K-9/Thunderbird mail has OAuth2 by Google Account added in Google Play & F-Droid but not Office365

[Andy Burnelli]

As of July 8th, K-9/Thunderbird is updated to utilize OAuth2 in response to
Google deprecating the normal way to log in using Mozilla mail user agents.

I'm confused... probably because I use Microsoft Office the old way, which
doesn't require any authentication other than the CD Key; but here's what I
know based on re-installing K-9 Mail after what 'Andy Burns' & 'gym' said.

K-9/TB Mail has OAuth2 by Google Account added in Google Play & F-Droid
<https://i.postimg.cc/15XPh8nc/k9mail01.jpg> K-9 Mail with OAuth2
But what does K-0 Mail have to do with Microsoft Accounts & Office365?

On May 30th, 2022, Google deprecated login/password making K-9 mail no
longer work as an "insecure app". Soon thereafter, the Mozilla Thunderbird
team apparently acquired licensing and source and this month the latest K-9
Mail update including one of two kinds of OAUth2 authentication.
*K-9 Mail (future Thunderbird for Android) adds OAuth 2.0 support*
<https://www.ghacks.net/2022/07/08/k-9-mail-future-thunderbird-for-android-adds-oauth-2-0-support/>

The problem with this type of OAuth2 authentication is that it _creates_ a
Google Account on your phone; but considering most people are like sheep
led to slaughter who already have that Google Account set up, it won't make
any difference as far as I can tell (since it will just _use_ what exists).

The reason K-9/TB did not use web OAUth2 authorization (which is what
Thunderbird on Windows uses, for example), is that Google requires an
annual security audit for any developer authorizing that way, and clearly
K-9/Thunderbird didn't pay for that audit (said to be tens of thousands).

Hence, for those who will never have a Google Account on their phone, this
still doesn't solve the privacy problems Google erected on May 30th, 2022;
but for most people who already have a Google Account set up on the phone,
at least they can use K-9/TB mail now without having to set up 2FA/2SV
(AFAIK).

Note that both the F-Droid and Google Play versions of K9/TB are updated to
OAuth2, and that they both say the same thing - which is (verbatim):
"*Added support for using OAuth 2.0 with Google,*
*Yahoo, AOL, and personal Microsoft accounts*
*(Office365 accounts are not supported yet)*"

As shown in this screenshot I just made to help others just now:
<https://i.postimg.cc/15XPh8nc/k9mail01.jpg> K-9 Mail with OAuth2

If someone can explain what K-9 mail has to do with Microsoft Office,
please let me know as that sentence makes no sense to me at the moment.
--
Posted out of the goodness of my heart to disseminate useful information
about K-9/Thunderbird, and to ask what it has to do with Microsoft anyway?

[Andy Burns]

Andy Burnelli wrote:

> But what does K-9 Mail have to do with Microsoft Accounts & Office365?

It's nothing to Microsoft Accounts (for activating or cloud logon to Win10/Win11
machines).

Office365 (now Microsoft365 after it was renamed, but almost nobody calls it
that) provides email in the form of IMAP/SMTP/POP just like gmail does.

A bit early to start calling K9=Thunderbird, just because we know that's what
it'll eventually become?

[Dave Royal]

https://github.com/thundernest/k-9/pull/6094
--
Remove numerics from email address

[Andy Burns]

Dave Royal wrote:

> https://github.com/thundernest/k-9/pull/6094

Is thundernest official mozilla, or some sort of fork like betterbird?

[Dave Royal]

Andy Burns <use...@andyburns.uk> Wrote

> Is thundernest official mozilla, or some sort of fork like betterbird?

Thundernest belongs to Thunderbird.
K9 moved their repo there I assume.
Thunderbird is not Mozilla any more.

[Paul]

https://github.com/thundernest/k-9

Sponsor this project

https://mzla.link/k9-give

https://www.computerworld.com/article/3663452/mozilla-launches-email-for-android-devices.html

"The source code for it was first published 2008, and
MZLA Technologies acquired it and its trademarks, and
it hired the open source project maintainer of K-9 Mail
as a full-time developer to improve the app and to help
gradually transition it to Thunderbird mobile."

