mustang-im / mustang

Mustang - New full-featured desktop email, chat and video conference client
https://mustang.im

OAuth2: Google #136

Open benbucksch opened 1 month ago

benbucksch commented 1 month ago

Thunderbird uses OAuth2 scope https://mail.google.com/ https://www.googleapis.com/auth/carddav https://www.googleapis.com/auth/calendar (see https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.sys.mjs), but Google tells us that this is not necessary for IMAP:

"If your app uses IMAP protocol or joint IMAP/SMTP protocols, note that the https://mail.google.com/ scope should only be requested if your application also needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes. If your app does not do this, you will need to migrate to the Gmail API and request less permissive scopes."

So, find out which scope is needed for IMAP, POP3, SMTP, CardDAV, CalDAV and the Google REST API for calendar (not CalDAV), and change the Google scope in OAuth2URLs.ts and in the Google client registration.

jermy-c commented 1 month ago

IMAP, POP3, SMTP

It seems like https://mail.google.com/ is the only available scope for IMAP, POP and SMTP. A combination of gmail.readonly, gmail.compose, gmail.labels and gmail.modify wouldn't work because we still can't delete an email. I didn't see anything about POP3, so I'm assuming the scope works for both IMAP and POP3.

Google says there's no way to downscope the https://mail.google.com/ scope for IMAP and SMTP:

If your application uses the IMAP or SMTP protocol:

Full mail (mail.google.com) is the only authorization scope for IMAP and SMTP. Please provide a justification for why your application requires this scope. Please note that the https://mail.google.com/ scope should only be requested if your application also needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes. If your app does not permanently delete threads and/or messages, you will need to migrate to the Gmail API and request less permissive scopes.

link: https://support.google.com/cloud/answer/13807380?hl=en&sjid=2818839467319206190-NA#zippy=%2Cdifferent-gmail-scopes

CardDav

CardDav scope is https://www.googleapis.com/auth/carddav. I created a test project and searched for it and also saw it on Stack Overflow. There's no information about it in the docs.

link: https://stackoverflow.com/questions/44975455/what-scopes-are-neccesary-to-access-gmail-contacts-via-carddav

CalDav

CalDav and Google REST API for calendar scope is https://www.googleapis.com/auth/calendar.

Changes

I think just removing the https://www.googleapis.com/auth/contacts should be enough and be less confusing because the consent screen shows duplicates.

And with the https://mail.google.com/ https://www.googleapis.com/auth/carddav https://www.googleapis.com/auth/calendar scope it should be good; it seems like other apps use the same scope too. The narrower scopes don't seem to give the authorization to delete or share (in some cases).
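The per-service scope selection this comment arrives at, written out as an added TypeScript example (not Mustang's own OAuth2URLs.ts): it maps each service to the scope named above, de-duplicates the list so the consent screen does not show the same permission twice, flags the restricted https://mail.google.com/ scope that triggers the assessment discussed later in the thread, and builds Google's authorization URL. The client id, redirect URI and state value are placeholders.

```typescript
// Added example, not code from the Mustang project.
type GoogleService = "imap" | "pop3" | "smtp" | "carddav" | "caldav" | "calendar-rest";

// Scopes as identified in the issue, keyed by the service that requires them.
const SCOPE_FOR_SERVICE: Record<GoogleService, string> = {
  imap: "https://mail.google.com/",
  pop3: "https://mail.google.com/",
  smtp: "https://mail.google.com/",
  carddav: "https://www.googleapis.com/auth/carddav",
  caldav: "https://www.googleapis.com/auth/calendar",
  "calendar-rest": "https://www.googleapis.com/auth/calendar",
};

// Google classifies the full-mail scope as "restricted", which is what
// requires the third-party (CASA) security assessment.
const RESTRICTED_SCOPES = new Set<string>(["https://mail.google.com/"]);

/** Minimal, de-duplicated, stably ordered scope list for the services in use. */
function scopesFor(services: GoogleService[]): string[] {
  const seen = new Set<string>();
  const result: string[] = [];
  for (const service of services) {
    const scope = SCOPE_FOR_SERVICE[service];
    if (!seen.has(scope)) {
      seen.add(scope);
      result.push(scope);
    }
  }
  return result;
}

/** True when the requested scopes include one that needs the security assessment. */
function needsCasaAssessment(scopes: string[]): boolean {
  return scopes.some((s) => RESTRICTED_SCOPES.has(s));
}

/** Authorization-code request URL for Google's OAuth2 endpoint. */
function buildAuthURL(clientId: string, redirectUri: string, scopes: string[], state: string): string {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: scopes.join(" "), // Google expects a space-separated scope list
    state, // random per-request value; compare it on the redirect to reject forged callbacks
    access_type: "offline", // ask for a refresh token so the user is not re-prompted
  });
  return "https://accounts.google.com/o/oauth2/v2/auth?" + params.toString();
}
```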
benbucksch commented 1 month ago

Thanks, Jeremy. Indeed, the docs I found also state: "The scope for IMAP, POP, and SMTP access is https://mail.google.com/."

I asked Google for clarification about which scopes they meant. I wrote to Google:

API OAuth Dev Verification wrote:

Hello Google Developer,

Thank you so much for your patience with the verification process.

If your app uses IMAP protocol or joint IMAP/SMTP protocols, note that the https://mail.google.com/ scope should only be requested if your application also needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes. If your app does not do this, you will need to migrate to the Gmail API and request less permissive scopes.

Dear Google,

indeed, our application is inherently an IMAP and SMTP application. We do not need to "immediately and permanently delete threads and messages, bypassing Trash". Could you please tell us which "scope" we should request, given that you state "all other actions can be performed with less permissive scopes"? Which scopes are those? We would be happy to use those. However, we do need IMAP and SMTP.

This issue here is currently blocking the release of our software. Any help would be appreciated.

What if I don’t want to complete a CASA Assessment?

You can choose to remove the restricted scope(s) from your application and use the recommended Drive API scope https://www.googleapis.com/auth/drive.file, which doesn’t require a security assessment.

We can remove those scopes for now, if that avoids the CASA assessment process and makes the approval faster.

Thanks,

benbucksch commented 1 month ago

Google responded, suggesting that we use only scopes for sending, completely misunderstanding what IMAP is:

The Workspace API User Data and Developer Policy mandates that permission requests be limited to the critical information necessary to implement your application's services.

You requested the Restricted Gmail API scope https://mail.google.com/. Based on the information you provided, we believe the Sensitive Gmail API scope https://www.googleapis.com/auth/gmail.send—which allows users to compose and send email messages from the application—may be a better fit for your use case. You should only request the restricted gmail.compose scope if the app also needs to manage drafts within the source Gmail account.

Since gmail.send is not restricted, an additional third-party security assessment will also not be required before your project can be approved or to be reverified annually. This will result in a faster and more streamlined verification process for your application.

benbucksch commented 1 month ago

removing the https://www.googleapis.com/auth/contacts

Yes, we can do that. (However, that won't help with the approval.)

Done

benbucksch commented 1 month ago

Due to "restricted scopes", Google originally asked for an ADA CASA validation using a third-party audit, which costs a lot of money. I've now paid for that and triggered the validation.

benbucksch commented 2 weeks ago

The auditor told us that we passed the audit and that they will write the Letter of Approval/Validation to Google.