Tags: scribe oauth2
Google has switched off so-called "insecure" authentication methods, including "PLAIN", which Scribe relied on.
Today I got that draft implementation working well enough to be able to log in to the Gmail IMAP server using OAuth2. It does take you via a detour into your default browser, but in the end it works. It's also quite the hack job at this point, so I want to clean up the code and make the error handling at least very verbose. I will be making a release in the next few days off the stable branch that includes functional OAuth2 support.
It has been argued that Google's motivation in doing this is to force people onto the web and out of installed desktop/mobile clients, for the purpose of making Gmail's web UI more palatable. I remain unconvinced by this argument, in that there seems to be another reason that makes more sense to me. OAuth2 doesn't require the client to store the plain-text password, which reduces the possible points of failure for security. Most installed clients are bad at storing persistent account credentials in a fully secure fashion. So by removing that attack vector it could be argued that Google is doing app authors a favour.
I still find OAuth2 quite needlessly complicated. It's also very dependent on the client having lots of pre-configured knowledge about the server it's authenticating with. I mean, for every service for which Scribe will support OAuth2 authentication I have to have a unique ClientID and ClientSecret, as well as the token URI and access URI... none of which are "discoverable" on the fly, but hard coded in. So you can't connect Scribe to some arbitrary new service that supports OAuth2; I have to manually create support for each new service. I don't yet understand how that is a reasonable state of affairs.
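To make the "detour into the browser" and the hard-coded per-service values concrete, here is the installed-app authorization-code flow laid out end to end as an added example: build the browser URL, take the code back off the loopback redirect (checking `state`), build the token request, read the token reply, and finally form the SASL XOAUTH2 client response that Gmail IMAP accepts in place of a password. This is not Scribe's code and not from the post. The Google endpoint URLs, the loopback redirect address, the mail scope and the sample token reply are assumptions or constructed values, and `client_id`/`client_secret` are placeholders for the per-service values the paragraph above complains about having to hard code.

```python
import base64
import hmac
import json
import secrets
import urllib.parse

# Per-service configuration an OAuth2 client has to carry around.
# Assumed values (taken from Google's public documentation, not from the post).
AUTH_URI = "https://accounts.google.com/o/oauth2/v2/auth"   # "access URI": where the browser is sent
TOKEN_URI = "https://oauth2.googleapis.com/token"            # "token URI": where the code is swapped for tokens
MAIL_SCOPE = "https://mail.google.com/"                      # assumed scope covering IMAP access
# Installed clients listen on a loopback port and hand that address as the redirect target (assumed port).
REDIRECT_URI = "http://127.0.0.1:8089/"


def build_authorization_request(client_id, state):
    """Step 1: the URL the client opens in the user's default browser."""
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": MAIL_SCOPE,
        "state": state,                 # random per-attempt value, checked on the way back
        "access_type": "offline",       # ask for a refresh token so the password is never needed again
    }
    return AUTH_URI + "?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 2: the browser lands on the loopback listener; extract the code after checking state."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if "error" in qs:
        raise RuntimeError("authorization failed: %s" % qs["error"][0])
    state = qs.get("state", [""])[0]
    # Constant-time compare; a mismatch means this redirect was not produced by our request.
    if not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise RuntimeError("state mismatch: redirect does not belong to this login attempt")
    if "code" not in qs:
        raise RuntimeError("redirect carried no authorization code")
    return qs["code"][0]


def build_token_request(client_id, client_secret, code):
    """Step 3: URL and form body to POST to the token endpoint to swap the code for tokens."""
    body = urllib.parse.urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
    })
    return TOKEN_URI, body


def parse_token_response(body):
    """Step 4: pull the bearer token out of the JSON reply, failing loudly on anything unexpected."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError("token endpoint error: %s (%s)" % (data["error"], data.get("error_description", "")))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("unexpected token_type %r" % data.get("token_type"))
    return data["access_token"], data.get("refresh_token")


def xoauth2_initial_response(user, access_token):
    """Step 5: SASL XOAUTH2 initial client response: user=<addr>^Aauth=Bearer <token>^A^A, base64."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def imap_authenticate_command(tag, user, access_token):
    """The IMAP line the client sends instead of LOGIN/AUTHENTICATE PLAIN."""
    return "%s AUTHENTICATE XOAUTH2 %s" % (tag, xoauth2_initial_response(user, access_token))


def demo_flow():
    """Run the whole exchange on constructed inputs (no network) and return what each step produced."""
    client_id, client_secret = "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"
    state = secrets.token_urlsafe(16)
    auth_url = build_authorization_request(client_id, state)

    # Constructed redirect as the browser would deliver it to the loopback listener.
    good_redirect = REDIRECT_URI + "?" + urllib.parse.urlencode({"code": "4/constructed-code", "state": state})
    code = parse_redirect(good_redirect, state)

    # A redirect carrying somebody else's state must be rejected, not exchanged for a token.
    tampered = REDIRECT_URI + "?" + urllib.parse.urlencode({"code": "4/attacker-code", "state": "not-ours"})
    try:
        parse_redirect(tampered, state)
        tampered_rejected = False
    except RuntimeError:
        tampered_rejected = True

    token_url, token_body = build_token_request(client_id, client_secret, code)
    # Constructed token reply in the shape the token endpoint returns.
    sample_reply = json.dumps({"access_token": "tok", "token_type": "Bearer",
                               "expires_in": 3599, "refresh_token": "rtok"})
    access_token, refresh_token = parse_token_response(sample_reply)
    return {
        "auth_url": auth_url,
        "code": code,
        "tampered_rejected": tampered_rejected,
        "token_url": token_url,
        "token_body": token_body,
        "access_token": access_token,
        "refresh_token": refresh_token,
        "imap_line": imap_authenticate_command("a001", "u@example.com", access_token),
    }


if __name__ == "__main__":
    for key, value in demo_flow().items():
        print("%-17s %s" % (key, value))
```

Note what the client persists afterwards: the refresh token (and the client secret it was shipped with), not the account password. That is the "removing that attack vector" point from the previous paragraph, and it is also why the `state` check matters: the code arriving on the loopback port is the only thing standing between an attacker-supplied redirect and a token exchange.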