Is OAuth2 Support a Good Thing?
MailMate now supports the OAuth2 authentication method for Gmail (and Outlook) accounts. This is a good thing for MailMate users with Gmail accounts, but I don’t really feel good about it… More about that further below.
How does it work?
A bit simplified, it works like this: Using an embedded web browser in MailMate, the user is sent to a hardcoded Google address (using a secure connection). The user is then asked by Google to allow MailMate to access the emails of the Gmail account. If accepted, MailMate receives a special code. Using this code, MailMate can then obtain a so-called access token. This access token is then used when authenticating via IMAP or SMTP. In other words, the real password is never known to[1] or used by MailMate itself. It is naturally also not stored by MailMate. An access token expires, but MailMate can obtain a new one when needed without interrupting the user. The access token only provides access to emails and the user can revoke the access at any time on this page. That part is a nice feature of OAuth2.
Note that the above is just one of many ways to implement OAuth2 in a desktop email client — none of them being perfect.
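The steps described above, sketched in Python as an added example (this is not MailMate's code). The endpoint and scope values are the ones Google documents publicly; the client id, redirect URI and function names are placeholders chosen for illustration.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Google's documented OAuth2 endpoints and Gmail IMAP/SMTP scope (not quoted on the page).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
MAIL_SCOPE = "https://mail.google.com/"
# Placeholders: a desktop client ships its registered client id inside the app.
CLIENT_ID = "EXAMPLE-CLIENT-ID"
REDIRECT_URI = "http://127.0.0.1:8123/callback"

def authorization_url(state):
    """Step 1: the address the embedded browser is sent to."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "response_type": "code", "scope": MAIL_SCOPE,
        "access_type": "offline", "state": state,  # offline: also ask for a refresh token
    })

def code_from_redirect(redirect_url, expected_state):
    """Step 2: extract the code, rejecting a redirect our own request did not trigger."""
    params = parse_qs(urlparse(redirect_url).query)
    if not hmac.compare_digest(params.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise PermissionError(params["error"][0])  # e.g. the user declined access
    return params["code"][0]

def token_request(code):
    """Step 3: form body POSTed to TOKEN_ENDPOINT to swap the code for tokens."""
    # Any client secret a provider issues would be added here; it ships in the app too.
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}

def refresh_request(refresh_token):
    """Later: obtain a fresh access token without interrupting the user."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID}

def xoauth2_response(user, access_token):
    """Step 4: SASL XOAUTH2 string sent with IMAP AUTHENTICATE or SMTP AUTH."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()
```

Nothing in these requests is secret to the application itself: every value except the user's consent is embedded in the shipped binary.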
What’s the problem?
The main problem is that OAuth2 requires me to register MailMate with the service provider (Google/Microsoft). If the provider stops supporting other authentication schemes (which is almost true for Google) then the provider has the power to decide which email clients are allowed to access Gmail. I’m probably too old to trust big companies, but it also reminds me of what happened to third party Twitter and (more recently) Instagram clients.
In other words, after implementing OAuth2 I’m now part of the problem. I’ve made it a little bit easier for Google/Microsoft to stop supporting other authentication schemes and if they do that they can hit the kill switch on MailMate whenever they want to. They might even have a good reason to do so since a desktop email client cannot protect its so-called client identity. An evil app can easily pretend to be MailMate when requesting access to an account.
Of course, a niche email client like MailMate doesn’t really matter in the big picture, but it’s not the only email client feeling the pressure to support OAuth2.
What about Apple? Well, iCloud has an authentication scheme similar to OAuth2 (I assume), but it can only be used by Apple’s own email clients. I’m not sure if that is better or worse…
Why support OAuth2?
Google continues to push for the adoption of OAuth2 via the XOAUTH2 protocol. In my opinion, they do that using a lot of FUD as seen in this support article, but that does not mean that OAuth2 is necessarily a bad thing to use. Especially not for something like Google for which a single password provides access to all kinds of services.
And I don’t really have a choice here. When using other authentication methods, Gmail users are often rejected. The exact behavior appears to depend on how long the Google account has existed and whether it has been accessed via IMAP in the past. In particular, I believe new Gmail accounts are rejected by default if not using OAuth2. The best user experience is simply with OAuth2 enabled.
This is what it boils down to: MailMate supports Gmail (and Outlook) and I’ll do whatever I can to make it work well. This already includes working around the highly non-standard behavior of Gmail and the many bugs of Outlook IMAP. I do recommend though that all desktop email client users consider the alternatives.
-
[1] Since MailMate embeds the web browser itself, this is not strictly true. This also shows that OAuth2 doesn’t provide as much security for desktop applications as it does for web services.