Fetchmail: add support for Oauth2

[StefanRijnhart]

IMAP access to G-Suite will be removed in the near future: https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html

If I understand correctly, the critical path seems to be that new installations won't be able to connect to G-Suite for IMAP after 20th of June 2020. It is less clear to me if SMTP access is also being curtailed.

While imaplib has supported Oauth2 authentication for a long time (
http://rakeshmukundan.in/2013/01/23/access-gmail-python-imaplib-and-python-with-oauth2/), it looks like the integration in Odoo is not yet present (https://github.com/odoo/odoo/blob/master/addons/fetchmail/models/fetchmail.py#L103-L108).

[Yenthe666]

@mart-e I guess you're a good person to give initial feedback on this one :) I saw some topic about this in the past but can't find it anymore. Not even sure if it was on Github.

[StefanRijnhart]

Ah sorry, wrong blog post. Here is the blog post mentioning the cutoff dates: https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html. I'll update the issue description.

[eLBati]

I think SMTP will be affected too: accessing to gmail accounts with SMTP does not work without enabling less secure apps (an old issue at #1810)

[rim-odoo]

We are reviewing this question internally and should get back to you soon

(internal task: 2170676)

[fabioce]

Any news about this topic?
Thanks

[gurneyalex]

@rim-odoo Hello what's the status on this issue?

[rim-odoo]

@gurneyalex The task has been validated and is worked on internally :)
The fix should be merged before Google removes password authentication for good

[nbessi]

@rim-odoo any update on that issue. Is there a PR somewhere ?

[rim-odoo]

I got the confirmation that our R&D team is still working on developing a fix for this issue.

Please also note that Google has postponed the removal of basic password authentication, sine die : https://gsuiteupdates.googleblog.com/2020/03/less-secure-app-turn-off-suspended.html

[Shide]

@rim-odoo Any notice about that?

[BT-dschleich]

@rim-odoo any news yet about the progress?

[ShahRajper]

@rim-odoo any update/news on this?

[Yenthe666]

See also #44943 and #64213

[gamarino]

Access to non-secure apps is banned for google accounts with 2 factor authentication. The only alternative right now is application passwords, that it is not recommended by Google and it should be reconfigured each time the account owner updates his password

[Yenthe666]

Yes indeed, I've noticed so too. Sadly still not any update/support about this matter from Odoo.

[pavelsodomka]

Any news after 19 months ?

[Yenthe666]

This is kinda getting ridiculous. @rim-odoo any update? "should get back to you soon" should be any day now, right? 🤦

[pedrobaeza]

@rim-odoo is no longer working at Odoo.

[pavelsodomka]

Is there still anyone working at Odoo besides the 1700 account managers ? I really think this a basic security requirement pushed both by Google and Microsoft and the fix is rather easy and straightforward. OAuth 2 is not a rocket science.

[Yenthe666]

Wow, I totally didn't register that.. @odony and @mart-e can you two as main security guys please jump in here?

[mart-e]

As you have noticed, there is an ongoing development at #64213 (and #64215), so yes, it will land into Odoo, hopefully soon but can't promise you more, sorry.

[Yenthe666]

There has been zero movements in 9 months though :/

[mgielissen]

Office365 stops with basic authentication in october 2022
https://office365itpros.com/2021/09/24/basic-authentication-exchange-online-tenants-stops-october-2022/

[JosDeGraeve]

We've gone ahead and opted for smtp for incoming mail, because this is what odoo is using too.
We created an lmtp container that delivers email to an odoo instance
It looks for xmlrpc credentials in a json file, using the destination domain / recipient as key.

https://gitlab.com/Apertoso/docker/odoo-lmtp/-/blob/main/odoo-lmtpd.py

[gurneyalex]

hello @mart-e what is the status of this ? I see #64215 was closed recently, but #64213 is still moving...

[tde-banana-odoo]

hello @mart-e what is the status of this ? I see #64215 was closed recently, but #64213 is still moving...

Hello @gurneyalex ,

Master version PR was used mainly for review, dev and testing. We plan to merge in all major versions (13+) and we will try to backport in 12 if code applies without too much changes (seems to be the case so currently still in our plans). Rationale is that even if 12.0 is EOL people may take time to migrate towards 13.0, hence trying to support it.

Cheers !

[sthibaul]

google announced they will be requiring oauth from May 30th

[gurneyalex]

backport to earlier odoo versions: OCA/social#860

[yajo]

This can be closed, right?

[gurneyalex]

@yajo yes

[eLBati]

With odoo 12 I am getting

The redirect URI in the request, urn:ietf:wg:oauth:2.0:oob, can only be used by a Client ID for native application. It is not allowed for the WEB client type. You can create a Client ID for native application at https://console.developers.google.com/apis/credentials/oauthclient

after clicking on Get an Authorization Code on ir.mail_server

Did anyone managed to connect to gmail?

Thanks

[eLBati]

Anyway, we are enabling "apps passwords" as a workaround
https://support.google.com/accounts/answer/185833

[blaskurain]

@eLBati try configuring the access for a Desktop app instead of a web application.

[mlaitinen]

Code exists, no documentation. Typical Odoo.

Ran into the same error message as @eLBati. Changing the application type to a "Desktop app" didn't help. But luckily, I found a workaround for setting up the incoming email using OAuth2.

1. Follow Odoo's instructions for setting up the OAuth2 login, up until the "Retrieve the Client ID" step
2. Enable "External Email Servers" in the General Settings (and save)
3. Store the Client ID and Client Secret under "Gmail Credentials" in the General Settings
4. Change the google_redirect_uri to http://localhost:8069/auth_oauth/signin (I was running Odoo locally, you might want to enter the real address there)
5. Create a new incoming mail server, fill in the fields (remember to select "Gmail") and click the authorization URL link
6. Choose the Google account, allow access, etc.
7. When the authentication procedure redirects you back to the google_redirect_uri, Odoo displays an error, BUT, you can now copy the authorization code from the URL. Simply copy the part after code= and before &scope=.
8. Paste the authorization code to the incoming email server settings, save and test.

Not sure whether the google_redirect_uri is used for something else, so you might want to revert that to the original value after performing these steps.

[matteoopenf]

I try to install on odoo 12.0, but I obtain the module is not completely installed:

Someone have the same problem?