Add richer authentication support for POP3

That’s great indeed, TLS is also a requirement for Exchange Online. But still, authentication is made by basic-auth (if I understand well the following code, there is no way to choose between any other authentication mechanism like OAuth2) discourse/poll_mailbox.rb at tests-passed · discourse/discourse (github.com)

Tracing down a bit more, it seems that the Class: Net::POP3 (Ruby 2.7.0) (ruby-doc.org) library in Ruby does not support OAuth2 authentication, just basic one.

For reference:

It just expects a user and a password, rather than a user and a token, plus it would need to use the AUTH XOAUTH2 format for encoding and transmitting the token.

Sorry if I was not clear in my question, but I’m more asking about having a similar approach as per the following examples:

These approaches will allow Discourse to connect to POP3 (and hence IMAP) with OAuth2 authentication, thus fullfilling the requirements for MS and probably for GMail in the near future if not now ( OAuth 2.0 Mechanism | Gmail IMAP | Google Developers).

11 Likes

I think this is a very fine feature request and I very much support adding OAuth2 support to POP3.

Can’t commit though to when we can build it, but if a PR popped up we would certainly prioritize reviewing and merging it

10 Likes

Awesome, thank you so much! :clap:

Looking forward to seeing this feature around!

1 Like

AFAICS, Google/Gmail disabled POP3 authentication other than OAuth on 30.5. Therefore, I cannot retrieve mails via POP3 any more. Would be great if Discourse would support OAuth2.

I couldn’t find any other topic besides this one. Am I the only one using Gmail with Discourse?

1 Like

You can still use an App Password to authenticate with Gmail via POP3. Here is a recent relevant topic:

4 Likes

Just for those interested in the topic, there is a PR opened by our colleague @acosenza, feedback welcomed!

3 Likes

… and a fully functional alternate approach provided via plugin as explained in Microsoft Graph Mail Poller - plugin - Discourse Meta

Hope this raises interest for the community :tada: !

4 Likes

Bump because Google is about to pull the plug on Workspace accounts as well.

I see that PR was closed because of some dependency issues.
App passwords are still valid (for now), but oauth would be nice.

Email from Google: tldr - use oauth2 after sept 2024

Starting September 30, 2024, Google Workspace accounts will only allow access to apps using OAuth. Password-based access (with the exception of App Passwords) will no longer be supported. POP and IMAP are NOT going away and can still be enabled with apps that connect using OAuth.

Dear Administrator,

We’re writing to let you know that as we previously shared in this blog post, we’ll be turning off access to less secure apps (LSA) — non-Google apps that can access Google accounts with only a username and password (basic authentication) — starting June 15, 2024.

What do you need to know?

Access through basic authentication makes accounts more vulnerable to hijacking attempts. Moving forward, only apps that support a more modern and secure access method called OAuth will be able to access Google Workspace accounts.

Access to LSAs will be turned off in two stages:

  1. Beginning June 15, 2024 - The LSA settings will be removed from the Admin console and can no longer be changed. Enabled users can connect after that time, but disabled users will no longer be able to access LSAs. This includes all third-party apps that require password-only access to Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP.The IMAP enable/disable settings will be removed from users’ Gmail settings.If you’ve been using LSAs prior to this date, you can continue using them until September 30, 2024.
  2. Beginning September 30, 2024 - Access to LSAs will be turned off for all Google Workspace accounts. CalDAV, CardDAV, IMAP, and POP will no longer work when signing in with just a password — you will need to login with a more secure type of access called OAuth.

What do you need to do?

In order for your end users to continue using these types of apps with their Google Workspace accounts, they must switch to a more secure type of access called OAuth (a list of affected users is attached). This authentication method allows apps to access accounts with a digital key instead of requiring a user to reveal their username and password. We recommend that you share the user instructions (in this PDF file) with individuals in your organization to help them make the necessary changes. Alternatively, if your organization is using custom tools, you can ask the developer of the tool to update it to use OAuth. Developer instructions are also in this PDF file.

MDM configuration

If your organization uses a mobile device management (MDM) provider to configure IMAP, CalDAV CardDAV, or POP profiles, these services will be phased out according to the timeline below:

  1. Beginning June 15, 2024 - MDM push of password based IMAP, CalDAV, CardDAV, and POP will no longer work for customers who try to connect for the first time. If you use Google MDM, you will not be able to turn on “Custom Push Configuration” settings for CalDAV and CardDAV.
  2. Beginning September 30, 2024 - MDM push of password based IMAP, CalDAV, CardDAV, and POP will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. If you use Google MDM, “Custom push configuration-CalDAV” and “Custom push configuration-CardDAV” (more details about the settings here) will stop being effective.

Other less secure apps

  • For any other LSA, ask the developer of the app you are using to start supporting OAuth.

Scanners and other devices

For scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, configure to use OAuth, use an alternative method, or configure an App Password for use with the device. If you replace your device, look for one that sends email using OAuth.

2 Likes

Since the PR is blocked by the upstream net-pop PR, are there any known workarounds for GSuite hosted accounts?

1 Like

Perhaps @team can give us an update on the plans for this feature?

1 Like

First of all I want to say thanks Ismael to your and your colleague Alessio for doing the legwork you have so far especially with Add OAUTH2 support by AlessioC31 · Pull Request #16 · ruby/net-pop · GitHub .

We do plan on working on this before the deadline that Google has provided, we don’t want to lose POP3 polling and we are tracking internally. It’s quite disappointing that the net-pop PR has been blocked.

Hopefully we can come to some solution, I see someone from Meta has posted in that PR, I will too, maybe we can get some movement on that PR otherwise we will have to come up with some alternative like monkey-patching Net::POP3 in discourse core.

4 Likes

Hi there any progress on this one? as the Google deadline is around the corner…

We discovered that actually there is nothing to do yet. Google will still support App Passwords per the following articles:

So the only thing to do if you are using SMPT/POP3 with Discourse and Google is to make sure you are using an App Password from Google.

5 Likes