Gmail OAuth/OOB deprecation: how to fix?

Dave Ewart davee at sungate.co.uk
Thu May 5 20:51:32 UTC 2022


I setup Mutt to talk to Gmail (personal domain GSuite) last year by
following a HOWTO. Not sure which one, but this is what I have got in my
config. I must have done some initial setup for the client/tokens, but
haven't had to touch the configuration since.

# For Mutt talking to Gmail
set imap_user = "<full-email-address>" 
set imap_authenticators="oauthbearer"
set smtp_authenticators="oauthbearer"
set smtp_url = "smtp://<full-email-address>@smtp.gmail.com:587/"
set folder = "imaps://imap.gmail.com"
set spoolfile = "+INBOX"
# This pulls in the sensitive credentials/tokens
source "gpg2 -dq ~/.muttgmail.gpg |"
# It includes stuff like this...
# set imap_oauth_refresh_command="~/src/google-oauth-for-mutt/oauth2.py --quiet --user=<email> --client_id=<STUFF.apps.googleusercontent.com --client-secret=SECRET --refresh_token=TOKEN"
# set smtp_oauth_refresh_command=... (ditto)

This has been working well. Yesterday I got an email from Google which
seems to be suggesting something in the setup is using a deprecated
methodology. 

Excerpts from what they actually said:

    "Our records indicate you have OAuth clients that used the OAuth OOB
flow in the past.

    We are writing to inform you that OAuth out-of-band (OOB) flow will
be deprecated on October 3, 2022 [...]"

They refer to
https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html

    "What do I need to do?

    "Migrate your app(s) to an appropriate alternative method by
following these instructions [... as per the instructions in the blog
post above ...]:"

Then they list my 'apps', which is something I just called
'mutt-gmail-auth' in my GSuite account.

Being quite honest, I don't really understand what it's describing here
as I don't understand OAuth - I just followed a HOWTO! Nor can I see
what to do to fix it. I don't understand what OOB means in this context.
Does the config just need a minor tweak, or is this whole approach a
complete non-starter now that Google has changed stuff?

Cheers,

Dave.


-- 
Dave Ewart davee at sungate.co.uk, http://twitter.com/DaveEwart
All email from me is digitally signed, http://www.sungate.co.uk/
GPG key updated Jan 2013 see http://www.sungate.co.uk/gpg
Fingerprint: CF3A 93EF 01E6 16C5 AE7A  1D27 45E1 E473 378B B197
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1528 bytes
Desc: not available
URL: <http://lists.mutt.org/pipermail/mutt-users/attachments/20220505/570c8336/attachment.asc>


More information about the Mutt-users mailing list