Google introduces OAuth authentication for IMAP and SMTP GMail access

By Kshitij Sobti | Published Date: 31 - Mar - 2010 | Last Updated: 31 - Mar - 2010

In an effort to improve the way we use email protocols across devices, Google is offering OAuth support on its GMail IMAP and SMTP servers. Its new authentication mechanism, which it calls XOAuth, implements OAuth for the IMAP and SMTP email protocols, which traditionally do not support it.

Today, one can easily imagine having access to one's email from multiple devices and applications. Imagine using your email account on your mobile, in an email application on your laptop (such as Thunderbird or Outlook), and on your desktop. You might have a host of other applications that use IMAP access to provide notifications, or aggregation applications such as Threadsy and Inbox2. You might even have GMail configured to check an external account. What happens then if you change one lowly password?

Web authentication systems have already begun supporting OAuth authentication as an alternative to the aging practice of handing out your login details to every other application which asks for them.

With OAuth, you can grant access to your private data to third party websites or applications which you trust. You never need to share your password with a third party application. Instead, you authenticate external applications by granting them privileges using a shared key. Essentially, the websites / applications which need your data are given a "password" of their own, which gets them access to your data. This shared key remains the same even if your password changes.

You can then think (within limits) of your login details as providing you administrative access to your data, while OAuth authenticated applications accessing your data have mere user accounts, which you can individually control or revoke.

If at any point you feel that you no longer wish to use a service, or are not comfortable with giving it access, you can block it at the source without affecting other applications or services you may be using.

In GMail's new XOAuth mechanism, authentication is performed by the native IMAP AUTHENTICATE and SMTP AUTH commands. As such, XOAuth can be used with any SASL (Simple Authentication and Security Layer) capable client or server.

As always, Google is providing developers with sample code and libraries, and has put up enough documentation of the protocol that you can begin using it immediately.
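An added example, not Google's sample code or library: it builds the SASL response carried by IMAP AUTHENTICATE and SMTP AUTH, and runs a hypothetical server-side check in which revoking one application's token blocks that application without affecting the others. The URL layout, the OAuth 1.0 parameter set and the `XOAUTH` mechanism name are assumptions not stated in this article, and every key, token and secret is a constructed sample value.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote


def esc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(value, safe="~-._")


def sign(url, params, consumer_secret, token_secret):
    # HMAC-SHA1 over the OAuth 1.0 signature base string. The key is built
    # from the two OAuth secrets; the account password never appears.
    normalized = "&".join(f"{esc(k)}={esc(v)}" for k, v in sorted(params.items()))
    base = "&".join(["GET", esc(url), esc(normalized)])
    key = f"{esc(consumer_secret)}&{esc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def client_response(user, proto, consumer_key, consumer_secret,
                    token, token_secret, nonce, timestamp):
    # proto is "imap" or "smtp"; the URL layout is an assumption (see lead-in).
    url = f"https://mail.google.com/mail/b/{user}/{proto}/"
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
              "oauth_token": token, "oauth_version": "1.0"}
    params["oauth_signature"] = sign(url, params, consumer_secret, token_secret)
    fields = ",".join(f'{k}="{esc(v)}"' for k, v in sorted(params.items()))
    return base64.b64encode(f"GET {url} {fields}".encode()).decode()


def commands(response, tag="A01"):
    # The same SASL response rides on IMAP AUTHENTICATE and on SMTP AUTH.
    return f"{tag} AUTHENTICATE XOAUTH {response}", f"AUTH XOAUTH {response}"


def server_accepts(response, consumer_secret, granted):
    # Hypothetical server-side check. `granted` maps each token the user still
    # authorises to its secret. A real server also rejects stale timestamps
    # and reused nonces, and checks the URL against the authenticating user.
    method, url, fields = base64.b64decode(response).decode().split(" ", 2)
    params = {k: unquote(v.strip('"'))
              for k, v in (f.split("=", 1) for f in fields.split(","))}
    claimed = params.pop("oauth_signature", "")
    secret = granted.get(params.get("oauth_token"))
    if method != "GET" or secret is None:
        return False  # unknown or revoked token
    return hmac.compare_digest(claimed, sign(url, params, consumer_secret, secret))
```

Google later retired XOAUTH in favour of the OAuth 2.0 based XOAUTH2 mechanism, so read this as an illustration of the 2010 design.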