.
>
> Create and manage your app passwords. You may need to sign in to your Google Account.
>
> If you’ve set up 2-Step Verification but can’t find the option to add an app password, it might be because:
>
> Tip: Usually, you’ll need to enter an app password once per app or device.

**EDIT:** I copy-pasted this from https://myaccount.google.com/apppasswords. It doesn't look like they are going to drop support for app passwords.