
I've gone through the process of creating an OAuth2 access token for a test application on my Google account (not using GSuite) and whenever I try to use it to authenticate using XOAUTH2 with imap.google.com, it fails and returns {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"} followed by the IMAP status response NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)

I've seen some other similar issues raised, and it turns out the problem was because they didn't use the scope https://mail.google.com/ when requesting the token. However, I did use that scope and the token validates; using https://www.googleapis.com/oauth2/v1/tokeninfo it returns:

{
  "issued_to": "xxxxx.apps.googleusercontent.com",
  "audience": "xxxxx.apps.googleusercontent.com",
  "scope": "https://mail.google.com/",
  "expires_in": 2083,
  "access_type": "offline"
}

The thing is, the same token works just fine with authenticating using Google's POP3 server, connecting to pop.gmail.com. It seems to be an issue specific to IMAP, and I checked, both POP3 and IMAP access are enabled for the Gmail account I'm testing with.

In addition, the same IMAP code which performs the XOAUTH2 authentication works just fine with Outlook and their access token. So I'm at a loss as to why Google is rejecting a valid token when I'm using the broadest scope available.

Any suggestions or insights would be welcome.

mstefanik
  • Which language and version are you using? Can you provide your request code? If the same token works for POP3 but not IMAP, probably the problem is not the token itself, but the request implementation, or using an old library version. – ziganotschka Aug 14 '20 at 11:27
  • It's my own code (written in C/C++) that's performing the authentication, not a third party library. And the thing is, the same IMAP code works just fine with bearer tokens for Outlook (which means the code that sends the AUTHENTICATE command to the IMAP server must be correct, otherwise the Outlook servers would reject the token as well). This is only presenting as an issue with Gmail and IMAP, no other service. Unfortunately, the error response from Google is rather unhelpful. – mstefanik Aug 14 '20 at 17:59

1 Answer

After doing some more testing, I was able to get this to work. The solution won't likely be helpful for anyone who isn't rolling their own OAuth2 code, but here was the problem. I was encoding the AUTHENTICATE request like this (where ^A is the SOH control character):

^Auser=username@gmail.com^Aauth=bearer ya29.a0AfH6SMA8fcO_RkV3sH73f.....^A^A

Google's POP3 server was completely fine with this, and so were Outlook's mail servers. However, Google's IMAP server apparently had a real issue with "bearer" not being capitalized. After reviewing RFC 7628, and despite this being stated explicitly in the standard:

Note to implementers: The SASL OAuth method names are case insensitive. One example uses "Bearer" but that could as easily be "bearer", "BEARER", or "BeArEr".

Changing the request to use "auth=Bearer" instead of "auth=bearer" allowed the client to authenticate. This is clearly a Google issue, but at least it's resolved.

mstefanik
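As an added illustration of the encoding the answer describes (this is example code, not the asker's implementation, and the helper names `base64_encode`, `xoauth2_raw`, `xoauth2_initial_response` and `imap_authenticate_command` are hypothetical), the following C program builds the SASL XOAUTH2 initial client response `user=<address>^Aauth=Bearer <token>^A^A` with the scheme name capitalised as "Bearer", base64-encodes it, and wraps it in a tagged IMAP AUTHENTICATE command. The address and token in `main` are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode len bytes of in; returns a malloc'd NUL-terminated string. */
char *base64_encode(const unsigned char *in, size_t len)
{
    char *out = malloc(4 * ((len + 2) / 3) + 1);
    size_t i = 0, j = 0;
    if (!out) return NULL;
    while (i + 2 < len) {                 /* full 3-byte groups */
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8) | in[i + 2];
        out[j++] = B64[(v >> 18) & 63];
        out[j++] = B64[(v >> 12) & 63];
        out[j++] = B64[(v >> 6) & 63];
        out[j++] = B64[v & 63];
        i += 3;
    }
    if (i < len) {                        /* 1 or 2 trailing bytes, '=' padded */
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)in[i + 1] << 8;
        out[j++] = B64[(v >> 18) & 63];
        out[j++] = B64[(v >> 12) & 63];
        out[j++] = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        out[j++] = '=';
    }
    out[j] = '\0';
    return out;
}

/* Raw XOAUTH2 initial client response (hypothetical helper):
 *   "user=" <address> ^A "auth=Bearer " <token> ^A ^A
 * ^A is the SOH byte 0x01. The scheme name is kept as "Bearer" because, as the
 * answer found, Gmail's IMAP server rejected lower-case "bearer".
 * Returns a malloc'd buffer; *out_len is its length in bytes. */
unsigned char *xoauth2_raw(const char *user, const char *token, size_t *out_len)
{
    size_t n = strlen("user=") + strlen(user) + 1
             + strlen("auth=Bearer ") + strlen(token) + 2;
    unsigned char *buf = malloc(n + 1);
    if (!buf) return NULL;
    /* "\x01" and "auth" are separate literals so the hex escape does not swallow the 'a'. */
    snprintf((char *)buf, n + 1, "user=%s\x01" "auth=Bearer %s\x01\x01", user, token);
    *out_len = n;
    return buf;
}

/* Base64 form of the response, i.e. what actually goes on the wire. */
char *xoauth2_initial_response(const char *user, const char *token)
{
    size_t n = 0;
    unsigned char *raw = xoauth2_raw(user, token, &n);
    char *enc = raw ? base64_encode(raw, n) : NULL;
    free(raw);
    return enc;
}

/* Tagged IMAP command with the initial response inline (SASL-IR, RFC 4959).
 * If a server does not advertise SASL-IR, send only "<tag> AUTHENTICATE XOAUTH2"
 * and transmit the base64 string after the server's "+" continuation instead. */
char *imap_authenticate_command(const char *tag, const char *user, const char *token)
{
    char *ir = xoauth2_initial_response(user, token);
    size_t n;
    char *line;
    if (!ir) return NULL;
    n = strlen(tag) + strlen(" AUTHENTICATE XOAUTH2 ") + strlen(ir) + 3; /* CR LF NUL */
    line = malloc(n);
    if (line) snprintf(line, n, "%s AUTHENTICATE XOAUTH2 %s\r\n", tag, ir);
    free(ir);
    return line;
}

int main(void)
{
    /* Constructed sample values; not a real mailbox or access token. */
    char *cmd = imap_authenticate_command("A1", "user@example.com", "ya29.EXAMPLE_TOKEN");
    if (!cmd) return 1;
    fputs(cmd, stdout);
    free(cmd);
    return 0;
}
```

The raw response contains 0x01 bytes, so its length is tracked explicitly rather than recovered with strlen after the fact; the base64 step hides those bytes from the IMAP line parser, which is the whole reason the mechanism is encoded this way.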