It looks like it is orbiting the planet at maximum velocity.
And given a chance, it'll make the Kessel run in 12 parsecs.

Translated to English: "Your pay will be minimum wage and
you will be working out of this cardboard
box in the parking lot."

I'm not detecting a strong "on-site" presence. The project
is likely working out of orbiting cardboard boxes, community
code submissions and so on.

Paul

[Andy Burns]

Dave Royal wrote:

> Thunderbird is not Mozilla any more.

I know they say that, but last time I checked mzla was a wholly owned subsidiary
of mozilla? And the name mzla doesn't appear anywhere in thunderbird itself,
just a buried reference to it on the website.

[Andy Burns]

Paul wrote:

> https://www.computerworld.com/article/3663452/mozilla-launches-email-for-android-devices.html
>
>    "The source code for it was first published 2008, and
>     MZLA Technologies acquired it and its trademarks, and
>     it hired the open source project maintainer of K-9 Mail
>     as a full-time developer to improve the app and to help
>     gradually transition it to Thunderbird mobile."

yes, I do recognise the name "cketti" from the K-9 project

[Ken Blake]

On Thu, 14 Jul 2022 09:42:38 +0100 (GMT+01:00), Dave Royal
<da...@dave123royal.com> wrote:

>Remove numerics from email address

Why do you say that?

[Paul]

To create a working email address.

As soon as a person draws attention to their
email address, that means the email address is "real",
once you "solve the puzzle".

I never draw attention to my email address, because
it is not real. No amount of puzzle solving will make
my correct email address. Placing .invalid on the
end of mine, is an indication there is no such domain.
The .invalid is reserved for "invalidation". Or so
I'm told. Maybe you could find that in an RFC or
something.

https://en.wikipedia.org/wiki/.invalid

"RFC 2606"

Paul

[Joerg Lorenz]

Am 14.07.22 um 20:17 schrieb Paul:

That was once created to avoid spamming but is not necessary nowadays
anymore. Despite being technically correct, in German-speaking NGs it is
considered at least impolite to use the TLD ".invalid". Even worse are
the double or triple invalids. The expression invalid means in German
also handicapped.

Many regulars put these e-mail-addresses immediately in their killfiles.


--
Gutta cavat lapidem (Ovid)

[Andy Burns]

Joerg Lorenz wrote:

> Despite being technically correct

... the *best* type of correct :-)

[Joerg Lorenz]

Am 14.07.22 um 22:45 schrieb Andy Burns:

> Joerg Lorenz wrote:
>
>> Despite being technically correct
>
> ... the *best* type of correct :-)

As I said: *Handicapped*

[Dirk T. Verbeek]

Op 14-07-2022 om 20:17 schreef Paul:

An older RFC proposes @example.com which is a black hole.

[Andy Burns]

Andy Burnelli wrote:

> As of July 8th, K-9/Thunderbird is updated to utilize OAuth2

And the very latest K9 6.201 oAuth2 authenticates Office365 Business accounts,
not just personal ones, it does so without sneakily adding any "accounts" to
android itself, it's all contained within K9

Possibly worth trying K9 to Gmail again?

[Andy Burnelli]

Thanks for that update that K-9 Mail/Thunderbird updated four days ago.
<https://k9mail.app/>
<https://k9mail.app/download>
Added support for using OAuth 2.0 with Office365 accounts (@cketti)
Fixed a bug that could lead to two message lists being displayed on top of each other (@cketti)
Avoid a crash when trying to create new message notifications but the notification sound couldn't be accessed (@cketti)
Fixed a bug where multi-select mode was exited early in some cases (@cketti, @rezazarchi)
Fixed "Select all" visibility in menu when rotating the device (@rezazarchi)
Don't require re-authorization when getting an OAuth token fails due to a temporary error (@cketti)
Updated translations (many volunteers via Transifex)

Here are some related screenshots:
<https://i.postimg.cc/15XPh8nc/k9mail01.jpg> K-9 Mail with OAuth2 6.200
<https://i.postimg.cc/rpWC5zxw/k9mail02.jpg> GPS vs F-Droid K-9 update
<https://i.postimg.cc/Y2XDxnhG/k9mail03.jpg> K-9 Mail version 6.201

