Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Limiting access to data in your Google account #2222

Open
Pectojin opened this issue Jun 25, 2019 · 14 comments

Comments

@Pectojin
Copy link
Contributor

commented Jun 25, 2019

Just got the below email. I'm hoping the Mailpile team was informed/is able to resolve this.

Same thing happened to gmvault (gaubert/gmvault#335 (comment)) and they weren't able to resolve it. It's a total PITA for end users to setup a personal oauth service to use the tool.

I'm not gonna speculate but I'm getting increasingly upset with Google pulling this stuff.


image

@BjarniRunar

This comment has been minimized.

Copy link
Member

commented Jun 29, 2019

Thanks for reporting this. I'll see if I can figure out WTF is going on. 😞

@h3artbl33d

This comment has been minimized.

Copy link

commented Jul 2, 2019

I think this is related to what Google calls "project Strobe". Your Gmail account in Mailpile, is it configured with OAuth? If so, you can fix this by reconfiguring your account using IMAP rather than OAuth.

When adding an account:

  1. Make sure IMAP is enabled for your Gmail account
  2. Untick the "Detect settings" box in the Basic Settings tab
  3. Configure the account as if it were a regular IMAP/SMTP account
  4. If you are using two factor authentication, generate an app password rather than inputting your normal password.

This should be sufficient to work around Google's ridiculous practices. If not, please reply and I'll help you wherever I can.

@BjarniRunar

This comment has been minimized.

Copy link
Member

commented Jul 2, 2019

Thanks @h3artbl33d for mentioning this; this is indeed a feasible workaround for people who are motivated and in trouble.

But for everyone else, if we can't access GMail accounts without jumping through hoops, that's a pretty major setback for the project. I'm hoping I can reach someone at Google to figure out what is going on. Their docs and instructions just don't make sense to me, I fear I may have missed some critical e-mails or something.

@h3artbl33d

This comment has been minimized.

Copy link

commented Jul 2, 2019

In retrospect: it was a part of a larger announcement; from the title or intro that was sent out way back, it wasn't very clear what the direct impact on Gmail OAuth was going to be; only by clicking some link and reading the webpage. More in-depth information:

https://developers.google.com/terms/api-services-user-data-policy#additional-requirements-for-specific-api-scopes
https://support.google.com/cloud/answer/9110914#restricted-scopes

It pretty much boils down to "limit your API scope, because we want to keep our monopoly at harvesting user data" (apologies for the harsh phrasing).

@BjarniRunar

This comment has been minimized.

Copy link
Member

commented Jul 3, 2019

As a mail client that wants to read and write e-mail on your behalf, we can't limit our scopes.

@h3artbl33d

This comment has been minimized.

Copy link

commented Jul 10, 2019

I totally understand that. This move that Google is making here is hurting the community. You could apply for the restricted scope verification: https://support.google.com/cloud/answer/9110914#restricted-scopes

I'd very much like to help you out any way I can. But other than researching this development, there is not much I can do. Personally, I wouldn't entrust a random stranger (which is what I am) with the credentials to request such a verification and collaborate with Google ;)

EDIT: It's even worse than I initially thought. According to the support link in the first paragraph:

What if my app is using IMAP or SMTP? Do I need to submit for verification?
Yes, because IMAP and SMTP usage require using https://mail.google.com/, you will need to submit your app for the restricted scope verification. If your usage of IMAP/SMTP is deemed to violate the minimum scope policy within the verification process, you will need to migrate to using the Gmail API by September 15, 2019.

So, if a project fails the verification process - which has vague guidelines to put it subtle - there isn't even a fallback to IMAP/SMTP possible anymore. Way to go Google!

@BjarniRunar

This comment has been minimized.

Copy link
Member

commented Jul 10, 2019

I still haven't gotten any responses from Google.

@BjarniRunar

This comment has been minimized.

Copy link
Member

commented Jul 10, 2019

Having pondered this briefly, I think I'm just going to abandon the existing credentials and try to create new ones this week. We missed whatever deadlines they had set, but there's nothing that says we can't register a "new" app with the perms we need. That may need a review, but hopefully this time I'll manage to navigate that...

@h3artbl33d

This comment has been minimized.

Copy link

commented Jul 10, 2019

Thank you kindly for your time and effort on this issue. It's bad that Google went down this road and indirectly hurting open source projects like Mailpile. If there is anything I can do to help, please ping me, I will gladly help Mailpile advance in any way I can.

@JackDca

This comment has been minimized.

Copy link
Contributor

commented Jul 18, 2019

For what it is worth - as of today 2019-07-18, which is 3 days past the deadline advertised by Google - I am still able to sign on and download new mail from three gmail accounts (i.e. mptest????@gmail.com) that I use for testing. I also tried sending from one to another (uses SMTP). This is using the current master e86d5ba.

The receive settings are IMAP/TLS/port 993/OAuth2.

Send settings are SMTP/TLS/port 465/OAuth2.

Either the deadline has been extended, or Google rethought the impact of invalidating IMAP and SMTP access, or Bjarni's credential efforts have been rewarded.

@BjarniRunar

This comment has been minimized.

Copy link
Member

commented Jul 18, 2019

All my mails were ignored, but I got an e-mail just a few minutes ago telling me that the deadline had passed and our credentials would be revoked. So, I expect things to break badly quite soon now.

I've applied for new credentials, but they say the process may take weeks and since I never got any responses to our last application, I'm not feeling much optimism this time around. Fingers crossed?

@BjarniRunar

This comment has been minimized.

Copy link
Member

commented Jul 19, 2019

So, uh, good news! Our access is revoked... but:

Turns out, brave users can still click through using the "advanced" option and decide to grant access anyway. So it's ugly and scary, but we're not dead in the water.

@BjarniRunar

This comment has been minimized.

Copy link
Member

commented Jul 19, 2019

@h3artbl33d

This comment has been minimized.

Copy link

commented Jul 19, 2019

@BjarniRunar I don't think I can do a better job, nor do I want to say anything about the effort you went through; would you give me a try with the big, bad and mean G to get this resolved?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.