Author Topic: Integrating OAuth2 into email program  (Read 705 times)

QEnnay

  • Full Member
  • ***
  • Posts: 105
Integrating OAuth2 into email program
« on: June 24, 2022, 10:22:49 pm »
Hi, we have our own email client (Linux) developed in Lazarus (currently 2.2.2) over many years. It has been able to check our gmail accounts and download using the POP3/SMTP protocols.

As of May 30, gmail is using OAuth2 and blocking POP access. I have been searching here and found some stuff on GitHub, but nothing so far that talks about converting from POP3 to OAuth2 for emails.

We may have to abandon gmail and that will suck. Our business originally used them and it would be a mammoth task to inform a lot-lot-lot of customers of the new address via our own website URL.

When the POP3/SMTP was working we were able to wean them across no problem when we replied.

Can anyone point me in the right direction to try and get this changed over?

Thanks
Linux-Mint 20.1 x64 + Cinnamon; Lenovo Flex 5 Ryzen 5 4500, 16GB memory
FPC: 3.2.0-1, Lazarus 2.0.12-0, all 64bit

Soner

  • Sr. Member
  • ****
  • Posts: 280
Re: Integrating OAuth2 into email program
« Reply #1 on: June 25, 2022, 12:20:50 am »
Which components are you using for sending and receiving emails, synapse, lnet or indy?

Search at google for "oauth2 lazarus". The users rvk and Beni Bela have some entries here; they helped me to send a test mail in gmail with oauth2.
I wanted to publish my results here but I did not have the time for it, maybe this weekend.
rvk's code uses google+ which is deprecated, Beni Bela's code helps to understand the whole gmail oauth2.




rvk

  • Hero Member
  • *****
  • Posts: 4812
Re: Integrating OAuth2 into email program
« Reply #2 on: June 25, 2022, 01:35:35 am »
Quote
As of May 30, gmail is using OAuth2 and blocking POP access.

Really? I'm not aware of that. POP3 still works (and will continue to work).
What's blocked is SMTP with your gmail password.
But you can still use App passwords (if you have 2FA enabled).
So there is no real need to switch to OAuth2.

Just create an app password here and use it in your program.

Quote
rvk's code uses google+ which is deprecated,

My solution only uses the Gmail API.
So there is no need for the deprecated Google+.
My code still works (and is still in use).


Thaddy

  • Hero Member
  • *****
  • Posts: 11770
Re: Integrating OAuth2 into email program
« Reply #3 on: June 25, 2022, 10:03:26 am »
Rvk is right, he does not use G+. Also note that the OAUTH2 code in the google package should be enough and is default standard distribution.
You still need a - free - Key, though.
« Last Edit: June 25, 2022, 10:06:11 am by Thaddy »
Black themes should be banned.

QEnnay

  • Full Member
  • ***
  • Posts: 105
Re: Integrating OAuth2 into email program
« Reply #4 on: June 25, 2022, 07:30:43 pm »
Quote
Which components are you using for sending and receiving emails, synapse, lnet or indy?

Thanks for an answer that perfectly matches the questions asked. Somewhat of a rarity these days. :)

We used Synapse, from memory, the "synalist r209-trunk" for TLS-1.3.

I will check out the rvk GitHub. I will also do a search here for Beni Bela  as I could not find a mention of OAuth on his web-pages.

Thanks again.


rvk

  • Hero Member
  • *****
  • Posts: 4812
Re: Integrating OAuth2 into email program
« Reply #5 on: June 25, 2022, 07:44:04 pm »
Quote
I will check out the rvk GitHub. I will also do a search here for Beni Bela as I could not find a mention of OAuth on his web-pages.

You also saw my remark that you could use an app password and wouldn't need to change anything in your program?

Of course, if this is for third parties who you don't want to go through the trouble of creating an app password for themselves, OAuth2 is the way to go.

My github page https://github.com/rvk01/google-oauth2
(It's been awhile :) )

QEnnay

  • Full Member
  • ***
  • Posts: 105
Re: Integrating OAuth2 into email program
« Reply #6 on: June 25, 2022, 07:44:16 pm »
Quote
Really? I'm not aware of that.

You (and another) assume way too much.

In order for our email client to access gmail and download new email it had to be via the POP3 option in gmail. That then mandated "use less secure apps" to be checked. The gmail "less secure" has now been blocked as an option. See here: https://support.google.com/accounts/answer/6010255?hl=en

Next assumption: Not everyone in the US has a cell phone. We are out in the boonies and nearest cell tower is 152 miles away. Why would we buy a cell phone when we have good old copper-wire DSL? To set up OAuth2 on google-account requires a cell phone to validate the app-password about to be generated or entered. I entered our landline number and got a message "enter a real phone number." or something like that and FU to google.  %)

I should not have to give lengthy descriptions of our living situations in an OP when a simple answer to the question asked would suffice as kindly proffered by @Soner.

Perhaps I could have been a little more specific with the POP3 statement, but figured since I also mentioned POP3/SMTP and gmail, an alert reader would tie those two together.

Dare I suggest a little less "glib" and a little more "help." This is after all, a Help forum, no?

I have not yet looked at your GitHub but may get to it later as a last resort. <-- Joking OK?

rvk

  • Hero Member
  • *****
  • Posts: 4812
Re: Integrating OAuth2 into email program
« Reply #7 on: June 25, 2022, 07:56:14 pm »
Quote
In order for our email client to access gmail and download new email it had to be via the POP3 option in gmail. That then mandated "use less secure apps" to be checked. The gmail "less secure" has now been blocked as an option. See here: https://support.google.com/accounts/answer/6010255?hl=en

I thought POP3 didn't need an app password. I was wrong. It does from now on.

Quote
Sending of password for user zzzz did not succeed. Mail server pop.gmail.com responded: Application-specific password required: https://support.google.com/accounts/answer/185833

Quote
Next assumption: Not everyone in the US has a cell phone. We are out in the boonies and nearest cell tower is 152 miles away. Why would we buy a cell phone when we have good old copper-wire DSL? To set up OAuth2 on google-account requires a cell phone to validate the app-password about to be generated or entered. I entered our landline number and got a message "enter a real phone number." or something like that and FU to google.  %)

There are other methods of 2FA authentication (like Google authenticator on your phone or tablet without the need for a phone number).
See: https://foxnomad.com/2014/09/11/enable-use-two-factor-authentication-without-phone
How To Enable And Use Two Factor Authentication Without A Phone Number

Quote
I should not have to give lengthy descriptions of our living situations in an OP when a simple answer to the question asked would suffice as kindly proffered by @Soner.
Perhaps I could have been a little more specific with the POP3 statement, but figured since I also mentioned POP3/SMTP and gmail, an alert reader would tie those two together.
Dare I suggest a little less "glib" and a little more "help." This is after all, a Help forum, no?

I'm not sure why you typed this?

Was my post not helpful?
I just mentioned that you can still use app passwords without changing anything in your program.
I think that would be perfect for you (no need for OAuth2 code and no need to change any code at all).

Otherwise you could use my code for OAuth2 on github.
So, I'm not sure how my answer was anything but helpful.

Edit: For OAuth2 you will need to setup your own project to get a client_id and client_secret.
You can create a project for Internal use (so no need for submitting it for verification). For External use you will need to submit it for verification.
If you need help with that just let us know.

Edit #2: I also see the code on my github hasn't been updated in 5 or 6 years.
It doesn't work flawlessly anymore. I do use some of this code in Delphi where it still works so if you need OAuth2, let me know so I can figure out what to do to make it work.
« Last Edit: June 25, 2022, 08:46:22 pm by rvk »

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 1129
    • Lebeau Software
Re: Integrating OAuth2 into email program
« Reply #8 on: June 25, 2022, 09:23:01 pm »
Quote
In order for our email client to access gmail and download new email it had to be via the POP3 option in gmail.

Is there a particular reason why you settled on POP3 and not IMAP for that?


Quote
That then mandated "use less secure apps" to be checked. The gmail "less secure" has now been blocked as an option. See here: https://support.google.com/accounts/answer/6010255?hl=en

That is not true. It is not blocked, it is merely turned off by default. You can still turn it back on if you want. The page you linked to even says so.
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)

rvk

  • Hero Member
  • *****
  • Posts: 4812
Re: Integrating OAuth2 into email program
« Reply #9 on: June 25, 2022, 09:42:36 pm »

Quote
Quote
That then mandated "use less secure apps" to be checked. The gmail "less secure" has now been blocked as an option. See here: https://support.google.com/accounts/answer/6010255?hl=en

That is not true. It is not blocked, it is merely turned off by default. You can still turn it back on if you want. The page you linked to even says so.

Are you sure? I can't check because I have 2FA. But I thought so called “less secure apps” will no longer be able to access your Gmail as of May 30, 2022.

From that page
Quote
To help keep your account secure, from May 30, 2022, Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.

The only method now for accessing gmail via pop/smtp/imap is an app password or Google OAuth2.

Edit: yup. It's definitely not available anymore.
« Last Edit: June 25, 2022, 10:06:46 pm by rvk »
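
For the OAuth2 route named in the post above, an added example (not code from rvk's repository or from any poster in this thread): once an access token has been obtained, Gmail's POP3, SMTP and IMAP servers accept it through the XOAUTH2 SASL mechanism, and this Free Pascal sketch builds that string with the FCL `base64` unit. The address, token, IMAP tag `A1` and the helper names are constructed for illustration.

```pascal
program XOAuth2Demo;
{$mode objfpc}{$H+}
uses SysUtils, base64;
type
  TMailProto = (mpPOP3, mpSMTP, mpIMAP);  { hypothetical helper type }

{ Reject empty values and control characters (CR, LF, ^A, ...) that could
  break out of the SASL string or smuggle a second protocol command. }
function IsSafeField(const S: string): Boolean;
var
  I: Integer;
begin
  Result := S <> '';
  for I := 1 to Length(S) do
    if (S[I] < ' ') or (S[I] = #127) then
      Exit(False);
end;

{ XOAUTH2 initial response: base64("user=" user ^A "auth=Bearer " token ^A ^A) }
function BuildXOAuth2(const User, AccessToken: string): string;
begin
  if not (IsSafeField(User) and IsSafeField(AccessToken)) then
    raise Exception.Create('empty value or control character in user/token');
  Result := EncodeStringBase64('user=' + User + #1 +
    'auth=Bearer ' + AccessToken + #1#1);
end;

{ POP3 and SMTP send "AUTH XOAUTH2 <blob>"; IMAP uses a tagged AUTHENTICATE. }
function AuthCommand(Proto: TMailProto; const User, AccessToken: string): string;
begin
  if Proto = mpIMAP then
    Result := 'A1 AUTHENTICATE XOAUTH2 ' + BuildXOAuth2(User, AccessToken)
  else
    Result := 'AUTH XOAUTH2 ' + BuildXOAuth2(User, AccessToken);
end;

var
  Cmd: string;
begin
  { Constructed sample values; a real token comes from Google's token endpoint. }
  Cmd := AuthCommand(mpPOP3, 'someone@example.com', 'SAMPLE-ACCESS-TOKEN');
  WriteLn(Cmd);  { the token is a live credential: keep this out of real logs }
  WriteLn(StringReplace(DecodeStringBase64(Copy(Cmd, 14, MaxInt)), #1, '^A', [rfReplaceAll]));
  try
    AuthCommand(mpSMTP, 'someone@example.com'#13#10'RSET', 'x');
  except
    on E: Exception do WriteLn('rejected: ', E.Message);
  end;
end.
```

The resulting line is sent over the TLS connection in place of the USER/PASS or AUTH LOGIN exchange; the last call shows an address carrying an embedded CRLF being rejected before it reaches the socket.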

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 1129
    • Lebeau Software
Re: Integrating OAuth2 into email program
« Reply #10 on: June 27, 2022, 07:44:39 pm »
Quote
Are you sure? I can't check because I have 2FA. But I thought so called “less secure apps” will no longer be able to access your Gmail as of May 30, 2022.

Per the page in question:

Quote
- If "Less secure app access" is on for your account

Because less secure apps can make your account more vulnerable, Google will automatically turn this setting off if it’s not being used.

If "Less secure app access" is still on for your account, we recommend turning it off now and switching to more secure apps.

Turn off "Less secure app access"

To help keep your account secure, we recommend that you keep this setting off and use more secure apps.

1. Go to the Less secure app access section of your Google Account. You might need to sign in.
2. Turn Allow less secure apps off.

- If "Less secure app access" is off for your account

If "Less secure app access" is turned off for your account, you can turn it back on. We recommend switching to more secure apps instead.

Quote
The only method now for accessing gmail via pop/smtp/imap is an app password or Google OAuth2.

Or, turning "Less secure apps" back on, if you don't have 2FA enabled.

Quote
Edit: yup. It's definitely not available anymore.

Only if you have 2FA enabled:

https://myaccount.google.com/lesssecureapps

Quote
Some apps and devices use less secure sign-in technology, which makes your account vulnerable. You can turn off access for these apps, which we recommend, or turn it on if you want to use them despite the risks. Google will automatically turn this setting OFF if it’s not being used.

This setting is not available for accounts with 2-Step Verification enabled. Such accounts require an application-specific password for less secure apps access.

rvk

  • Hero Member
  • *****
  • Posts: 4812
Re: Integrating OAuth2 into email program
« Reply #11 on: June 27, 2022, 07:54:16 pm »
Quote
Only if you have 2FA enabled:

https://myaccount.google.com/lesssecureapps

Sorry I wasn't clear. The screenshot above was from a dummy account of mine where 2FA was NOT enabled.

"Less secure" option is definitely removed from ALL accounts since May 30.
(And that's the problem TS is having)

Just as a curiosity, could you still enable it on your account (without 2FA)??

Note: The whole page mentioned is out of date. Only the red part (warning) is applicable. So the parts you quoted are no longer valid.

Ps. One extra note, if you have a workspace account this option might still be available. But for normal free accounts it's gone.

Quote
Important: This deadline does not apply to Google Workspace or Google Cloud Identity customers. The enforcement date for these customers will be announced on the Workspace blog at a later date.
« Last Edit: June 27, 2022, 07:59:40 pm by rvk »

 
