
How can I get PLAIN authentication working with Google's IMAP server?


So for a while I've been relying on the PLAIN support for logging into Google's IMAP server in my email client. Recently they started blocking that and returning an error (despite listing it as a supported authentication method).

For instance, take this example:

Connected to 'imap.gmail.com:993' using SSL
A0001 CAPABILITY
* OK Gimap ready for requests from ##.##.##.## cd6mb38777249ieb
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=XOAUTH
A0001 OK Thats all she wrote! cd6mb38777249ieb
A0002 AUTHENTICATE PLAIN
+
####################################
* NO [WEBALERT https://accounts.google.com/ContinueSignIn?sarp=1&scc=1&plt=AKgnsbszktZSU6iVmh...snip....] Web login required.
A0002 NO [ALERT] Please log in via your web browser: http://support.google.com/mail/accounts/bin/answer.py?answer=78754 (Failure)
SSL connection closed.
ScribeImap_Thread.cpp:647 - Connect to imap.gmail.com:993 failed.

I've tried opening the "https://accounts.google.com/ContinueSignIn..." URL in my browser.

And I get redirected to https://myaccount.google.com/ but the next login attempt fails as well. So it doesn't seem to change the authentication at all.

Is the PLAIN authentication just blocked completely or am I doing it wrong?

Alternatively, is there an authentication method that works and DOESN'T need a browser component to log in? (XOAUTH2 seems to need a web login as well)


Solution

  • It's pretty official:
    http://googledevelopers.blogspot.com.au/2015/04/a-final-farewell-to-clientlogin-oauth.html

    They have shut off PLAIN login completely and it's not coming back.

    So there are two options:

    1. Turn on "less secure apps".
    2. Implement OAUTH2.

    I've decided to implement OAUTH2 support (which isn't too far off working actually). Initially I thought I would need an embedded browser component in my app, but it turns out that I can launch the system browser and the user can copy the token across in a somewhat manual process.

    Interestingly, for those working on OAUTH2 support in their software, Google have set up a playground to see the whole process in practice:
    https://developers.google.com/oauthplayground/
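
The XOAUTH2 route from the answer above at the protocol level, as an added example that is not part of the original answer or of the poster's client: it parses the CAPABILITY line from the question, checks for AUTH=XOAUTH2 and SASL-IR, and builds the AUTHENTICATE command from an OAuth2 access token. The function names, user address and token are constructed for illustration, and obtaining the token (the browser step) is assumed to be done already.

```python
import base64
import json

# CAPABILITY response copied from the session in the question.
CAPABILITY = ("* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST "
              "CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN "
              "AUTH=PLAIN-CLIENTTOKEN AUTH=XOAUTH")


def parse_capabilities(line):
    """Return (set of AUTH mechanisms, whether SASL-IR is offered)."""
    atoms = line.split()[2:]  # drop "*" and "CAPABILITY"
    mechs = {a[5:].upper() for a in atoms if a.upper().startswith("AUTH=")}
    return mechs, "SASL-IR" in (a.upper() for a in atoms)


def xoauth2_response(user, access_token):
    """Base64 SASL XOAUTH2 client response: user=..^Aauth=Bearer ..^A^A."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("control character in user or token")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def authenticate_lines(tag, capability_line, user, access_token):
    """Lines the client sends to start AUTHENTICATE XOAUTH2."""
    mechs, sasl_ir = parse_capabilities(capability_line)
    if "XOAUTH2" not in mechs:
        raise RuntimeError("server does not advertise AUTH=XOAUTH2")
    resp = xoauth2_response(user, access_token)
    if sasl_ir:  # RFC 4959: the response rides on the command line
        return [f"{tag} AUTHENTICATE XOAUTH2 {resp}"]
    return [f"{tag} AUTHENTICATE XOAUTH2", resp]  # second line answers "+"


def decode_failure_challenge(line):
    """On failure the server sends '+ <base64 JSON>'; return it as a dict.
    The client then sends an empty line and receives the tagged NO."""
    return json.loads(base64.b64decode(line[2:].strip()))
```

The base64 response contains the bearer token, so it should be masked in protocol logs the same way the PLAIN credentials are masked in the session above.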