Adding OAuth 2.0 support for IMAP/SMTP and XMPP to enhance auth security

By Ryan Troll, Application Security Team

Cross-posted with the Google Online Security Blog

Our users and developers take password security seriously and so do we. Passwords alone have weaknesses we all know about, so we’re working over the long term to support additional mechanisms to help protect user information. Over a year ago, we announced a recommendation that OAuth 2.0 become the standard authentication mechanism for our APIs so you can make the safest apps using Google platforms. You can use OAuth 2.0 to build clients and websites that securely access account data and work with our advanced security features, such as 2-step verification. But our commitment to OAuth 2.0 is not limited to web APIs. Today we’re going a step further by adding OAuth 2.0 support for IMAP/SMTP and XMPP. Developers using these protocols can now move to OAuth 2.0, and users will experience the benefits of more secure OAuth 2.0 clients.

When clients use OAuth 2.0, they never ask users for passwords. Users have tighter control over what data clients have access to, and clients never see a user's password, making it much harder for a password to be stolen. If a user has their laptop stolen, or has any reason to believe that a client has been compromised, they can revoke the client’s access without impacting anything else that has access to their data.

We are also announcing the deprecation of older authentication mechanisms. If you’re using these you should move to the new OAuth 2.0 APIs.

• We are deprecating XOAUTH for IMAP/SMTP, as it uses OAuth 1.0a, which was previously deprecated. Gmail will continue to support XOAUTH until OAuth 1.0a is shut down, at which time support will be discontinued.
• We are also deprecating X-GOOGLE-TOKEN and SASL PLAIN for XMPP, as they either accept passwords or rely on the previously deprecated ClientLogin. These mechanisms will continue to be supported until ClientLogin is shut down, at which time support for both will be discontinued.

Our team has been working hard since we announced our support of OAuth in 2008 to make it easy for you to create applications that use more secure mechanisms than passwords to protect user information. Check out the Google Developers Blog for examples, including the OAuth 2.0 Playground and Service Accounts, or see Using OAuth 2.0 to Access Google APIs.


Ryan Troll has been with Google since 2010, and now works with the Application Security Team, focusing on OAuth and 2-Step Verification. When not at work, he spends time with his family, reads, and occasionally plays poker.

Posted by Scott Knaster, Editor