Blog
IMAP Gmail support in Scribe
Date: 15/8/2021
Tags: Scribe Google
This is an update on the support for Gmail IMAP connections. I'm sure that if you have tried to connect to Gmail with Scribe you get a warning about the app being "unverified". You can click into the advanced section and bypass that warning to get access. But as of right now that is limited to 100 users (of which 81 have taken advantage of bypassing the warning). So very soon that will not be a valid path to gaining access to Gmail from within Scribe.

So this verification process? What's involved? Well you have to tick certain boxes. Things like having a homepage that meets certain criteria, having a privacy policy that states what you'll do with the user's data. And also using certain "scopes" that Google deem responsible. And that's where the trouble starts. Because Google (more specifically the app verification team) on one hand wants the apps to use fine grained scopes like "https://www.googleapis.com/auth/gmail.modify" but if you actually try and implement that you find that the OAUTH2 process fails with a scope error. If you then revert to using the more broad scope of "https://mail.google.com/" you can create a connection but the app verification team won't accept the app on the basis of the scope being too broad. They then contend that you should re-implement your client using the native Gmail restful API.

The native API? Really... just implement a whole backend to support one company's server? The whole point of IMAP and SMTP is that the client supports ONE protocol used by everyone. This would be a lot of work to support just one service. And even then Google states that you SHOULDN'T do that here: https://developers.google.com/gmail/api/guides. What is one to do?

Well right now. Nothing. Nothing can be done, Google have painted all the email client developers into a corner where there is no way forward. Some mutually exclusive options that don't work for us. What should they do? Probably enable the gmail.modify scope for IMAP and then allow apps to use than and be accepted for verification. Is that going to happen? Probably not. For reasons unknown. Google is now far to large and political to get things like that right.

So at some point Gmail support will just cease to work anymore and there is nothing I can do about it. I'm considering just yanking it out completely. The office 365 support has also been borked for a long time for extremely similar reasons... "use our proprietary API not this well known standard". And beyond Google and Microsoft there aren't any other OAUTH2 services I tried to support. (Am I missing something?)
(1) Comment | Add Comment