Quote:
Originally Posted by xyzzy
I have always thought that the POP/IMAP/SMTP protocol does not include any identification about which email client is being used. When I look at the exchange log in my Thunderbird I don't see anything that says "I am Thunderbird". Well at least I didn't notice anything.
|
There is a
optional ID extension to the IMAP protocol. I looked in a imap log file I created using version 68.0 of Thunderbird and it contains:
ID ("name" "Thunderbird" "version" "68.0")
It sent that to the IMAP server to identify what the email client was. However, I don't think that command is needed for OAuth2 support.
IMAP also supports a CAPABILITY command which a client can send to the server to request what capabilities it supports. It returns various keywords. I believe AUTH=XOAUTH2 is used to identify that the IMAP server supports OAuth2. The email client has to send a AUTHENTICATE XOAUTH2 command that contains a OAuth2 token to the server to login to the users account, if the IMAP account is configured to use OAuth2 for authentication.
When you add a email account that uses OAuth2 you get a browser popup that requests you enter your username and password and confirm that you want Thunderbird to be able to access the mailbox. If it succeeds it returns a token, which is saved and used whenever Thunderbird logs you in to that email provider. I assume that if the server is not configured to support Thunderbird, the attempt will fail. If that's true that would prevent any random email client from using OAuth2 with a email provider, they have to get the email provider to register their email client first.
OAuth 2 providers typically issue the developers a identifier for their application and some secret/password. These are used to check if a call was really issued by your application. I'm unsure exactly when they're passed to the server but its over a secure connection.
The POP3 and SMTP protocols use a AUTH, rather than a AUTHENTICATE command. But I suspect they work basically the same way.
https://developers.google.com/gmail/...auth2-protocol ,
https://developer.yahoo.com/oauth2/guide/?guccounter=1 and
https://stackoverflow.com/questions/...onsumer-secret has more details.