I first tried to install the Google Play Store repository version
*Google Play Store* (via the FOSS Aurora Store GPS client)
<https://play.google.com/store/apps/details?id=com.fsck.k9>
Name: com.fsck.k9.apk
Size: 8103422 bytes (7913 KiB)
SHA256: 46F071F989C6A138C2B8835D7FCDFA902AE1697B6B3C1C16581EE34B42E51CC3

But that GPS version wouldn't "update" the existing (probably F-Droid).
<https://i.postimg.cc/rpWC5zxw/k9mail02.jpg> GSP vs F-Droid K9 update

It always confused me which versions update which, where I think if it's an
F-Droid app it can't be updated with a Google Play Store app, but what about
when it's from GitHub or SourceForge? Dunno. Haven't tried them.

*SourceForge*
<https://sourceforge.net/projects/k-9-mail.mirror/>
<https://sourceforge.net/projects/k-9-mail.mirror/files/latest/download>
<https://downloads.sourceforge.net/project/k-9-mail.mirror/6.200/k9-6.200.apk>
<https://master.dl.sourceforge.net/project/k-9-mail.mirror/6.200/k9-6.200.apk>
Name: k9-6.200.apk
Size: 8098357 bytes (7908 KiB)
SHA256: 3D8275705E00C159CD1AE473164B403EDF2A2D24E97D9F34D50FDA0677F8B398

*GitHub*
<https://github.com/thundernest/k-9>
<https://github.com/thundernest/k-9/releases>
<https://github.com/thundernest/k-9/releases/download/6.201/k9-6.201.apk>
Name: k9-6.201.apk
Size: 8103232 bytes (7913 KiB)
SHA256: 53F6678B9CF065B2413A53F70BFBF56E2C9C42454DA1A4F37AEC6AD60AB9D53A

*F-Droid*
<https://f-droid.org/packages/com.fsck.k9/>
<https://f-droid.org/en/packages/com.fsck.k9/>
<https://f-droid.org/repo/com.fsck.k9_32001.apk>
Name: com.fsck.k9_32001.apk
Size: 8102284 bytes (7912 KiB)
SHA256: 53637CC7DCF5B4F16EB167F91797DE06D07E00B30FDDBCAC0AA6CBC79122A42D

Since I'm likely already using an F-Droid K-9/TB, I updated from F-Droid.
It didn't download nor send new mail, so maybe there's something I need to do.
<https://i.postimg.cc/Y2XDxnhG/k9mail03.jpg> K-9 Mail version 6.201

I might have to delete K-9 Mail altogether to test out whether the OAUth2
can be done over the web like Thunderbird on Windows does it.
--
Note I haven't had a Google Account on Android for years, & I'm not rooted.

[Andy Burnelli]

Christian Ketterer (aka cketti) appears to be the main developer...
<https://github.com/thundernest/k-9/releases/tag/6.201>

[Andy Burnelli]

> I might have to delete K-9 Mail altogether to test out whether the OAUth2
> can be done over the web like Thunderbird on Windows does it.

Hi Andy Burns,
You're a genius!

You just solved all the problems Google created on May 30th, 2022!

1. I deleted my K-9 mail app (because it wouldn't re-authorize even
after I updated it to version 6.201 which has the new OAuth2 code).

2. I re-installed that K-9 Mail app and then let it authorize a
Google email account (without having a Google Account on the phone!)

3. That worked!
And it did NOT create a Google Account on the phone!

How the heck did you know that would work given there's _nothing_ I can
find in the high level 6-line release notes that says that the OAuth2
is now being done via web authorization (versus account authorization)?

Here are the related screenshots:

<https://i.postimg.cc/15XPh8nc/k9mail01.jpg> K-9 Mail with OAuth2 6.200
<https://i.postimg.cc/rpWC5zxw/k9mail02.jpg> GPS vs F-Droid K-9 update
<https://i.postimg.cc/Y2XDxnhG/k9mail03.jpg> K-9 Mail version 6.201

<https://i.postimg.cc/5NqnKf9t/k9mail04.jpg> OAuth2 finally uses the web
<https://i.postimg.cc/W4Knq385/k9mail05.jpg> NO Google Account on Android!
--
I'm going to guess that the Thunderbird team paid for the security audit
that the Fair Mail developer said was necessary to authorize OAUth2 over
the web.

