GMail compatibility without app passwords

[Hal1512]

Is your feature request related to a problem? Please describe.

GMail considers the integration from this Mail app to be 'less secure'. They claim on their site that they will no longer support apps that log into your mail account with only user name and password.

https://support.google.com/accounts/answer/6010255?hl=en

Describe the solution you'd like

I believe that if the mail connector also asked for and presented an App Password to GMail, that qualifies as a more secure way to connect.

https://support.google.com/accounts/answer/185833

Describe alternatives you've considered

No response

Additional context

No response

[feutl]

This is an issue now! I have 2 accounts which do not work with nextcloud mail any more. The workaround to use 2FA and a app password is not a sufficient solution. Fairemail fixed the issue on Android and let me sync my mails without setting up 2FA.

How could something like this not being resolved in time? Gmail is sadly used by lots of NC users - I am quite sure.

Also interesting nobody made any statement so far. It took me quite long to even realize this too, but still - should have been addressed already

[ChristophWurst]

My personal account still works.

[feutl]

@ChristophWurst Have you setup 2FA with an app specific password ? If so, yes it works. If not, I am surprised, all 3 of my accounts without 2FA do not work any more.

[ChristophWurst]

Right, I'm using 2FA with an app password.

[feutl]

And this is the issue, if you have not setup 2FA (for whatever reason) there is no app password option in gmail. Therefor the authentication needs to be fixed for those accounts. As I said, Fairemal - the android client - has fixed this already some time ago.

[MrPresident2]

any news about that? I don't think we can use Gmail anymore

[enekonieto]

Until someone is assigned I think we should hope no movement.

[MrPresident2]

do you know about another way to connect Gmail to Nextcloud then?

[enekonieto]

No, I am also stuck with this issue :(

[ChristophWurst]

XOAUTH2 support will be added via https://github.com/nextcloud/mail/pull/6819.

I have figured out what it takes to register Mail as a Google OAuth application. We will need admin settings and an adapted setup dialogue.

Moreover there needs to be a mechanism to detect and replace expired access tokens using the refresh token. I haven not been able to trigger an expiration myself, but waiting until Monday morning could help. Simply removing the service from my Google accounts gives a generic failed authentication response

S: 2 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
>> Command 2 took 0.8495 seconds.

\Horde_Imap_Client_Exception::LOGIN_EXPIRED https://www.rfc-editor.org/rfc/rfc5530.html is what Horde might throw. That would be great and we could trigger a token refresh when that specific error is thrown.

[ChristophWurst]

I causes a generic Invalid credentials. So we need to keep book about the token validity and do the refresh proactively.

[ChristophWurst]

POC is at https://github.com/nextcloud/mail/pull/6830. Linking the Nextcloud Mail account to Gmail works. Keeping the access token updated works.

The open todos are mostly about handling all possible conditions during the setup and making sure the app stays usable with this new auth option.

[ChristophWurst]

https://github.com/nextcloud/mail/pull/6830#issuecomment-1178964939 sneak preview

[feutl]

I have the feeling that also outlook.com or MS365 accounts cannot be added to Mail right now. I have an enterprise subscription which I wanted to add to Mail but I am struggeling. I assume the same issue. Right now I am stuck at "automatically" adding the account to Mail, but even if I add it manually authentication fails.

[ChristophWurst]

Related: https://github.com/nextcloud/mail/issues/6591

[Dvalin21]

Google no longer or at least it doesnt show up when I got there a way to add an "App" Password. I keep getting this setting is no longer available.

[feutl]

Any news when this is getting released ? Got quite silent the last days after the initial push by @ChristophWurst

[ChristophWurst]

I can't give an ETA at this point. It's ongoing work but there are lots of things happening at the time.

[feutl]

great, like to hear that lots of things are happening :D thanks

[feutl]

Any timeframe when this gets released, it is almost a year now.

[ChristophWurst]

2022-12-05

[feutl]

ok, I found the hint in the release notes but really struggling in getting this working. The information in the NC admin panel as well as https://github.com/nextcloud/mail/blob/main/doc/admin.md are very rudimentary - as a non DEV ;) Still struggling in finding the right api - app to get started.

[ChristophWurst]

OAuth is technical. We can't change that. Selfhosting and OAuth is always a bit painful.

[feutl]

Would be great to have more guidance, like how to setup the "OAuth-Zustimmungsbildschirm" correctly and so on Had a look at help.nextcloud.com but could not find anything more specific there either.

[digitalrevisor]

Hi, I have been trying to find the right place to write this, and here is my best bet I think. We have an issue with Google integration Oauth.

We have set up an OAuth consent screen and a client. And that works fine with @gmail.com accounts but Google email accounts with other domains do not, i.e. @digitalrevisor.no.

What happens when trying to log in with the @digitalrevisor.no domain I get a message below: IMAP username or password is wrong and the consent screen does not appear. This is a Google account and works with all other Google Oauth solutions. (Including Connected Accounts in Nextcloud)

Is the login for Mail just looking for @gmail.com before it opens the consent screen? If so, is there or can you add a possibility to add domains in the Google integration settings?

Should I create a new issue for this?

[ChristophWurst]

Gmail OAuth is only used for accounts hosted by Google. Yours does not seem to be

In any case, Github is for bugs. Please open a topic at https://help.nextcloud.com/c/apps/mail/35 for community support.

[digitalrevisor]

Noted. Only Google Oauth implementation we have ever seen not accepting Google accounts with a different domain than @gmail.com is not a bug, but a feature I guess then.

Note: I believe that this is the reason why one has a separate sign-in with a Google button: If the app had put Google.com instead of one.com it would work.

It is in no way uncommon for organizations to use their own domains for both Google and Microsoft accounts.

[tmrlvi]

Are you sure you email is hosted by gmail? If so, you can try to manually set up the connection with gmail's smtp and imap configuration (without password), and the authorization screen will pop up. However, connection (post oauth login) will fail if it isn't actually hosted on gmail.

[digitalrevisor]

https://github.com/nextcloud/mail/assets/59980626/da068d63-cc09-4871-8ca2-42963a416904

Her is a video logging in via Google Oauth to Google data migration app in Nextcloud with a @digitalrevisor.no domain. I can't believe that we are the only ones going to have issues with logging into the Mail app.

[ChristophWurst]

https://help.nextcloud.com/c/apps/mail/35