1.6.0-BETA feedback thread

[jberkel]

This is a thread to discuss beta developments. I'd like to get some feedback on how to restructure the app so that it is still usable, even without XOAuth2.

• I've started by moving the IMAP settings to the main screen:

• For now, the old settings are still accessible from the "Advanced Settings" screen:

The UI probably needs some rethinking and should provide guidance on how to enable IMAP in the account, and how to generate app passwords.

[kurahaupo]

Research question: is it possible to link directly to the IMAP section in the account settings? (I've heard that there's something called "Intents".) If so, it would probably be necessary to choose a Google account first.

[kurahaupo]

I like where you're going with this approach.

If the user selects XOAuth2, would it be possible to probe immediately to see if access has been restored? (We can hope ...)

[jberkel]

@kurahaupo you mean in the Gmail account settings? For enabling IMAP, the URL seems to be https://mail.google.com/mail/u/0/#settings/fwdandpop

[mwisnicki]

Does anyone know how Thunderbird is able to use IMAP with OAuth? Can you just add setting to override Client Id?

[billybednar]

For now, the old settings are still accessible from the "Advanced Settings" screen:

OAuth is still working for me so definitely keep them for now.

The UI probably needs some rethinking and should provide guidance on how to enable IMAP in the account, and how to generate app passwords.

Any instructions should mention that G Suite users can't first enable non-OAuth IMAP after 2020-06-15 and that it will stop working on 2021-02-15.

Does anyone know how Thunderbird is able to use IMAP with OAuth? Can you just add setting to override Client Id?

I think it's technically possible, but I can't see Google being happy with us impersonating another client. To answer question, Google has some info on the flow for non-server clients. From what Google displays on the authorization page, it looks like Thunderbird uses http://localhost as the redirect_uri. It also appears (based on a quick check with Wireshark) that Thunderbird's internal web browser intercepts that request and it isn't actually listening on the loopback adapter.

[mwisnicki]

Thanks. Technically it wouldn't be you/the project doing the impersonation but the user who chooses to fiddle with advanced option :) Also one could use it to set his own development key. I'm kind of worried that Google will soon remove ability to login with passwords like they just did for GSuite users.

BTW I think OAuth option should be left in for people with Google Suite as that is exempt from the verification requirements.

[kurahaupo]

@mwisnicki I imagine that Thunderbird qualifies as a "native [...] email client that allow users to compose, send, read, and process email via a user interface" as per https://developers.google.com/terms/api-services-user-data-policy#additional-requirements-for-specific-api-scopes