Re: oauth to be required for gmail

[Florian Weimer <fw@deneb.enyo.de>]

* David Engster:

> So I wondered: How does Thunderbird does it?
>
> Oh, there are the ID's and secrets:
>
> https://dxr.mozilla.org/comm-central/source/comm/mailnews/base/util/OAuth2Providers.jsm
>
> But it seems if you put a comment above it which says "Don't copy these
> values for your own application--register it yourself", then it's
> fine.
>
> This whole OAuth2 stuff is ridiculous.

Isn't there a different mode for Thunderbird, which performs a regular
web login and can also support third-party authentication for
enterprise accounts?  Admittedly, it's been a year or two since I
tried this.

Basically, what seems to happen is that Thunderbird sees the OAuth2
request in the IMAP handshake, starts its internal web browser,
renders the Google login page.  With an enterprise domain, Google then
automatically redirects to the external authentication source (based
on its preconfigured records), which can do any authentication it
wants (e.g., use Kerberos, so that the user doesn't even have to enter
a password), and then redirects back to Google, at which point Google
serves something back via the web browser which can be used to
complete the IMAP handshake.

My point is that it is pretty much impossible to complete that
sequence without a complete, Javascript-enabled web browser.  But that
mode, while ridiculously complex, still isn't as pointless as the
approach with static password that is not actually secret and thus
does not serve any purpose at all.