[Andy Burns]

Andy Burnelli wrote:

> Since I'm likely already using an F-Droid K-9/TB, I updated from F-Droid.
> It didn't download nor send new mail, so maybe there's something I need to do.
> <https://i.postimg.cc/Y2XDxnhG/k9mail03.jpg> K-9 Mail version 6.201
>
> I might have to delete K-9 Mail altogether to test out whether the OAUth2
> can be done over the web like Thunderbird on Windows does it.

All I did for my existing O365 account within K9 was go into
hamburger/settings/accounts/fetching mail/incoming server for the IMAP server
and swap authentication type from normal to oAuth2.0
that prompted a "web" login to microsoft and grant K9 access to the mailbox

similar under sending mail/outgoing server for the SMTP server

My phone *does* have a mothership login account, but I don't use gmail on the
phone, I did temporarily add gmail within K9 and it worked, was it K9 that you
thought had sneakily created a google account within android, or was that some
other email app?

I can try K9 to gmail on an old phone without a mothership account, just not
right now ...

[Andy Burns]

Andy Burnelli wrote:

> That worked!
> And it did NOT create a Google Account on the phone!

Excellent.

> How the heck did you know that would work given there's _nothing_ I can
> find in the high level 6-line release notes that says that the OAuth2 is now
> being done via web authorization (versus account authorization)?

I just figured that if K9 now has enough code to fully authenticate to O365
without an android account doing the work for it, then why wouldn't it use the
same code to authenticate to gmail?

Just hoping now that the Thunderbirding of K9 doesn't ruin it, signs are good
that it's getting more attention now, presumably cketti is now on mzla payroll
rather than a volunteer?

[Andy Burnelli]

Andy Burns wrote:

>> That worked!
>> And it did NOT create a Google Account on the phone!
>
> Excellent.

We've been searching for a solution since, oh, about early March!
<https://i.postimg.cc/MGfN2Z7r/gmailpasswd01.jpg> Google May 30 nastigram
<https://i.postimg.cc/2yBvxJhJ/gmailpasswd02.jpg> Due to K9-Mail password
<https://i.postimg.cc/432zCNgx/gmailpasswd03.jpg> Win TB is set to OAuth2
<https://i.postimg.cc/MGs3HSyn/gmailpasswd04.jpg> As are some Android MUAs
<https://i.postimg.cc/cL9r9qFW/gmailpasswd05.jpg> Less secure app access
<https://i.postimg.cc/RhHkj4gJ/gmailpasswd06.jpg> TB imap & oauth settings

Thanks! I'll try to leverage this solution to everyone if I can.

<https://i.postimg.cc/15XPh8nc/k9mail01.jpg> K-9 Mail with OAuth2 6.200
<https://i.postimg.cc/rpWC5zxw/k9mail02.jpg> GPS vs F-Droid K-9 update
<https://i.postimg.cc/Y2XDxnhG/k9mail03.jpg> K-9 Mail version 6.201
<https://i.postimg.cc/5NqnKf9t/k9mail04.jpg> OAuth2 finally uses the web
<https://i.postimg.cc/W4Knq385/k9mail05.jpg> NO Google Account on Android!

We should publish articles together, by the way...

>> How the heck did you know that would work given there's _nothing_ I can
>> find in the high level 6-line release notes that says that the OAuth2 is now
>> being done via web authorization (versus account authorization)?
>
> I just figured that if K9 now has enough code to fully authenticate to O365
> without an android account doing the work for it, then why wouldn't it use the
> same code to authenticate to gmail?

Well, the problem that the Fair Mail developer said was needed was the
OAuth2 code had to pass a "security audit" by Google, whereas to work with
Office 365, one would presume that Google wouldn't care about it, perhaps?

Anyway, sometimes intuition serves us well as it did here.
Kudos to you for suggesting that solution.

>
> Just hoping now that the Thunderbirding of K9 doesn't ruin it, signs are good
> that it's getting more attention now, presumably cketti is now on mzla payroll
> rather than a volunteer?

I sent a note today to Jesse who is the original K9 developer as I don't
have any contact information for Christian Ketterer (aka cketti) asking
_how_ they accomplished this wonderful solution.

