Add XOAUTH2 support?

Brandon Long blong at
Thu Apr 4 17:37:05 UTC 2019

XOAUTH2 is just OAUTHBEARER but based on an earlier draft, so yes, it's
very similar.  We had to ship it at Google because we we're deprecating
oauth1 and our XOAUTH with it, and the rfc was taking longer than we'd

Given the large population of users, I'd be for supporting it,
maybe with the caveat that we'll remove it when they support OAUTHBEARER.
Up to you.

I'll see if I can find someone at MS to ping about it, my old contact
decamped to FB last year.


On Thu, Apr 4, 2019, 9:17 AM Kevin J. McCarthy <kevin at> wrote:

> On Wed, Apr 03, 2019 at 06:47:19PM -0500, Alexander Perlis wrote:
> >Mutt supports OAUTHBEARER. Would patches adding XOAUTH2 be welcome?
> Authentication schemes and OAUTH/XOAUTH2/etc are not really my area.
> I'm Cc'ing the original contributor of the OAUTHBEARER patches.
> Brandon, I would greatly appreciate your input on this matter.
> Based on your description, _technically_ it wouldn't be hard to refactor
> the existing functions with a XOAUTH2/OAUTHBEARER flag and just generate
> the correct string for each.  If it did get done, I would prefer it to
> be explicit (i.e. approach #2), and would lean toward XOAUTH2 not being
> auto-tried when the authenticators list is empty.
> However, this feels to me like a step in the wrong direction.  The RFC
> is coming up on 4 years old, and as you mentioned Microsoft themselves
> had a hand in producing it.  Even though the patch probably wouldn't be
> horrific, it is still a technical burden for an already deprecated
> non-standardized scheme.
> Unless Microsoft has indicated they have no intention of implementing
> OAUTHBEARER support, I would lean against the change.
> --
> Kevin J. McCarthy
> GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Mutt-dev mailing list