target / goalert

Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert
https://goalert.me
Apache License 2.0
2.21k stars 233 forks

Support for OAuth 2.0 Authentication for SMTP #3972

Open RinorRafuna opened 1 month ago

RinorRafuna commented 1 month ago

As Google is enhancing its security settings and plans to deprecate the "Allow less secure apps" feature, GoAlert needs to support OAuth 2.0 for SMTP authentication to ensure continued compatibility with Gmail and G Suite email services.

Context: Google has announced that they will no longer support "Less secure apps" starting from a specified date, as detailed in their documentation: https://support.google.com/a/answer/14114704?hl=en. This change is part of their efforts to enhance security and protect user accounts.

Currently, GoAlert's SMTP configuration relies on the "Allow less secure apps" setting for Gmail accounts, which uses basic authentication (username and password). With the upcoming changes, this method will no longer be viable, and users will face issues sending email notifications from GoAlert through Gmail's SMTP server.

Impact: If GoAlert does not support OAuth 2.0 for SMTP authentication, users who rely on Gmail for email notifications will experience the following issues:

Request: To ensure that GoAlert remains functional and compliant with Google's security policies, we request the addition of OAuth 2.0 support for SMTP authentication. This will involve:

mastercactapus commented 1 month ago

At first glance, it looks like they are only removing the ability to use your account username/password, which is understandable.

It looks like you can create credentials specific to an application:

For scanners or other devices using SMTP or less secure apps to send emails, use one of the following options:

  • Configure the device to use OAuth.
  • Use an alternative way to scan or send an email from the device.
  • Configure an app password for use with the device.

Tip: If you replace your device, look for one that sends email using OAuth.

It's still not ideal, as this is still associated with full account access.

Are other SMTP providers (e.g., SendGrid, Mailgun, etc.) following suit, or is this a Google-specific requirement? I'm not familiar with an established standard for OAuth -> SMTP.

I found some info here:

It doesn't feel like it's as well-defined as something like OIDC where we can just feed it a URL, but I could be wrong.
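For reference on how an OAuth token is actually carried over SMTP: Google documents the SASL mechanism XOAUTH2 for this (RFC 7628's OAUTHBEARER is the IETF-standardized relative with a slightly different initial response), and it is a one-round exchange, not a discovery-by-URL flow like OIDC. The client sends `AUTH XOAUTH2 <base64>` where the payload is `user=<mailbox>^Aauth=Bearer <access token>^A^A` (^A = 0x01); on success the server answers 235, on failure it sends a 334 challenge carrying a base64 JSON error. The block below is an added example, not GoAlert's code or Google's: it implements that mechanism as a `net/smtp` `Auth` so it could be passed to `smtp.Client.Auth`, refuses to send the bearer token over a non-TLS session (a token is as sensitive as a password), and includes the server-side parser so the exchange can be exercised against a fake. The mailbox and token values are constructed samples.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/smtp"
	"strings"
)

// xoauth2Auth implements net/smtp's Auth interface for the SASL XOAUTH2
// mechanism (the OAuth-over-SMTP scheme Gmail/Google Workspace accepts).
type xoauth2Auth struct {
	user  string // mailbox the token was issued for
	token string // OAuth 2.0 access token (short-lived; refreshed out of band)
}

// XOAuth2 returns an smtp.Auth usable with smtp.Client.Auth or smtp.SendMail.
func XOAuth2(user, accessToken string) smtp.Auth {
	return &xoauth2Auth{user: user, token: accessToken}
}

// InitialClientResponse builds the XOAUTH2 SASL initial response:
//
//	"user=" <mailbox> ^A "auth=Bearer " <token> ^A ^A
//
// where ^A is byte 0x01. net/smtp base64-encodes it before sending
// "AUTH XOAUTH2 <base64>".
func InitialClientResponse(user, token string) []byte {
	return []byte("user=" + user + "\x01auth=Bearer " + token + "\x01\x01")
}

// AuthCommand renders the full SMTP command line the client sends, i.e. what
// appears on the wire (inside TLS) or in a server-side protocol log.
func AuthCommand(user, token string) string {
	return "AUTH XOAUTH2 " + base64.StdEncoding.EncodeToString(InitialClientResponse(user, token))
}

// Start is called once by net/smtp. A bearer token grants mailbox access just
// like a password, so refuse to send it over a plaintext connection.
func (a *xoauth2Auth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS {
		return "", nil, errors.New("xoauth2: connection is not TLS; refusing to send bearer token")
	}
	return "XOAUTH2", InitialClientResponse(a.user, a.token), nil
}

// Next handles a further 334 challenge. With XOAUTH2 that only happens on
// failure: the server returns a base64 JSON error such as {"status":"401",...}.
// Returning an error makes net/smtp send "*" to cancel the SASL exchange.
func (a *xoauth2Auth) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		return nil, fmt.Errorf("xoauth2: server rejected token: %s", fromServer)
	}
	return nil, nil
}

// ParseInitialClientResponse is the server-side view: it decodes the base64
// argument of AUTH XOAUTH2 and extracts the user and bearer token, rejecting
// malformed responses. Handy for testing the client against a fake server.
func ParseInitialClientResponse(b64 string) (user, token string, err error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", fmt.Errorf("xoauth2: bad base64: %w", err)
	}
	s := string(raw)
	if !strings.HasSuffix(s, "\x01\x01") {
		return "", "", errors.New("xoauth2: missing terminating ^A^A")
	}
	for _, f := range strings.Split(strings.TrimSuffix(s, "\x01\x01"), "\x01") {
		switch {
		case strings.HasPrefix(f, "user="):
			user = strings.TrimPrefix(f, "user=")
		case strings.HasPrefix(f, "auth=Bearer "):
			token = strings.TrimPrefix(f, "auth=Bearer ")
		default:
			return "", "", fmt.Errorf("xoauth2: unexpected field %q", f)
		}
	}
	if user == "" || token == "" {
		return "", "", errors.New("xoauth2: user or bearer token missing")
	}
	return user, token, nil
}

func main() {
	// Constructed sample values, not real credentials.
	cmd := AuthCommand("oncall@example.com", "ya29.example-access-token")
	fmt.Println("C:", cmd)
	u, tok, err := ParseInitialClientResponse(strings.TrimPrefix(cmd, "AUTH XOAUTH2 "))
	fmt.Println("S: parsed user =", u, "token =", tok, "err =", err)
	// Wiring into net/smtp against a real server (needs a live TLS session):
	//   c, _ := smtp.Dial("smtp.gmail.com:587"); c.StartTLS(tlsCfg)
	//   err = c.Auth(XOAuth2("oncall@example.com", accessToken))
}
```

Obtaining the access token (client credentials for a Workspace service account, or an authorization-code flow with a refresh token for a user mailbox) is the part that is provider-specific; the SMTP side above is the same for any server that advertises XOAUTH2 in its EHLO response, which is the check to make before choosing this mechanism over an app password.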