As far as I know, K-9 Mail is the _only_ 3rd-party Android MUA that can
connect to Google mail servers after May 30th, 2022 without 2FA/2SV.

A remaining question is how much privacy did I just give to Google by
setting this up, as Google knows I'm on a Galaxy A32-5G and I'm sure they
know a few other things just based on what the OAUth2 had to perform.

[Andy Burnelli]

Andy Burns wrote:

> All I did for my existing O365 account within K9 was go into
> hamburger/settings/accounts/fetching mail/incoming server for the IMAP server
> and swap authentication type from normal to oAuth2.0
> that prompted a "web" login to microsoft and grant K9 access to the mailbox
>
> similar under sending mail/outgoing server for the SMTP server

Thanks for letting us know how to told K-9 Mail to start using OAuth2
without creating a mothership tracking account on the phone.

I spent a few minutes looking about in K-9 Mail before deleting it and
starting over, and perhaps I must have missed those options.

As long as you received a "web" login, that's what matters!

>
> My phone *does* have a mothership login account, but I don't use gmail on the
> phone, I did temporarily add gmail within K9 and it worked, was it K9 that you
> thought had sneakily created a google account within android, or was that some
> other email app?

1. Whenever you log into "certain" Google apps, an account is CREATED for
you on your Android phone, whether you like it or not.

2. In my experience, GMail is one of those apps. So is Google Voice. And,
while it changes from year to year, sometimes Google Maps will create the
account the instant you make the mistake of logging into it.

3. Most Google apps do NOT create the mothership tracking account though,
but I don't use them all that much (e.g., I use Ungoogled Chromium instead
of Chrome and I use NewPipe instead of YouTube, etc.).

4. I think the Google Play Store is another app that CREATES a mothership
tracking account; but I don't use it except if I want to update some apps
or if I want to turn on Google Play Protect, since both those actions do
not require a login (but I usually have both those turned off).

Note: The Google Play Store only updates "some" apps; so it's essentially
useless anyway, at least compared to apps that update ALL apps that need
updating.

5. In my tests after receiving the Google nastigram notification in March
of this year that Google was deprecating login/password, I tested Fair Mail
the instant they added OAUth2, which also CREATED a google account on the
phone.

6. As for K-9 Mail, I only knew that someone else said in the Martin
Brinkman blog that K-9 Mail also CREATED the account. I don't think I had
tested it though as I had assumed that information was correct.

>
> I can try K9 to gmail on an old phone without a mothership account, just not
> right now ...

I can confirm that I did not have a mothership tracking account on my
Android 12 phone both before and after I logged in today using K-9 version
6.201 (which I did after I saw your previous message that they fixed the
O365 issue).
--
Posted out of the goodness of my heart to disseminate useful information.

[Andy Burnelli]

Andy Burnelli wrote:

> I sent a note today to Jesse who is the original K9 developer as I don't
> have any contact information for Christian Ketterer (aka cketti) asking
> _how_ they accomplished this wonderful solution.
>
> As far as I know, K-9 Mail is the _only_ 3rd-party Android MUA that can
> connect to Google mail servers after May 30th, 2022 without 2FA/2SV.

UPDATE:

I spoke to the developers today who told me that the K-9 team worked with
the Fair Mail team to add web OAUth2 authorization this week to both!

Details here:
*PSA There are now 3rd-party MUAs to recover from*
*Google May 30th 2022 unilateral loss of privacy*
<https://groups.google.com/g/comp.mobile.android/c/prNMni71S3k>

--
Posted out of the goodness of my heart to disseminate useful information

because I'm a caring kind-hearted person who enjoys helping others.

[Andy Burnelli]

Andy Burns wrote:

> I just figured that if K9 now has enough code to fully authenticate to O365
> without an android account doing the work for it, then why wouldn't it use the
> same code to authenticate to gmail?

Hi Andy,

Since you helped me, I figured I'd supply some details I gleaned today...

I communicated with the Fair Mail developer today and it turns out to be
far too complicated for me to summarize as I didn't understand it all.

