GMail compatibility without app passwords
Closed this issue · 30 comments
Is your feature request related to a problem? Please describe.
GMail considers the integration from this Mail app to be 'less secure'. They claim on their site that they will no longer support apps that log into your mail account with only user name and password.
https://support.google.com/accounts/answer/6010255?hl=en
Describe the solution you'd like
I believe that if the mail connector also asked for and presented an App Password to GMail, that qualifies as a more secure way to connect.
https://support.google.com/accounts/answer/185833
Describe alternatives you've considered
No response
Additional context
No response
This is an issue now!
I have 2 accounts which do not work with Nextcloud Mail any more. The workaround to use 2FA and an app password is not a sufficient solution.
Fairemail fixed the issue on Android and let me sync my mails without setting up 2FA.
How could something like this not be resolved in time? Gmail is sadly used by lots of NC users - I am quite sure.
Also interesting nobody made any statement so far. It took me quite long to even realize this too, but still - should have been addressed already
My personal account still works.
@ChristophWurst
Have you set up 2FA with an app-specific password? If so, yes it works.
If not, I am surprised, all 3 of my accounts without 2FA do not work any more.
Right, I'm using 2FA with an app password.
And this is the issue, if you have not set up 2FA (for whatever reason) there is no app password option in Gmail. Therefore the authentication needs to be fixed for those accounts.
As I said, Fairemail - the Android client - has fixed this already some time ago.
any news about that? I don't think we can use Gmail anymore
Until someone is assigned I think we should hope no movement.
do you know about another way to connect Gmail to Nextcloud then?
No, I am also stuck with this issue :(
XOAUTH2 support will be added via #6819.
I have figured out what it takes to register Mail as a Google OAuth application. We will need admin settings and an adapted setup dialogue.
Moreover there needs to be a mechanism to detect and replace expired access tokens using the refresh token. I have not been able to trigger an expiration myself, but waiting until Monday morning could help. Simply removing the service from my Google accounts gives a generic failed authentication response
S: 2 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
>> Command 2 took 0.8495 seconds.
\Horde_Imap_Client_Exception::LOGIN_EXPIRED
https://www.rfc-editor.org/rfc/rfc5530.html is what Horde might throw. That would be great and we could trigger a token refresh when that specific error is thrown.
It causes a generic Invalid credentials. So we need to keep book about the token validity and do the refresh proactively.
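The proactive refresh discussed in the comments above, as an added example that is not part of the thread or of the Mail app's code: because the server only answers with a generic AUTHENTICATIONFAILED, the client records the token's expiry time and refreshes before building the XOAUTH2 response. `OAuthState`, `ensure_fresh`, `authenticate_line`, `EXPIRY_SKEW` and the injected `refresh` callable are hypothetical names chosen for illustration.

```python
import base64
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

EXPIRY_SKEW = 60  # seconds; assumed safety margin before the recorded expiry


@dataclass
class OAuthState:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch seconds, recorded when the token was issued


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response: base64 of
    'user=<user>^Aauth=Bearer <token>^A^A', where ^A is byte 0x01."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode("ascii")


def ensure_fresh(state: OAuthState,
                 refresh: Callable[[str], Tuple[str, int]],
                 now: float) -> bool:
    """Refresh when the token is expired or inside the skew window.

    `refresh` (hypothetical) trades the refresh token for
    (new_access_token, expires_in_seconds) at the provider's token endpoint.
    Returns True if a refresh happened.
    """
    if now < state.expires_at - EXPIRY_SKEW:
        return False  # still valid; the IMAP error could not have told us otherwise
    token, expires_in = refresh(state.refresh_token)
    state.access_token = token
    state.expires_at = now + expires_in
    return True


def authenticate_line(user: str, state: OAuthState,
                      refresh: Callable[[str], Tuple[str, int]],
                      now: Optional[float] = None) -> str:
    """IMAP AUTHENTICATE command (command tag left to the IMAP client),
    built only after the token bookkeeping has been checked."""
    ensure_fresh(state, refresh, time.time() if now is None else now)
    return "AUTHENTICATE XOAUTH2 " + xoauth2_initial_response(user, state.access_token)
```
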
POC is at #6830. Linking the Nextcloud Mail account to Gmail works. Keeping the access token updated works.
The open todos are mostly about handling all possible conditions during the setup and making sure the app stays usable with this new auth option.
#6830 (comment) sneak preview
I have the feeling that also outlook.com or MS365 accounts cannot be added to Mail right now.
I have an enterprise subscription which I wanted to add to Mail but I am struggling. I assume the same issue.
Right now I am stuck at "automatically" adding the account to Mail, but even if I add it manually authentication fails.
Related: #6591
Google no longer or at least it doesn't show up when I got there a way to add an "App" Password. I keep getting this setting is no longer available.
Any news when this is getting released?
Got quite silent the last days after the initial push by @ChristophWurst
I can't give an ETA at this point. It's ongoing work but there are lots of things happening at the time.
great, like to hear that lots of things are happening :D thanks
Any timeframe when this gets released, it is almost a year now.
2022-12-05
ok, I found the hint in the release notes but really struggling in getting this working.
The information in the NC admin panel as well as https://github.com/nextcloud/mail/blob/main/doc/admin.md are very rudimentary - as a non DEV ;)
Still struggling in finding the right api - app to get started.
OAuth is technical. We can't change that. Selfhosting and OAuth is always a bit painful.
Would be great to have more guidance, like how to setup the "OAuth-Zustimmungsbildschirm" correctly and so on
Had a look at help.nextcloud.com but could not find anything more specific there either.
Hi, I have been trying to find the right place to write this, and here is my best bet I think.
We have an issue with Google integration Oauth.
We have set up an OAuth consent screen and a client.
And that works fine with @gmail.com accounts but Google email accounts with other domains do not, i.e. @digitalrevisor.no.
What happens when trying to log in with the @digitalrevisor.no domain I get a message below: IMAP username or password is wrong and the consent screen does not appear.
This is a Google account and works with all other Google Oauth solutions. (Including Connected Accounts in Nextcloud)
Is the login for Mail just looking for @gmail.com before it opens the consent screen?
If so, is there or can you add a possibility to add domains in the Google integration settings?
Should I create a new issue for this?
Gmail OAuth is only used for accounts hosted by Google. Yours does not seem to be
In any case, Github is for bugs. Please open a topic at https://help.nextcloud.com/c/apps/mail/35 for community support.
Noted. Only Google Oauth implementation we have ever seen not accepting Google accounts with a different domain than @gmail.com is not a bug, but a feature I guess then.
Note: I believe that this is the reason why one has a separate sign-in with a Google button:
If the app had put Google.com instead of one.com it would work.
It is in no way uncommon for organizations to use their own domains for both Google and Microsoft accounts.
Are you sure your email is hosted by Gmail? If so, you can try to manually set up the connection with Gmail's SMTP and IMAP configuration (without password), and the authorization screen will pop up.
However, connection (post oauth login) will fail if it isn't actually hosted on gmail.
GoogleOauthLogin.mp4
Here is a video logging in via Google OAuth to Google data migration app in Nextcloud with a @digitalrevisor.no domain.
I can't believe that we are the only ones going to have issues with logging into the Mail app.