OAuth access to IMAP/SMTP in Gmail
Google has long believed that users should be able to export their data and
use it with whichever service they choose. For years, the Gmail service has supported standard
API protocols like POP and IMAP at no extra cost to our users. These efforts are consistent
with our broader
data liberation
efforts.
In addition to making it easier for users to export
their data, we also enable them to authorize third party (non-Google developed) applications
and websites to access their data at Google. One of the more common examples is allowing a
social network to access your address book in order to send invitations to your friends.
While it is possible for a user to authorize this access by disclosing their
Google Account password to the third party app, it is more secure for the app developer to use
the industry standard protocol called
OAuth which enables the user to give
their consent for specific access without sharing their password. Most Google APIs support
this OAuth standard, and starting today it is also available for the IMAP/SMTP feature of
Gmail.
The feature is available in
Google Code Labs and we have provided a site
with
documentation and sample
code. In addition, Google has begun working with other companies like Yahoo and
Mozilla on a formal Internet standard for using OAuth with IMAP/SMTP (learn more at the
OAuth for IMAP mailing
list).
One of the first companies using this feature is
Syphir, in their
SmartPush application for the
iPhone, as shown in the screenshots below. Unlike other push apps, Sypher's SmartPush
application never sees or stores the user’s Gmail password thanks to this new OAuth
support.
We look forward to finalizing an Internet standard for using OAuth with IMAP/SMTP, and
working with IMAP/SMTP mail clients to add that support.
By Eric Sachs, Senior Product
Manager