Suffice to say there's some kind of anti-competitive limitation of tokens
on the part of Google for OAUth2 authorizations, which _spiked_ appreciably
for K-9 mail and Fair Mail (far more to Fair Mail due to, they think, far
more Google users) which has caused Google to drop the authentication at
the limiting point.

Worse, Fair Mail seems to be gone (at the moment) from Google Play, but you
can still get it from GitHub (which is the best place to get both MUAs).

In addition, there was some mention of Google loosening their onerous terms
of destroying privacy for a minor trade in security in requiring the annual
security audits for web authentication.

Probably the most important information I was given today was that the
developer of Fair Mail received help from the developers of K-9 Mail to
implement the same web OAUth2 libraries that were used for Office 365.

In addition, I was told that the Thunderbird team never approached the K-9
folks about integrating them instead of integrating K-9, which is
surprising as that indicates either that they know something we don't
(e.g., Fair Mail is considered more private than K-9 mail), or they didn't
do an in-depth search of what's out there, or something else altogether
(e.g., friendships among the industry perhaps?). Dunno.

But for sure the Thunderbird team never approached the Fair Mail developer.
--
Posted out of the goodness of my heart to disseminate useful information,
and, as always, to pay back those people most who helped me most, by way of
fair and honest compensation for the volunteer efforts we all invest here.

[gym]

On 7/23/2022 3:28 AM, Andy Burnelli wrote:
> As for K-9 Mail, I only knew that someone else said in the Martin
> Brinkman blog that K-9 Mail also CREATED the account. I don't think I had
> tested it though as I had assumed that information was correct.

It probably was at the time of posting, but you seem to have missed some
more recent replies:

Anonymous said on July 18, 2022 at 4:39 pm
"It’s working fine with non-device accounts...."

Anonymous said on July 18, 2022 at 4:35 pm
"Not only did they add Oath 2 support but they are also the ONLY client
that supports Oath 2 for non-device accounts. i.e. you can have as many
gmail accounts as you want setup on K9 without having to add them to
your android device.
I’ve been looking for this feature for a long time and no other client
ever supported it (apparently a very expensive google audit is necessary
for it). It’s great to have this in K9/Thunderbird (which I’ve been
using for years)."

[He didn't know about Fair Mail]

There is also a newer post, added yesterday, which confirms what you
just discovered.

https://www.ghacks.net/2022/07/08/k-9-mail-future-thunderbird-for-android-adds-oauth-2-0-support/

Also, there is a thread titled "Use browser when adding Google account
on Android One #6167" at https://github.com/thundernest/k-9/issues/6167
where the OP complained that in order to link a Gmail account to K-9,
another Google account had to be created on the phone with all the
consequences that entails and requested a web authorization option.
cketti replied to that thread back on July 15, saying that device
accounts were not created when he added Gmail accounts:

cketti commented Jul 15, 2022
"On my devices K-9 Mail happily adds Gmail accounts that aren't added as
device accounts. Are you saying that's not the case for you?"

https://github.com/thundernest/k-9/issues/6167

There was something about Fair Mail too, but I can't remember where I
saw it.

So the info was out there, just a bit buried. Your recent posts should
go a long way to correcting that and making more readers aware of the
change.

> To be sure, there are a huge number of issues still outstanding (e.g.,
> Google is limiting their token counts to such a low number as to be anti
> competitive, which is affecting Fair Mail far more than K-9 Mail due to the
> huge number of Google email users on Fair Mail compared to K-9 Mail), but
> the PSA here is that Google "apparently" loosened the annual security audit
> requirements for MUA developers so that Android can again authorize Google
> email accounts WITHOUT creating a mothership tracking account on the
> device.

As word gets out, I suspect K-9's popularity may increase. What happens
if Google's token count is exceeded?

[Andy Burns]

Andy Burnelli wrote:

> Suffice to say there's some kind of anti-competitive limitation of tokens
> on the part of Google for OAUth2 authorizations, which _spiked_ appreciably
> for K-9 mail and Fair Mail (far more to Fair Mail due to, they think, far
> more Google users) which has caused Google to drop the authentication at
> the limiting point.

I had a dig around in the K9 source code, particularly what changed to enable
Office365, it's disappointing to see oAuth involves "magic" strings which vary
per provider.

