We reported earlier on hints from Google employee Tim Bray that the company might be working on an integrated password and login solution. We know Bray is working on OAuth and OpenID-related projects, and Google announced in a blog post today that it is adding OAuth 2.0 support for IMAP/SMTP and XMPP. The majority of Google’s APIs already support the OAuth 2.0 authentication standard for sharing your account data with third-party apps, but today’s addition of support for IMAP/SMTP and XMPP opens OAuth 2.0 to third parties accessing services such as Gmail and GTalk.
Today we’re going a step further by adding OAuth 2.0 support for IMAP/SMTP and XMPP. Developers using these protocols can now move to OAuth 2.0, and users will experience the benefits of more secure OAuth 2.0 clients.
According to Ryan Troll of Google’s Application Security Team, clients never ask for a user’s password with the OAuth 2.0 authentication mechanism. He also noted “users have tighter control over what data clients have access to, and clients never see a user’s password, making it much harder for a password to be stolen.”
Google outlined a timeline for support for older authentication standards:
If you’re using these you should move to the new OAuth 2.0 APIs.
- We are deprecating XOAUTH for IMAP/SMTP, as it uses OAuth 1.0a, which was previously deprecated. Gmail will continue to support XOAUTH until OAuth 1.0a is shut down, at which time support will be discontinued.
- We are also deprecating X-GOOGLE-TOKEN and SASL PLAIN for XMPP, as they either accept passwords or rely on the previously deprecated ClientLogin. These mechanisms will continue to be supported until ClientLogin is shut down, at which time support for both will be discontinued.