OAuth 2.0, G Suite, Microsoft 365 and PHP

FreeScout
May 22, 2020

OAuth 2.0 in G Suite and Microsoft 365

G Suite. Starting February 15, 2021, G Suite accounts will only allow access to apps using OAuth. From June 15, 2020, users who try to connect via a non-OAuth method for the first time will no longer be able to do so. G Suite will enforce OAuth for both the IMAP and SMTP protocols.

Microsoft Office 365 Exchange. On October 13th, 2020, Microsoft will stop supporting Basic Authentication for Exchange Web Services (EWS) to access Exchange Online. Microsoft will enforce OAuth for IMAP, but not for the SMTP protocol (at least for now).

App Passwords and IMAP OAuth

There is a fundamental difference between the G Suite and Microsoft 365 approaches to enforcing OAuth 2.0 for the IMAP protocol.

In G Suite, according to this, App Passwords will continue to work after OAuth 2.0 is enforced (this information is confirmed by G Suite support).

If it stops working when OAuth is enforced, you can switch to using 2-step verification and an Application Specific Password. Actually, you don’t have to wait as 2-step authentication is a lot more secure.

According to Microsoft 365 support, it will be impossible to use App Passwords for IMAP authentication, as Microsoft considers App Passwords to be “basic authentication”, even though they are protected by two-factor authentication.

As we can see, the G Suite approach seems to be a bit wiser than Microsoft’s, as the purpose of App Passwords is to allow authentication for apps that cannot perform 2FA. Usually the apps that cannot perform 2FA cannot perform OAuth either.

IMAP OAuth 2.0 authentication in PHP

Currently there are two main IMAP libraries supporting OAuth 2.0 for PHP:

  • Horde IMAP Client: a pure IMAP library. Well tested, but not very well documented.
  • Zend/Laminas Mail: an IMAP and SMTP library. Does not support searching emails by date, flags, etc.

PHP developers have also announced plans to add OAuth support to the native PHP IMAP extension: https://wiki.php.net/todo/ext/imap/xoauth2. But there is no information on when the PHP IMAP extension may actually receive these updates.
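What OAuth authentication looks like at the IMAP protocol level, as an added example that is not FreeScout's or any library's own code: instead of a password, the client sends a SASL XOAUTH2 response carrying a bearer token. The function names, mailbox and token are assumptions made for illustration, and the inline form assumes the server advertises SASL-IR.

```php
<?php
declare(strict_types=1);

// Added example: SASL XOAUTH2 as used for IMAP. All sample values are constructed.

/** Build the base64 initial client response for AUTHENTICATE XOAUTH2. */
function xoauth2InitialResponse(string $user, string $accessToken): string
{
    // Control characters would let a crafted value break out of the
    // \x01-delimited SASL string or the CRLF-terminated IMAP command.
    foreach ([$user, $accessToken] as $value) {
        if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException('Empty value or control character in credential');
        }
    }
    return base64_encode("user={$user}\x01auth=Bearer {$accessToken}\x01\x01");
}

/** Full IMAP command line, with the initial response sent inline (SASL-IR). */
function xoauth2Command(string $tag, string $user, string $accessToken): string
{
    return sprintf("%s AUTHENTICATE XOAUTH2 %s\r\n", $tag, xoauth2InitialResponse($user, $accessToken));
}

/**
 * On failure the server sends "+ <base64 JSON>" before the tagged NO.
 * Returns the decoded error, or null if the line is not such a challenge.
 * The client must answer the challenge with an empty line ("\r\n").
 */
function parseXoauth2Challenge(string $line): ?array
{
    if (!preg_match('/^\+ ([A-Za-z0-9+\/]+=*)\s*$/', $line, $m)) {
        return null;
    }
    $json = base64_decode($m[1], true);
    $data = $json === false ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Constructed sample mailbox and token (placeholders, not real credentials).
$user  = 'helpdesk@example.com';
$token = 'EXAMPLE-ACCESS-TOKEN';
echo xoauth2Command('A1', $user, $token);

// Constructed failure challenge, as a server might send for a rejected token.
$challenge = '+ ' . base64_encode('{"status":"401","schemes":"bearer","scope":"https://mail.google.com/"}');
$error = parseXoauth2Challenge($challenge);
echo "status={$error['status']} scope={$error['scope']}\n";
```

The access token is a short-lived bearer credential, so it should be kept out of logs just like a password, including its base64 form in protocol traces.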

OAuth 2.0 and FreeScout

Adding OAuth 2.0 IMAP authentication support to FreeScout involves the following complications:

  1. The only suitable IMAP library supporting OAuth 2.0 is Horde IMAP Client, as the Zend/Laminas Mail library does not support searching emails by date, etc.
  2. Adding the Horde IMAP Client library to FreeScout will add around 800 new files/folders to the core and several megabytes to the dist of the app, which in the future may cause problems with updating the app on some hosting providers.
  3. After switching from the Webklex IMAP library to the Horde IMAP Client library, it may take a year to debug and fix all the issues that will arise (encoding issues, extracting attachments, saving email parts, etc.).
  4. PHP developers decided to add OAuth 2.0 support to the PHP IMAP extension: https://wiki.php.net/todo/ext/imap/xoauth2.

Taking all of the above into account, the FreeScout Team would prefer to wait for OAuth 2.0 to be added to the standard PHP IMAP extension, which may take a year or more.

For G Suite users we’ve prepared instructions on how to connect G Suite to FreeScout using App Passwords. All G Suite users should now use App Passwords to connect to FreeScout.

If you are using FreeScout with Microsoft Office 365 Exchange, please go to this issue to discuss how we are going to proceed.