<https://github.com/thundernest/k-9/blob/main/app/k9mail/build.gradle#L79>

[Andy Burnelli]

gym wrote:

> On 7/23/2022 3:28 AM, Andy Burnelli wrote:
>> As for K-9 Mail, I only knew that someone else said in the Martin
>> Brinkman blog that K-9 Mail also CREATED the account. I don't think I had
>> tested it though as I had assumed that information was correct.
>
> It probably was at the time of posting, but you seem to have missed some
> more recent replies:
>
> Anonymous said on July 18, 2022 at 4:39 pm
> "It's working fine with non-device accounts...."

I thank you, gym, for being the first to let the rest of us know the
details of K-9/TB web-OAuth2 implementations, along with Andy Burns who
brought up that even newer K-9/TB Office 365 web-OAUth2 solution.

If we add what Marcel (the Fair Mail developer) told me, now we have (at
least) two solutions to recover from the May 30th 2022 Google deprecation
of login/passwd
a. K-9/TB Mail was the first to build in web-OAuth2 authentication
b. Then Fair Mail added the same web-OAuth2 authentication libraries

> Anonymous said on July 18, 2022 at 4:35 pm
> "Not only did they add Oath 2 support but they are also the ONLY client
> that supports Oath 2 for non-device accounts. i.e. you can have as many
> gmail accounts as you want setup on K9 without having to add them to
> your android device.

That _was_ the case a few days ago, but I have received a communication
from the Fair Mail developer (Marcel) who told me the K-9 developer,.
(likely Christian) shared the web-Oauth2 Office 365 code library with him.

> Anonymous said on July 18, 2022 at 4:35 pm
> "Not only did they add Oath 2 support but they are also the ONLY client
> that supports Oath 2 for non-device accounts. i.e. you can have as many
> gmail accounts as you want setup on K9 without having to add them to
> your android device.

This is interesting as I hadn't thought of those who have multiple Google
email accounts on one Android device who then _also_ have an on-device
Google Account (which I haven't had for years, even as I have _many_ Google
email accounts).

The way I access multiple email accounts on one device is to use separate
MUAs for each - but this feature allows one MUA for all. Nice.

> I've been looking for this feature for a long time and no other client
> ever supported it (apparently a very expensive google audit is necessary
> for it). It's great to have this in K9/Thunderbird (which I've been
> using for years)."

Marcel implied that Google is unfairly limiting his OAUth2 tokens, but that
Google did loosen up the annual audit requirement for the likes of K-9/TB
and Fair Mail. Dunno about any others as I only have innuendo so far on the
audit requirement being loosened up by Google.

Basically Google made a change & told the whole world to "deal with it".
You & Andy & I and all the rest of the others are having to deal with it.

>
> [He didn't know about Fair Mail]
>
> There is also a newer post, added yesterday, which confirms what you
> just discovered.
>
> https://www.ghacks.net/2022/07/08/k-9-mail-future-thunderbird-for-android-adds-oauth-2-0-support/

That links to a section about Fair Mail which probably needs updating:
�<https://www.ghacks.net/2022/05/19/fairemail-developer-calls-it-quits-and-pulls-apps-from-google-play/>

At this point Fair Mail has the same OAUth2 functionality as K9/TB (AFAIK).

> There was something about Fair Mail too, but I can't remember where I
> saw it.

On the XDA site there's a thread about Fair Mail that the developer
(Marcel) is very active in (he posts to it multiple times a day so it's
almost two thousand pages long).

It won't take anyone intelligent but a second to recognize my posts there.

(It will take the iKooks about a thousand more pages though, & then the
iKooks claim they are utter geniuses for figuring it out on their own).

> So the info was out there, just a bit buried. Your recent posts should
> go a long way to correcting that and making more readers aware of the
> change.

I'm just a user who was happy until May 30th, 2022, and then who needed a
solution after May 30th, but which took a LOT of understanding of the
underlying ripple effects (which I hadn't cared about until May 30th).

The the solutions you and Andy posted helped a lot.
In fact, at this point, I can go back to ignoring everything about OAUth2
or 2FA/2SV because only this week the solution for us was built by
Christian (K-9/TB) and Marcel (Fair Mail).

I'm sure other 3rd-party MUAs will follow those two industry leaders.

