GMail compatibility without app passwords #6454

Closed
Tracked by #3146
Hal1512 opened this issue May 14, 2022 · 30 comments · Fixed by #7430

Comments

@Hal1512

Hal1512 commented May 14, 2022

Is your feature request related to a problem? Please describe.

GMail considers the integration from this Mail app to be 'less secure'. They claim on their site that they will no longer support apps that log into your mail account with only user name and password.

https://support.google.com/accounts/answer/6010255?hl=en

Describe the solution you'd like

I believe that if the mail connector also asked for and presented an App Password to GMail, that qualifies as a more secure way to connect.

https://support.google.com/accounts/answer/185833

Describe alternatives you've considered

No response

Additional context

No response

@ChristophWurst ChristophWurst moved this to 📄 To do (5-20 entries) in 💌 📅 👥 Groupware team May 16, 2022
@ChristophWurst ChristophWurst moved this from 📄 To do (5-20 entries) to 🧭 Planning evaluation (dont pick) in 💌 📅 👥 Groupware team May 16, 2022
@feutl

feutl commented Jun 9, 2022

This is an issue now!
I have 2 accounts which do not work with nextcloud mail any more. The workaround to use 2FA and an app password is not a sufficient solution.
FairEmail fixed the issue on Android and let me sync my mails without setting up 2FA.

How could something like this not be resolved in time? Gmail is sadly used by lots of NC users - I am quite sure.

Also interesting nobody made any statement so far. It took me quite long to even realize this too, but still - should have been addressed already

@ChristophWurst
Member

My personal account still works.

@feutl

feutl commented Jun 9, 2022

@ChristophWurst
Have you set up 2FA with an app-specific password? If so, yes it works.
If not, I am surprised, all 3 of my accounts without 2FA do not work any more.

@ChristophWurst
Member

Right, I'm using 2FA with an app password.

@feutl

feutl commented Jun 9, 2022

And this is the issue, if you have not set up 2FA (for whatever reason) there is no app password option in gmail. Therefore the authentication needs to be fixed for those accounts.
As I said, FairEmail - the android client - has fixed this already some time ago.

@ChristophWurst ChristophWurst moved this from 🧭 Planning evaluation (dont pick) to 📄 To do (5-20 entries) in 💌 📅 👥 Groupware team Jun 9, 2022
@ChristophWurst ChristophWurst changed the title from "Enhancement/Will Soon Be A Bug - GMail needs a more secure connection starting May 30 2022" to "GMail needs a more secure connection" Jun 9, 2022
@ChristophWurst ChristophWurst changed the title from "GMail needs a more secure connection" to "GMail compatibility without app passwords" Jun 9, 2022
@MrPresident2

any news about that? I don't think we can use Gmail anymore

@enekonieto

Until someone is assigned I think we should hope no movement.

@MrPresident2

do you know about another way to connect Gmail to Nextcloud then?

@enekonieto

No, I am also stuck with this issue :(

@ChristophWurst ChristophWurst self-assigned this Jul 1, 2022
@ChristophWurst ChristophWurst moved this from 📄 To do (5-20 entries) to 🏗️ In progress in 💌 📅 👥 Groupware team Jul 1, 2022
@ChristophWurst
Member

ChristophWurst commented Jul 1, 2022

XOAUTH2 support will be added via #6819.

I have figured out what it takes to register Mail as a Google OAuth application. We will need admin settings and an adapted setup dialogue.

Moreover there needs to be a mechanism to detect and replace expired access tokens using the refresh token. I have not been able to trigger an expiration myself, but waiting until Monday morning could help. Simply removing the service from my Google accounts gives a generic failed authentication response.

S: 2 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
>> Command 2 took 0.8495 seconds.

\Horde_Imap_Client_Exception::LOGIN_EXPIRED https://www.rfc-editor.org/rfc/rfc5530.html is what Horde might throw. That would be great and we could trigger a token refresh when that specific error is thrown.

@ChristophWurst
Member

It causes a generic Invalid credentials. So we need to keep book about the token validity and do the refresh proactively.
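
The two comments above describe refreshing proactively because the IMAP server only answers with a generic `Invalid credentials`. The following is an added example of that bookkeeping together with the XOAUTH2 initial response; it is not code from this thread or from Nextcloud Mail, and it is written in Python rather than the app's PHP. `OAuthState`, `ensure_fresh`, the `refresh` callback, `ReauthorizationRequired` and the 300-second margin are assumptions made for illustration.

```python
import base64
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

REFRESH_MARGIN = 300  # assumed safety margin in seconds, not a provider value


class ReauthorizationRequired(Exception):
    """The refresh token was rejected; the user must grant consent again."""


@dataclass(frozen=True)
class OAuthState:
    access_token: str
    refresh_token: str
    expires_at: float  # Unix time, recorded when the token was issued


def xoauth2_initial_response(user: str, access_token: str) -> str:
    # SASL XOAUTH2: base64("user=" user ^A "auth=Bearer " token ^A ^A)
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def ensure_fresh(state: OAuthState,
                 refresh: Callable[[str], Optional[Tuple[str, int]]],
                 now: Optional[float] = None) -> OAuthState:
    """Return a state whose access token outlives REFRESH_MARGIN.

    `refresh` (hypothetical) exchanges the refresh token at the provider's
    token endpoint and returns (access_token, lifetime_seconds), or None
    when the provider rejects the refresh token (e.g. access was removed).
    """
    now = time.time() if now is None else now
    if now < state.expires_at - REFRESH_MARGIN:
        return state  # still valid, no network round trip
    result = refresh(state.refresh_token)
    if result is None:
        # Surface this before IMAP turns it into "Invalid credentials".
        raise ReauthorizationRequired("refresh token rejected")
    token, lifetime = result
    return OAuthState(token, state.refresh_token, now + lifetime)


def imap_authenticate_line(tag: str, user: str, state: OAuthState) -> str:
    # Call ensure_fresh() first; the server's failure reply does not say why.
    return f"{tag} AUTHENTICATE XOAUTH2 " \
           f"{xoauth2_initial_response(user, state.access_token)}"
```

Persist the returned state after every refresh so the recorded `expires_at` stays in step with the token actually in use.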

@ChristophWurst
Member

POC is at #6830. Linking the Nextcloud Mail account to Gmail works. Keeping the access token updated works.

The open todos are mostly about handling all possible conditions during the setup and making sure the app stays usable with this new auth option.

@ChristophWurst
Member

#6830 (comment) sneak preview

@feutl

feutl commented Jul 11, 2022

I have the feeling that also outlook.com or MS365 accounts cannot be added to Mail right now.
I have an enterprise subscription which I wanted to add to Mail but I am struggling. I assume the same issue.
Right now I am stuck at "automatically" adding the account to Mail, but even if I add it manually authentication fails.

@ChristophWurst
Member

Related: #6591

@Dvalin21

Google no longer or at least it doesn't show up when I got there a way to add an "App" Password. I keep getting this setting is no longer available.

@feutl

feutl commented Aug 17, 2022

Any news when this is getting released?
Got quite silent the last days after the initial push by @ChristophWurst

@ChristophWurst
Member

I can't give an ETA at this point. It's ongoing work but there are lots of things happening at the time.

@feutl

feutl commented Aug 18, 2022

great, like to hear that lots of things are happening :D thanks

@feutl

feutl commented Feb 28, 2023

Any timeframe when this gets released, it is almost a year now.

@ChristophWurst
Member

2022-12-05

@feutl

feutl commented Feb 28, 2023

ok, I found the hint in the release notes but really struggling in getting this working.
The information in the NC admin panel as well as https://github.com/nextcloud/mail/blob/main/doc/admin.md are very rudimentary - as a non DEV ;)
Still struggling in finding the right api - app to get started.

@ChristophWurst
Member

OAuth is technical. We can't change that. Selfhosting and OAuth is always a bit painful.

@feutl

feutl commented Feb 28, 2023

Would be great to have more guidance, like how to set up the "OAuth-Zustimmungsbildschirm" correctly and so on.
Had a look at help.nextcloud.com but could not find anything more specific there either.

@digitalrevisor

Hi, I have been trying to find the right place to write this, and here is my best bet I think.
We have an issue with Google integration Oauth.

We have set up an OAuth consent screen and a client.
And that works fine with @gmail.com accounts but Google email accounts with other domains do not, i.e. @digitalrevisor.no.

What happens when trying to log in with the @digitalrevisor.no domain I get a message below: IMAP username or password is wrong and the consent screen does not appear.
This is a Google account and works with all other Google Oauth solutions. (Including Connected Accounts in Nextcloud)

Is the login for Mail just looking for @gmail.com before it opens the consent screen?
If so, is there or can you add a possibility to add domains in the Google integration settings?

Should I create a new issue for this?

@ChristophWurst
Member

Gmail OAuth is only used for accounts hosted by Google. Yours does not seem to be

image

In any case, Github is for bugs. Please open a topic at https://help.nextcloud.com/c/apps/mail/35 for community support.

@digitalrevisor

Noted. Only Google Oauth implementation we have ever seen not accepting Google accounts with a different domain than @gmail.com is not a bug, but a feature I guess then.

Note: I believe that this is the reason why one has a separate sign-in with a Google button:
If the app had put Google.com instead of one.com it would work.

It is in no way uncommon for organizations to use their own domains for both Google and Microsoft accounts.

@tmrlvi
Contributor

tmrlvi commented Jun 9, 2023

Are you sure your email is hosted by gmail? If so, you can try to manually set up the connection with gmail's smtp and imap configuration (without password), and the authorization screen will pop up.
However, connection (post oauth login) will fail if it isn't actually hosted on gmail.

@digitalrevisor

GoogleOauthLogin.mp4

Here is a video logging in via Google Oauth to Google data migration app in Nextcloud with a @digitalrevisor.no domain.
I can't believe that we are the only ones going to have issues with logging into the Mail app.

@ChristophWurst
Member

@nextcloud nextcloud locked as resolved and limited conversation to collaborators Jun 12, 2023

8 participants