That’s great indeed, TLS is also a requirement for Exchange Online. But still, authentication is made by basic-auth (if I understand well the following code, there is no way to choose between any other authentication mechanism like OAuth2) discourse/poll_mailbox.rb at tests-passed · discourse/discourse (github.com)
It just expects a user and a password, rather than a user and a token, plus it would need to use the AUTH XOAUTH2 format for encoding and transmitting the token.
Sorry if I was not clear in my question, but I’m more asking about having a similar approach as per the following examples:
These approaches will allow Discourse to connect to POP3 (and hence IMAP) with OAuth2 authentication, thus fullfilling the requirements for MS and probably for GMail in the near future if not now ( OAuth 2.0 Mechanism | Gmail IMAP | Google Developers).
AFAICS, Google/Gmail disabled POP3 authentication other than OAuth on 30.5. Therefore, I cannot retrieve mails via POP3 any more. Would be great if Discourse would support OAuth2.
I couldn’t find any other topic besides this one. Am I the only one using Gmail with Discourse?
Starting September 30, 2024, Google Workspace accounts will only allow access to apps using OAuth. Password-based access (with the exception of App Passwords) will no longer be supported. POP and IMAP are NOT going away and can still be enabled with apps that connect using OAuth.
Dear Administrator,
We’re writing to let you know that as we previously shared in this blog post, we’ll be turning off access to less secure apps (LSA) — non-Google apps that can access Google accounts with only a username and password (basic authentication) — starting June 15, 2024.
What do you need to know?
Access through basic authentication makes accounts more vulnerable to hijacking attempts. Moving forward, only apps that support a more modern and secure access method called OAuth will be able to access Google Workspace accounts.
Access to LSAs will be turned off in two stages:
Beginning June 15, 2024 - The LSA settings will be removed from the Admin console and can no longer be changed. Enabled users can connect after that time, but disabled users will no longer be able to access LSAs. This includes all third-party apps that require password-only access to Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP.The IMAP enable/disable settings will be removed from users’ Gmail settings.If you’ve been using LSAs prior to this date, you can continue using them until September 30, 2024.
Beginning September 30, 2024 - Access to LSAs will be turned off for all Google Workspace accounts. CalDAV, CardDAV, IMAP, and POP will no longer work when signing in with just a password — you will need to login with a more secure type of access called OAuth.
What do you need to do?
In order for your end users to continue using these types of apps with their Google Workspace accounts, they must switch to a more secure type of access called OAuth (a list of affected users is attached). This authentication method allows apps to access accounts with a digital key instead of requiring a user to reveal their username and password. We recommend that you share the user instructions (in this PDF file) with individuals in your organization to help them make the necessary changes. Alternatively, if your organization is using custom tools, you can ask the developer of the tool to update it to use OAuth. Developer instructions are also in this PDF file.
MDM configuration
If your organization uses a mobile device management (MDM) provider to configure IMAP, CalDAV CardDAV, or POP profiles, these services will be phased out according to the timeline below:
Beginning June 15, 2024 - MDM push of password based IMAP, CalDAV, CardDAV, and POP will no longer work for customers who try to connect for the first time. If you use Google MDM, you will not be able to turn on “Custom Push Configuration” settings for CalDAV and CardDAV.
Beginning September 30, 2024 - MDM push of password based IMAP, CalDAV, CardDAV, and POP will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. If you use Google MDM, “Custom push configuration-CalDAV” and “Custom push configuration-CardDAV” (more details about the settings here) will stop being effective.
Other less secure apps
For any other LSA, ask the developer of the app you are using to start supporting OAuth.
Scanners and other devices
For scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, configure to use OAuth, use an alternative method, or configure an App Password for use with the device. If you replace your device, look for one that sends email using OAuth.
We do plan on working on this before the deadline that Google has provided, we don’t want to lose POP3 polling and we are tracking internally. It’s quite disappointing that the net-pop PR has been blocked.
Hopefully we can come to some solution, I see someone from Meta has posted in that PR, I will too, maybe we can get some movement on that PR otherwise we will have to come up with some alternative like monkey-patching Net::POP3 in discourse core.
!