>> To be sure, there are a huge number of issues still outstanding (e.g.,
>> Google is limiting their token counts to such a low number as to be anti
>> competitive, which is affecting Fair Mail far more than K-9 Mail due to the
>> huge number of Google email users on Fair Mail compared to K-9 Mail), but
>> the PSA here is that Google "apparently" loosened the annual security audit
>> requirements for MUA developers so that Android can again authorize Google
>> email accounts WITHOUT creating a mothership tracking account on the
>> device.
>
> As word gets out, I suspect K-9's popularity may increase.

The stats of K-9-with-Google vs Fair-Mail-with-Google were given in the XDA
thread where I wasn't the only one surprised how few Google users use K-9
mail.

It was also surprising that the Thunderbird team never approached Marcel,
the developer of K-9 Mail (but it's likely for reasons we don't know yet).

What's not all that surprising though is Fair Mail is generally considered
far more privacy oriented than is K-9 Mail, which isn't likely to change
all that much given the Mozilla roots of the Thunderbird team (but you
never know).

> What happens
> if Google's token count is exceeded?

The OAUth2 token request graphs were provided in that XDA Fair Mail thread.

You hit the nail on the head where instead of Google stopping the
individual abuser, Google just stops the MUA from OAUth2 authorization.

If one person abuses their Gmail account by using Fair Mail, then EVERYONE
who uses Fair Mail stops working... is how I understood that discussion.

WTF?
That's just stupid.

Anyone who says Google is smart doesn't know how stupid Google really is.
(Just like Apple.)

More detail is in the XDA thread which I assume you know about.
�<https://forum.xda-developers.com/t/app-5-0-fairemail-fully-featured-open-source-privacy-oriented-email-app.3824168/page-1145>

[Andy Burnelli]

Thanks Andy as kind-hearted purposefully helpful knowledgeable people
like you make Usenet worthwhile to learn from (despite the many trolls).

I don't do coding all that well (since I hate it), so I thank you on behalf
of the rest of us (normal) users for digging into that K-9/TB source code
on web-OAUth2 authentication.

It's clear from the graphs on XDA that Google knows EXACTLY every single
OAuth2 request (there's no distinction, as I understand it, for that
purpose anyway, between web-OAUth2 and on-device-account-OAUth2).

And it's clear that Google is artificially limiting those requests on a
per-app basis, which the app developers feel is patently illegal
anti-competitive behavior.
<https://forum.xda-developers.com/attachments/1658334974924-png.5664479/>

The developer has been posting the graph of the OAuth2 token requests here
<https://forum.xda-developers.com/attachments/1658398120537-png.5665175/>

And here (although I don't know if you need to be logged in to see them).
<https://forum.xda-developers.com/attachments/1658423640813-png.5665525/>

Here's the XDA thread but it grows by _pages_ every single day!
<https://forum.xda-developers.com/t/app-5-0-fairemail-fully-featured-open-source-privacy-oriented-email-app.3824168/page-1144>
<https://forum.xda-developers.com/t/app-5-0-fairemail-fully-featured-open-source-privacy-oriented-email-app.3824168/page-1145>

--
Posted out of the goodness of my heart to disseminate useful information

both for now, and for anyone in the future who finds this thread searching.

[Andy Burnelli]

Andy Burns wrote:

> I had a dig around in the K9 source code, particularly what changed to enable
> Office365, it's disappointing to see oAuth involves "magic" strings which vary
> per provider.
>
> <https://github.com/thundernest/k-9/blob/main/app/k9mail/build.gradle#L79>

Hi Andy,

Thanks for that purposefully helpful data point about the magic strings.

I mentioned that snippet about Google requiring per-provider "magic
strings" to the developer of Fair Mail (Marcel) who replied...

"In fact this goes even further: those magic numbers require
a signed contract with most providers."

[Andy Burns]

Andy Burnelli wrote:

> I mentioned that snippet about Google requiring per-provider "magic
> strings" to the developer of Fair Mail (Marcel) who replied...
> "In fact this goes even further: those magic numbers require  a signed contract
> with most providers."

Imagine if FTP, SMTP, HTTP, TELNET servers required all clients to sign a
contract to connect to their servers? the internet would never have flown.