Bug 354508 - Support GMail's XOAUTH authentication method
Summary: Support GMail's XOAUTH authentication method
Alias: None
Product: Akonadi
Classification: Frameworks and Libraries
Component: IMAP resource
Version: 1.13.0
Platform: Debian stable Linux
Importance: NOR wishlist with 20 votes
Target Milestone: ---
Assignee: Christian Mollekopf
Depends on:
Reported: 2015-10-28 15:37 UTC by totte
Modified: 2017-01-08 15:12 UTC
Version Fixed In: 5.5.0


Description totte 2015-10-28 15:37:23 UTC
When I try to sign in to my GMail account I get the error in the summary and this page:
https://support.google.com/accounts/answer/6010255?hl=en suggests that KMail (Akonadi/IMAP) doesn't support the new, preferred method which according to dvratil would be OAuth.

Reproducible: Always

Steps to Reproduce:
1. Configure GMail account to only use password authentication (not two-factor) at myaccount.google.com
2. Create an IMAP resource for a GMail account
3. Try to sign in

Actual Results:  
“Password incorrect” error displayed.

Expected Results:  
Log in without further ado.

This can be circumvented by lowering the requirements somewhere here: myaccount.google.com, but it's not ideal.
Comment 1 MCZP 2016-11-07 20:46:34 UTC
Any way OAUTH is being currently considered? Akonadi supports it already for contacts and calendars, however it is missing in KMail.
Comment 2 Daniel Vrátil 2017-01-07 12:17:47 UTC
We have working code that implements support for Google's XOAUTH mechanism, but it needs integrating into the IMAP resource. Definitely something I'm planning in the future.
Comment 3 Daniel Vrátil 2017-01-08 15:12:45 UTC
Git commit ca4b3f0907b5cbf77a7f081bcd41f328ad066c54 by Daniel Vrátil.
Committed on 08/01/2017 at 15:11.
Pushed by dvratil into branch 'master'.

IMAP: add support for native GMail OAuth authentication

This change adds support for XOAUTH2 authentication method used by
Gmail to the IMAP resource. The XOAUTH2 support is implemented in
a custom SASL plugin. The token request/refresh is done via KGAPI.

When user sets imap.gmail.com as IMAP server in the resource config
dialog, the dialog automatically sets all the configuration to match
the one of Gmail and selects XOAUTH2 as authentication method. The
access and refresh tokens are stored in KWallet like a regular
password, but a special PasswordRequesterInterface implementation is
used to handle the tokens and pass the right data to KIMAP::LoginJob.

With this change it's no longer necessary to have the "Allow less
secure apps" option enabled in Google Account settings and it's no
longer necessary to use app-specific password for accounts with
two-step verification (2FA) enabled. The actual password is no longer
stored in KWallet and has only to be typed into Google Auth form once.
FIXED-IN: 5.5.0
CHANGELOG: Implement native Gmail authentication into IMAP resource

M  +21   -1    resources/imap/CMakeLists.txt
A  +1    -0    resources/imap/config.h.cmake
A  +141  -0    resources/imap/gmailpasswordrequester.cpp     [License: LGPL (v2+)]
C  +20   -23   resources/imap/gmailpasswordrequester.h [from: resources/imap/settingspasswordrequester.h - 051% similarity]
M  +13   -1    resources/imap/imapresource.cpp
A  +67   -0    resources/imap/passwordrequester.cpp     [License: LGPL (v2+)]
A  +44   -0    resources/imap/passwordrequester.h     [License: LGPL (v2+)]
M  +1    -0    resources/imap/resourcestate.cpp
A  +24   -0    resources/imap/saslplugin/CMakeLists.txt
A  +579  -0    resources/imap/saslplugin/config.h     [License: GENERATED FILE]  *
A  +969  -0    resources/imap/saslplugin/plugin_common.c     [License: UNKNOWN]  *
A  +221  -0    resources/imap/saslplugin/plugin_common.h     [License: UNKNOWN]  *
A  +246  -0    resources/imap/saslplugin/xoauth2plugin.c     [License: LGPL (v2+)]
A  +53   -0    resources/imap/saslplugin/xoauth2plugin_init.c     [License: LGPL (v2+)]
M  +5    -27   resources/imap/settings.cpp
M  +1    -2    resources/imap/settings.h
M  +24   -1    resources/imap/settingspasswordrequester.cpp
M  +2    -0    resources/imap/settingspasswordrequester.h
M  +41   -6    resources/imap/setupserver.cpp
M  +1    -0    resources/imap/setupserver.h
A  +32   -0    resources/imap/utils.cpp     [License: LGPL (v2+)]
A  +32   -0    resources/imap/utils.h     [License: LGPL (v2+)]
M  +8    -2    resources/imap/wizard/imapwizard.es

The files marked with a * at the end have a non valid license. Please read: http://techbase.kde.org/Policies/Licensing_Policy and use the headers which are listed at that page.
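
The commit message above names the XOAUTH2 SASL mechanism. As an added example (not code from the Akonadi commit or its SASL plugin), the C function below builds the client's initial response in the format Google documents for XOAUTH2 and rejects control bytes in either field before encoding. The function names, the 1024-byte limit and the sample user and token are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Reject empty fields and control bytes: 0x01 is the XOAUTH2 field
 * separator, so it must never appear inside the user name or the token. */
static int field_is_clean(const char *s) {
    if (s == NULL || *s == '\0') return 0;
    for (; *s; ++s)
        if ((unsigned char)*s < 0x20 || *s == 0x7f) return 0;
    return 1;
}
/* Standard base64; out must hold 4*((n+2)/3)+1 bytes. */
static void b64_encode(const unsigned char *in, size_t n, char *out) {
    static const char t[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i = 0, o = 0;
    for (; i + 2 < n; i += 3) {
        out[o++] = t[in[i] >> 2];
        out[o++] = t[((in[i] & 3) << 4) | (in[i + 1] >> 4)];
        out[o++] = t[((in[i + 1] & 15) << 2) | (in[i + 2] >> 6)];
        out[o++] = t[in[i + 2] & 63];
    }
    if (i < n) { /* one or two trailing bytes, padded with '=' */
        unsigned b1 = (i + 1 < n) ? in[i + 1] : 0;
        out[o++] = t[in[i] >> 2];
        out[o++] = t[((in[i] & 3) << 4) | (b1 >> 4)];
        out[o++] = (i + 1 < n) ? t[(b1 & 15) << 2] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
}
/* Writes base64("user=" user ^A "auth=Bearer " token ^A ^A) to out.
 * Returns 0 on success, -1 on a rejected field or a too-small buffer. */
int xoauth2_initial_response(const char *user, const char *token,
                             char *out, size_t outlen) {
    unsigned char raw[1024]; /* size limit is an assumption of this example */
    int n;
    if (!field_is_clean(user) || !field_is_clean(token)) return -1;
    n = snprintf((char *)raw, sizeof raw,
                 "user=%s\001auth=Bearer %s\001\001", user, token);
    if (n < 0 || (size_t)n >= sizeof raw) return -1;
    if (outlen < 4 * (((size_t)n + 2) / 3) + 1) return -1;
    b64_encode(raw, (size_t)n, out);
    return 0;
}
int main(void) {
    char buf[128]; /* user and token below are constructed sample values */
    if (xoauth2_initial_response("a@b.c", "tok", buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

The resulting string is what a client sends as the argument of the IMAP `AUTHENTICATE XOAUTH2` command; it carries a live bearer token and should be kept out of protocol debug logs.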