On Tue, Jun 12, 2018 at 8:32 PM Will Yardley <mutt-...@veggiechinese.net> wrote:
> On Mon, Jun 11, 2018 at 03:12:45PM -0700, Brandon Long wrote:
> > Gmail supports RFC 7628 for using OAUTH with IMAP, and they really don't
> > like you using password based auth. You can still enable "less secure
> > apps" and then generate an application specific password, but I figured it
> > was time to support it.
>
> Awesome! Just curious, given the recent thread about 2FA, can this (and
> does this) support 2 factor auth for IMAP as well?

Recent thread?

Generally speaking, OAUTHBEARER is not a two-factor authentication.

When it comes to Google and GSuite, it doesn't require you to enable "less
secure apps" and it doesn't require an Application Specific Password (ASP)
when you have 2FA enabled on your account.

It works by requiring you to login to Google (with 2FA if that's enabled),
and getting a long lived "refresh token". It then exchanges that for a short
lived "access token", which is good for about one hour. It's also "scoped"
in that when you request the refresh token, you're asking for access to
specific resources, in this case read/write access to your Gmail account.
It's also "scoped" in the sense that it's tied to a specific application.

Other services may use it differently, for instance you may have a service
where you have to use 2FA to get a computer specific token, and then
exchange that token for an access token.

So, in some sense, it's kind of a more generic, more restricted, more
complicated, application specific password.

It does allow you to access Google services if your GSuite admin doesn't
let you enable "less secure apps", since those things make it more secure
than Google's implementation of ASPs.

Brandon
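The reply above describes two mechanisms: the RFC 7628 OAUTHBEARER exchange that IMAP sees, and the long-lived refresh token being traded for a short-lived (about one hour) access token behind it. The Python below is an added example written for this thread, not code from the thread, from mutt, or from Google. It builds and strictly parses the OAUTHBEARER initial client response exactly as RFC 7628 section 3.1 lays it out, and shows a small cache that only goes back to the token endpoint when the cached access token is about to expire. The token endpoint itself is replaced by a constructed stand-in (`fake_exchange`); `TokenCache`, the token strings, `user@example.com` and `imap.gmail.com` as used here are assumptions for illustration, not anything the posters or the providers define.

```python
import base64
import itertools

# RFC 7628 separates the key=value pairs of the initial response with 0x01.
KVSEP = "\x01"


def oauthbearer_initial_response(user, host, port, access_token):
    """Build the OAUTHBEARER initial client response (RFC 7628 section 3.1).

    Layout: gs2 header "n,a=<authzid>,", then KVSEP, then host/port/auth pairs
    each followed by KVSEP, then one extra KVSEP that terminates the message.
    """
    gs2_header = f"n,a={user},"
    pairs = [f"host={host}", f"port={port}", f"auth=Bearer {access_token}"]
    return (gs2_header + KVSEP + KVSEP.join(pairs) + KVSEP + KVSEP).encode("utf-8")


def imap_authenticate_line(tag, user, host, port, access_token):
    """IMAP AUTHENTICATE command with the initial response base64-encoded (SASL-IR).

    base64 is an encoding, not encryption: the bearer token is readable by anyone
    who sees the connection, so this only ever goes over TLS (e.g. port 993).
    """
    initial = base64.b64encode(oauthbearer_initial_response(user, host, port, access_token))
    return f"{tag} AUTHENTICATE OAUTHBEARER {initial.decode('ascii')}"


def parse_oauthbearer_initial_response(raw):
    """Server-side strict parse of the initial response; ValueError on anything odd."""
    text = raw.decode("utf-8")
    if not text.endswith(KVSEP + KVSEP):
        raise ValueError("missing terminating separators")
    gs2_header, _, body = text[:-2].partition(KVSEP)   # drop the two closing KVSEPs
    parts = gs2_header.split(",")
    if len(parts) != 3 or parts[0] != "n" or parts[2] != "":
        raise ValueError("unsupported gs2 header (only 'n,a=<authzid>,' handled)")
    authzid = parts[1][2:] if parts[1].startswith("a=") else ""
    fields = {}
    for pair in body.split(KVSEP):
        key, sep, value = pair.partition("=")
        if not sep or not key or key in fields:
            raise ValueError(f"bad or duplicate field: {pair!r}")
        fields[key] = value
    auth = fields.get("auth", "")
    if not auth.startswith("Bearer ") or len(auth) == len("Bearer "):
        raise ValueError("auth field must carry a Bearer token")
    return {
        "authzid": authzid,
        "host": fields.get("host", ""),
        "port": fields.get("port", ""),
        "token": auth[len("Bearer "):],
    }


class TokenCache:
    """Long-lived refresh token in, short-lived access tokens out (illustrative class).

    `exchange` stands in for the provider's token endpoint: it takes the refresh
    token and returns (access_token, lifetime_seconds). A real client would POST
    the refresh token plus its client credentials to the provider's token URL.
    """

    def __init__(self, refresh_token, exchange, skew=60):
        self.refresh_token = refresh_token   # the long-lived secret; guard it like a password
        self.exchange = exchange
        self.skew = skew                     # renew this many seconds before expiry
        self.access_token = None
        self.expires_at = 0.0
        self.refreshes = 0

    def get_access_token(self, now):
        """Return a usable access token for time `now`, refreshing only when needed."""
        if self.access_token is None or now >= self.expires_at - self.skew:
            self.access_token, lifetime = self.exchange(self.refresh_token)
            self.expires_at = now + lifetime
            self.refreshes += 1
        return self.access_token


_counter = itertools.count(1)


def fake_exchange(refresh_token):
    """Constructed stand-in for the token endpoint: numbered one-hour access tokens."""
    return f"constructed-access-{next(_counter)}", 3600


if __name__ == "__main__":
    cache = TokenCache("constructed-refresh-token", fake_exchange)
    token = cache.get_access_token(now=0.0)
    print(imap_authenticate_line("a1", "user@example.com", "imap.gmail.com", 993, token))
```

Run as a script it prints one `AUTHENTICATE OAUTHBEARER` line; the cache shows the property the reply describes: the refresh token is what persists on disk, and the wire only ever carries tokens that expire within the hour, so a leaked access token has a short useful life while a leaked refresh token needs to be revoked at the provider.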