
google/gmail blocks offlineimap due to security #228

Closed
bjornfor opened this issue Aug 16, 2015 · 23 comments

Comments

@bjornfor

This is what happens when I run offlineimap:

OfflineIMAP 6.5.5
  Licensed under the GNU GPL v2+ (v2 or any later version)
*** Processing account GMail
Establishing connection to imap.gmail.com:993
PLAIN authentication failed: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
LOGIN authentication failed: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
ERROR: All authentication types failed:
    PLAIN: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
    LOGIN: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
*** Finished account 'GMail' in 0:00
ERROR: Exceptions occurred during the run!
ERROR: All authentication types failed:
    PLAIN: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
    LOGIN: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)

Visiting the URL above (https://support.google.com/accounts/answer/6010255) indicates that Google does not feel offlineimap is secure enough, and blocks it from logging in.

Google apparently has the option to "allowing less secure apps to access your account" by toggling a switch, but they don't recommend it (of course).

Is this a won't (can't) fix?

@nicolas33 nicolas33 added the bug label Aug 17, 2015
@chris001
Member

I've just been through this with another project.
The recommended approach is: do not save the plaintext password with the application.
Instead, save a revocable OAuth2 token, which is possible to generate from the Google OAuth playground page:
https://developers.google.com/oauthplayground/
The app (offlineimap, etc.) can save the token in a local disk file, and provide the token to Gmail when Gmail prompts for the password. Gmail will then log in OK.
The user can revoke this token at any time via their Google account. In case their machine suffered a security breach, the bad guys won't have stolen their plaintext password, only the token, which the user will revoke to prevent further loss of data or money from financial accounts (Google Wallet, Google AdWords, etc.).

@bjornfor
Author

Thanks for the info.

@chris001
Member

Welcome.
Here's some more info and Python code to obtain the OAuth2 access token automatically:
http://www.example-code.com/python/imap_gmail_oauth2.asp
https://github.com/richieforeman/oauth2gmail

PHP code with details to create an access token:
https://github.com/PHPMailer/PHPMailer/wiki/Using-Gmail-with-XOAUTH2

@Frizlab

Frizlab commented Sep 9, 2015

Concretely, how do I solve this?

@Frizlab

Frizlab commented Sep 9, 2015

Never mind, I found a solution: in the user's admin console (we have a Google Apps account), disable the login challenge (it's for 10 minutes only), then launch the synchronization.

@fser

fser commented Sep 9, 2015

I've been doing some Perl (which did not exist), if it can help: https://github.com/fser/google-imap-oauth

@nicolas33
Member

There was WIP on OAuth support but it could never hit the mainline. Someone could find it on GitHub, update it and submit.

@nicolas33
Member

OAuth2 was implemented and merged in the next branch.

@th1031

th1031 commented Nov 27, 2015

For those who use offlineimap for an occasional sync of their Gmail content, one can simply toggle access (must be logged in) for what Google deems less secure apps here:
http://www.google.com/settings/security/lesssecureapps

@nicolas33
Member

Interesting. This is worth writing up in the documentation on the website, IMHO.

@chris001
Member

Here is some Python code to do the OAuth2 login to Gmail:
https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough
However, the minor drawback is that user intervention is required one time per hour. The user must copy and paste a URL from the command line to a web browser, click OK in the browser, then copy/paste the token back into the command line.
There is surely a way to automate talking to the web server to receive the generated token, by impersonating the user in a browser, via Python curl.
Probably this code should be added to imaplib2 to support the new high-security default of Gmail IMAP login, and to support other secure web email that requires the high security of OAuth2. Probably Microsoft and Yahoo will default to requiring OAuth login soon, and every other webmail company will follow after them. Exceptions are available only through the web "allow less secure apps to access my mail" setting, which most users will want to avoid.

@vonpupp

vonpupp commented Dec 19, 2015

Hello,

How do I use OAuth with offlineimap? Is it documented somewhere? Shouldn't I get a URL after using it the first time so I can authorize the app on Gmail? I remember having done something similar on rainbowstream (a Twitter terminal client written in Python with OAuth support).

Thank you very much.

@nicolas33
Member

teto added a commit to teto/home that referenced this issue Feb 5, 2016
Otherwise it won't work with gmail. See
https://github.com/OfflineIMAP/offlineimap/blob/master/offlineimap.conf#L764
for how to configure properly.

The related issue is here:
OfflineIMAP/offlineimap#228

The easy way out is to remove this check:
https://www.google.com/settings/security/lesssecureapps

Also I have set up notmuch and offlineimap in a more XDG compatible way.
@jbouttier

Hi,
I use OfflineIMAP to make an hourly backup of my Gmail account. I tried using OAuth but it is not practical, since the access token generated by oauth2.py expires after one hour, hence I have to generate a new one for each backup. It seems that generating an access token, keeping the same refresh token, requires no user interaction and hence can be automated. One might write a script that generates an access token, puts it in .offlineimaprc, then runs offlineimap, but wouldn't it be simpler for OfflineIMAP to generate the access token directly?
Thanks for this nice tool.

@nicolas33
Member

I wonder if I might be missing something here. Isn't the oauth2_refresh_token setting in https://github.com/OfflineIMAP/offlineimap/blob/master/offlineimap.conf#L768 about automating the creation of this token?

@nicolas33 nicolas33 reopened this Apr 12, 2016
@nicolas33
Member

@Frizlab @cscorley am I wrong in my understanding of this setting, or should we write more documentation on how to configure offlineimap for OAuth2?

@th1031

th1031 commented Apr 12, 2016

Perhaps it would be useful to learn how another Gmail backup utility works with OAuth. Have a look here:
http://gmvault.org/in_depth.html

This utility handles the OAuth process by opening a web browser page (while you are logged into your Gmail account) and asking you to grant it access to your Gmail. There is little point in me adding much more; it's all well explained at the URL above.


@lasombra

https://github.com/insanum/gcalcli has an interesting automated approach for that.

@lyarwood

Make sure you remove oauth2_access_token from .offlineimaprc, otherwise the refresh token isn't used to fetch a new access token.
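An added example (not offlineimap's code, and not code posted by anyone in this thread) of the automation jbouttier asks about and the refresh-token behaviour lyarwood describes: the long-lived refresh token is exchanged at the token endpoint named later in this thread for a fresh one-hour access token, with no user interaction, and the result is fed to IMAP as a SASL XOAUTH2 string. The client_id, client_secret and refresh_token values are placeholders to be obtained through the OAuth playground linked earlier; `http_post` is an injectable hook so the exchange can be exercised offline.

```python
"""Refresh a Gmail OAuth2 access token and authenticate to IMAP with XOAUTH2."""
import imaplib
import json
import urllib.parse
import urllib.request

# Token endpoint quoted in this thread (Google's OAuth2 refresh_token grant).
TOKEN_URL = "https://accounts.google.com/o/oauth2/token"


def build_refresh_request(client_id, client_secret, refresh_token):
    """Form-encoded body for the refresh_token grant; no stored access token is needed."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    }).encode()


def parse_token_response(body):
    """Return (access_token, expires_in_seconds), or raise on a JSON error
    reply such as {"error": "invalid_request"} instead of passing it on to IMAP."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(
            f"token endpoint error: {data['error']} {data.get('error_description', '')}".strip())
    return data["access_token"], int(data.get("expires_in", 3600))


def _default_post(url, body):
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def refresh_access_token(client_id, client_secret, refresh_token, http_post=_default_post):
    """Exchange the long-lived refresh token for a fresh (about one hour) access token."""
    body = build_refresh_request(client_id, client_secret, refresh_token)
    return parse_token_response(http_post(TOKEN_URL, body))


def xoauth2_string(user, access_token):
    """SASL XOAUTH2 initial client response; imaplib base64-encodes it itself."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def imap_login(user, access_token, host="imap.gmail.com", port=993):
    """Open an IMAP-over-TLS session and authenticate with the access token only."""
    conn = imaplib.IMAP4_SSL(host, port)
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_string(user, access_token))
    return conn
```

Only the short-lived access token ever reaches the IMAP server; the refresh token stays on disk and can be revoked from the Google account, as chris001 describes above.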

@nicolas33
Member

@lyarwood Thanks. I made this commit: 7b4c47a, to improve the doc.

AFAICT, there is no issue with this feature, but enabling OAuth2 is not so easy. My above patch should make things clear.

Feel free to re-open if required.

@jbouttier

jbouttier commented Apr 25, 2016

Sorry for the slow reply. I tried removing oauth2_access_token from .offlineimaprc, but then I get an error; see the attached file.
error.txt

@nicolas33
Member

@jbouttier Please open a new issue and put the error message inline.

@atipico

atipico commented Feb 20, 2017

https://accounts.google.com/o/oauth2/token

{
"error" : "invalid_request"
}
