Atozed Forums

Full Version: Indy, OAuth 2.0 with protocol POP
Hi,
Is it possible to receive mails using POP3 with OAuth 2.0 with the newest version of Indy? I managed to receive mails using IMAP with OAuth 2.0 as well as sending with SMTP with OAuth 2.0, but I cannot do it with POP3 (I can do it using an App Password (ASP), but I want to avoid it). Thank you for your quick replies.
(04-27-2020, 09:16 AM) IndyBeginner wrote: is it possible to receive mails using POP3 with OAuth 2.0 with newest version of Indy?

Indy does not have any native support for OAuth at this time. There are some 3rd party implementations floating around, though.

(04-27-2020, 09:16 AM) IndyBeginner wrote: I manage to receive mails using IMAP with OAuth 2.0 as well as sending with SMTP with OAuth 2.0, but I cannot do it with POP3

Why not? What is the actual problem you are experiencing? Using OAuth with POP3 shouldn't be any different than using it with IMAP and SMTP. How are you using OAuth with IMAP and SMTP to begin with? Are you sure that your POP3 server even supports OAuth? Please be more specific.
Let me start explaining:
I managed to connect via SMTP based on the project: https://github.com/geoffsmith82/GmailAuthSMTP . In a similar way, I did it with IMAP.
But when I try to connect via POP3, like I do via IMAP, I fail. On most forums, people write that Google does not support OAuth 2.0 on POP3, e.g.:
https://support.google.com/mail/thread/23553381?hl=en . These are posts from the end of 2019, BUT on the official Google site, they claim that OAuth 2.0 is supported, e.g.: https://developers.google.com/gmail/imap...2-protocol . The last update was at the beginning of April. I decided to look inside the Indy code, at the IdPOP3 and IdIMAP4 classes. I found differences in the part of the code where authorization is - please look at the TIdIMAP4.Login and TIdPOP3.Login pictures in the attachment. I use initial-response in connections via SMTP and IMAP, but it looks like TIdPOP3 does not support initial-response. So, will I manage to connect with OAuth2 with POP3 in Indy (avoiding using an app password)?
(04-28-2020, 07:40 AM) IndyBeginner wrote: I decided to look inside the Indy code, to IdPOP3 and IdIMAP4 classes. I found differences in the part of code, where authorization is - please, look at the TIdIMAP4.Login and TIdPOP3.Login pictures in attachment. I use initial-response in connection via SMTP and IMAP, but it looks like TIdPOP3 does not support initial-response.

There are comments about that in the source code for TIdPOP3.Login() and TIdSASLEntries.LoginSASL(), which is the method that both TIdPOP3 and TIdSMTP use:

Code:
// SASL in POP3 did not originally support Initial-Response. It was added
// in RFC 2449 along with the CAPA command. If a server supports the CAPA
// command then it *should* also support Initial-Response as well, however
// many POP3 servers support CAPA but do not support Initial-Response
// (which was formalized in RFC 5034). So, until we can handle that
// descrepency better, we will simply disable Initial-Response for now.

Code:
// SASL in SMTP and DICT supported Initial-Response from the beginning,
// as should any new SASL-enabled protocol moving forward.
//
// SASL in IMAP did not originally support Initial-Response, but it was
// added in RFC 4959 along with an explicit capability ('SASL-IR') to
// indicate when Initial-Response is supported. SASL in IMAP is currently
// handled by TIdIMAP4 directly, but should it be updated to use
// TIdSASLEntries.LoginSASL() in the future then it will set the
// ACanAttemptIR parameter accordingly.
//
// SASL in POP3 did not originally support Initial-Response. It was added
// in RFC 2449 along with the CAPA command. If a server supports the CAPA
// command then it *should* also support Initial-Response as well, however
// many POP3 servers support CAPA but do not support Initial-Response
// (which was formalized in RFC 5034). So, to handle that descrepency,
// TIdPOP3 currently sets ACanAttemptIR to false.  In the future, we could
// let it set ACanAttemptIR to True instead, and then if Initial-Response
// fails here for POP3 then re-attempt without Initial-Response before
// exiting with a failure.

As you can see in TIdPOP3.Login(), it does indeed set ACanAttemptIR=False, whereas TIdSMTP sets ACanAttemptIR=True unconditionally, and TIdIMAP4 uses the initial-response parameter based on the presence of the SASL-IR capability.

So, to do what you want in POP3, you will have to set ACanAttemptIR=True instead, but know that it MAY fail on older non-Google servers.

On the other hand, the initial-response parameter of an AUTH command in POP3 is optional, even by modern RFCs, so Google should not be requiring clients to use the initial-response parameter. If it is, that is a bug on Google's part.

(04-28-2020, 07:40 AM) IndyBeginner wrote: So, will I manage to connect with OAuth2 with POP3 in Indy (avoiding using app password)?

If Google is requiring the use of the initial-response parameter in an AUTH XOAUTH2 command, and if you don't update the source code for TIdPOP3.Login() to set ACanAttemptIR=True, then no, unless you handle the SASL commands manually by calling TIdPOP3.SendCmd() directly.
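
The retry strategy described in the quoted TIdSASLEntries.LoginSASL() comment (attempt Initial-Response, then re-attempt without it), shown at the protocol level as an added example; this is Python written for illustration, not Indy code and not part of the original thread. The names `auth_xoauth2`, `make_server` and the `send` callback are hypothetical, the scripted server and credentials are constructed, and the 255-octet check follows the RFC 2449 command-line limit that RFC 5034 applies to AUTH.

```python
import base64

MAX_LINE = 255  # RFC 2449 limit on a POP3 command line, CRLF included

def xoauth2_blob(user, token):
    # XOAUTH2 SASL string: fields separated by Ctrl-A, then base64-encoded.
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def auth_xoauth2(send, user, token, try_ir=True):
    """send(line) returns the server's reply line. Returns (ok, transcript)."""
    blob, log = xoauth2_blob(user, token), []
    def cmd(line):
        reply = send(line)
        log.append((line.replace(blob, "<blob>"), reply))  # keep token out of logs
        return reply
    ir_line = f"AUTH XOAUTH2 {blob}"
    # RFC 5034: do not use initial-response if the line would exceed the limit.
    if try_ir and len(ir_line) + 2 <= MAX_LINE:
        if cmd(ir_line).startswith("+OK"):
            return True, log
        # -ERR is ambiguous (no IR support or bad token): retry once without IR.
    reply = cmd("AUTH XOAUTH2")
    if reply.startswith("+ "):  # empty challenge: server now expects the blob
        reply = cmd(blob)
    return reply.startswith("+OK"), log

def make_server(supports_ir, good_blob):
    """Constructed stand-in for a POP3 server, not a real server's behaviour."""
    pending = [False]
    def send(line):
        if pending[0]:
            pending[0] = False
            return "+OK Welcome." if line == good_blob else "-ERR auth failed"
        parts = line.split(" ")
        if parts[:2] != ["AUTH", "XOAUTH2"]:
            return "-ERR unknown command"
        if len(parts) == 2:
            pending[0] = True
            return "+ "
        if not supports_ir:
            return "-ERR too many arguments"
        return "+OK Welcome." if parts[2] == good_blob else "-ERR auth failed"
    return send

if __name__ == "__main__":
    good = xoauth2_blob("user@example.com", "constructed-token")
    for ir in (True, False):  # IR-capable server, then a legacy one
        print(auth_xoauth2(make_server(ir, good), "user@example.com", "constructed-token"))
```

Because a rejected initial-response cannot be told apart from a rejected token, the retry makes an invalid token produce two failed AUTH attempts, which matters on servers that rate-limit or lock out on failures.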