[Alpine-info] Gmail IMAP with username+password (was: Instructions to configure XOAUTH2 in Gmail have changed)

Robert Wolf r.wolf.pine at atlas.cz
Thu Jun 9 16:34:21 PDT 2022




Hello Eduardo,


> That's interesting. I have found directions to use xoauth with offline email


Wow, I had not expected that offlineimap supports xoauth too. Great.



> This is interesting. While the use of XOAUTH2 over app generated passwords
> might be a matter of personal preference,


With the App password everything still works the same way, only the password is
different.



> I wonder why Google allows these still.


It's one application password (if someone steals this password, he can only
access data from this application, but cannot steal the whole account), and
it's generated (random characters, i.e. better than an "abc123" password). Maybe
that is why they allow it?



> Do you have to generate a password for different machines or can you use the
> same password for two different machines?


I just select which application I want to access (Mail, Calendar, Contacts, YouTube
and "other"??) and then the device from which I want to access it (predefined are
iPhone, iPad, BlackBerry, Mac, Windows Phone, Windows Computer and then "Other"
with a custom name). I have selected the "Mail" application and the "Other" device named
"imap". Then I can access the mailbox using IMAP with offlineimap or from alpine.




> (say a user needs access from office computer and from home computer).


It looks like he generates one password for access to Mail and then he can use
it as many times as he wants.



> If the answer is that the same password generated in one machine can be used
> to access in another machine, then I do not see much of a gain in security.


As discussed with my work colleague, there is higher security in that the password
is only for access to a specific application (not the whole google account) and
the password is a randomly generated 16 characters, which is better than passwords
created by users like "abc123". It's protecting the google account, but it's not
protecting the application any better.



> Refresh tokens cannot be moved from one machine to another. Typically any
> attempt to move a refresh token from one machine to another will make the
> refresh token lose its effectiveness (this is a problem that people find
> when they attempt to authorize Alpine in one machine and do the
> authorization process in another).


Yes, this is more secure. But, does it mean that I need to generate a new refresh
token every time I change my client IP? My offlineimap runs on a server with a fixed
IP, but on my notebook, I move to different networks. Then do I have to
generate a refresh token every time?


> What this potentially means is that if someone decodes a password file that
> contains an app generated password they will gain access to that account,
> but not if they decode such password file containing a refresh token.


Yes, that's true. Now the password file contains the password for IMAP access
only, not for the google account anymore. Of course, I can generate two different
passwords for offlineimap and for alpine, and if I find out that someone got one
password, I can delete it (and maybe generate a new one). It's something like API
tokens for web services - IP independent and for a specific app only.


Thank you.

Regards,

Robert Wolf.



