Using MPro with Microsoft mail
mark stephens (181) 125 posts |
I have previously been using MPro with a Microsoft email account on IMAP until this week. Microsoft has now switched off basic authentication and now asking for Auth2. Does does anyone have an advice on making MPRO work with this? |
Chris Hughes (2123) 336 posts |
I suspect you will need to talk to Andrew Rawnsley about this one. All the web based Mail programs, like Outlook.com, Yahoo and Google are all moving over to OAuth2. It’s supposedly more secure. OAuth2 I think requires SSL as well. |
mark stephens (181) 125 posts |
Thanks for the suggestion |
Dave Higton (1515) 3534 posts |
Anyone thinking of developing an OAuth2 client might do well to read this which is reference 27 from the Wikipedia page on OAuth |
Rick Murray (539) 13850 posts |
Thank you for confirming what I thought – it’s not so much enhanced security as a way of locking out others (particularly small outfits that simply cannot afford to do this). For the moment, everybody supports IMAP (these days with “insecure application specific passwords”), but the moment that a well defined well supported service as IMAP is dropped is the moment I drop the email provider entirely. I have no intention of using OAUTH2, if it won’t work with a traditional email client … there’s the door. GTFO. |
Chris Mahoney (1684) 2165 posts |
If I understand correctly, I think typically people don’t write their own implementations, but rather pop up a browser window with e.g. the Google login page. They then use one of the browser APIs to grab the resulting token and store it somewhere in the app. I’m not sure how this would work in RISC OS. The login process may require JavaScript, and I have no idea whether Iris has the necessary APIs to integrate this correctly. |
Rick Murray (539) 13850 posts |
How cute. How RISC OS. I’m talking about the word “may”.
No, you request a token. Which Google will give you if it has trust in your site (I don’t think you can just plonk a Sign in with Google bit on your site and it’ll immediately start working) and the user has authorised data to be shared with your site. In the guise of making logins easier, Google has inserted itself between the bit where you provide a password, and the bit where something happens. Hey, hey, the mothership is calling… |
David J. Ruck (33) 1636 posts |
Oauth2 does work in traditional email clients such as Thunderbird, just not RISC OS ones. |
Chris Mahoney (1684) 2165 posts |
You may be right. We use Microsoft’s ‘widget’ at work and we can plonk it anywhere, but there may have been some initial setup/approval that I’m not aware of. Google, on the other hand, could be doing its own thing. Veering towards Aldershot here, but at work we have some data that we share with other companies, including Google. One of these companies asked for a couple of extra fields, which we added to the database. A while later I got an email from someone at Google saying “we’re not sure what we’re supposed to be doing with these new fields”. I found it pretty arrogant for Google to apply its mindset of “there’s data here, so we must grab it and do something with it”. |
Rick Murray (539) 13850 posts |
Clearly not a place to which the GDPR applies… |
Steve Fryatt (216) 2105 posts |
Why not? And, yes, I have read the GDPR and sat through more compliance seminars than are probably good for me. |
Grahame Parish (436) 481 posts |
There’s a big difference between ‘applies’ and ‘applied’ though. |
Chris Mahoney (1684) 2165 posts |
Correct, although I’m not sure whether that’s even relevant in this case (it’s our own data, not customer data). |
Rick Murray (539) 13850 posts |
Well, for one thing over here (France) it has been decided that sharing data with Google is unlawful as it is passing private information on Europeans to a regime hostile to the concept of privacy. So no Google Analytics… Edit: on break now so link: https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply |