Gmail IMAP OAuth for desktop clients


Problem description

Recently Google announced that they are supporting OAuth for Gmail IMAP/SMTP. I browsed through their multiple documents, but I am still confused about whether they support OAuth for installed applications.

1. In this documentation they say:

Note: Though the OAuth protocol supports the desktop/installed application use case, Google only supports OAuth for web applications.

But they also have a document for OAuth for installed applications.

2. When I read the OAuth specification pointed to by them, it says (in section 11.7):

In many applications, the Consumer application will be under the control of potentially untrusted parties. For example, if the Consumer is a freely available desktop application, an attacker may be able to download a copy for analysis. In such cases, attackers will be able to recover the Consumer Secret used to authenticate the Consumer to the Service Provider.

Also I think the disclaimer in point 1 above is about Google Data APIs, and surely IMAP/SMTP is not a part of them.

I understand that for installed applications I can have a setup like:

  1. Have a small web-app at, say, example.com for my application. This web-app talks to Google and gets the access token.

  2. The installed application talks to example.com only to get the access token.

  3. Installed application then talks to Google with the access token.

I am now confused. Is this the only way? Also, if I do OAuth from a desktop application, we have to ship the Consumer Secret key with the app. Then, we can't maintain secrecy of the consumer key.

Solution

Yes, OAuth is supported for installed applications; see the Gmail IMAP and SMTP using OAuth documentation.

  1. Documentation is simply outdated (2008)
  2. It makes sense, but just for applications that do not store the access token in a safe way.

Your setup is good, although I don't think having a web-app that talks with Google is mandatory; for example, your users could just copy and paste the "request token" into your desktop client application.
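
The following is an added example, not part of the original post or of Google's documentation. It implements OAuth 1.0 HMAC-SHA1 request signing to show that the signing key combines the consumer secret shipped with the application and the per-user token secret, which is why point 2 of the answer turns on how the client stores its access token. All secrets, the URL and the parameter values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values, not real credentials.
CONSUMER_SECRET = "shipped-inside-the-desktop-app"
TOKEN_SECRET = "issued-per-user-stored-by-the-client"
URL = "https://mail.example.com/imap/"
PARAMS = {"oauth_consumer_key": "app.example.com", "oauth_token": "user-token",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1300000000", "oauth_nonce": "n1"}


def pct(value):
    return quote(value, safe="-._~")  # only unreserved characters stay literal


def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter list."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def signing_key(consumer_secret, token_secret):
    """HMAC-SHA1 key: both secrets, each encoded, joined by '&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(method, url, params, consumer_secret, token_secret):
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify(signature, method, url, params, consumer_secret, token_secret):
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(signature, expected)  # constant-time compare


def consumer_secret_alone_suffices():
    """Sign with the app's secret but no token secret; does the provider accept it?"""
    forged = sign("GET", URL, PARAMS, CONSUMER_SECRET, "")
    return verify(forged, "GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    print("consumer secret alone accepted:", consumer_secret_alone_suffices())
```

The check returns `False`: a signature made with only the consumer secret does not verify for a user's token, so the value a desktop client has to protect on disk is the per-user token secret.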
