How To Get Your Gmail Account To Continue Using Oauth2

Protocol
Posts: 351
Joined: Mon Oct 09, 2006 4:12 am

How To Get Your Gmail Account To Continue Using Oauth2

Post by Protocol »

Hi, Jeff.

I hope you don't mind me creating this thread, but there is no dedicated thread for users to reply to regarding your announcement here and at the bottom of my post.

So far, everything is working fine for me, although I only manage two Gmail accounts on two different computers.

Also, I haven't had any more prompts to turn on 2-step verification (2SV). I'll see what happens in mid May. :)

(Screenshot: Multi-factor authentication requirement for Google Cloud)

Gmail/Oauth -- what to do
Jeff
Admin / Developer
Posts: 9428
Joined: Sat Sep 08, 2001 9:46 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Jeff »

Yeah, I'll admit -- I'm not sure what's going on with the whole thing; Oauth2 for Gmail continues to work. I'm thinking of releasing yet another update that reinstates it without needing to use the F8-backdoor, and just rely on the necessary link in the error log (like it already does) for when it does stop working.

But I feel like there are potentially important dates that could still cause the shutdown:
1) The end of the month, May 1
2) The May 13+ date cited in console/2SV (doesn't seem particularly relevant, but who knows)
3) 30 days after the initial deadline, e.g. May 23
4) The end of the month after a 30-day grace period...

After that... :?
Protocol
Posts: 351
Joined: Mon Oct 09, 2006 4:12 am

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Protocol »

I just had to re-authorize my Gmail account.
I hope authorization lasts longer than that in the future.
Jeff
Admin / Developer
Posts: 9428
Joined: Sat Sep 08, 2001 9:46 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Jeff »

I just tested my "personal oauth" and it's the same. I haven't been checking it daily, but my presumption is that it was triggered 7 days after the initial setup (Apr 23). This could be because the new dev account needs time to prove itself, or it could be because the account is unverified.

Just a heads up -- v5.6.3 will be available soon. Like the last update, it will be made available via the early release channel and I'll post a download link here in the forum; then a short turn-around for the official release. Because built-in Oauth is still working, v5.6.3 will reinstate it (but still provide additional info in case of a shutdown); the personal oauth method will still be available. This will be uploaded either tomorrow (Friday) or Monday.
robert2323
Posts: 13
Joined: Fri Jan 11, 2019 8:35 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by robert2323 »

I spent considerable time last week, probably about eight hours total, converting all 43 of my Oauth2 Gmail accounts to your recommended so-called personal Oauth2 accounts. It seemed worth it in order to stick with Pop Peeper. All seemed well until today, when all 43 of these accounts began giving this message:
"Oauth2 error ([invalid_grant] Token has been expired or revoked.) -- There was a problem connecting to the Oauth2 server. Try again later or reset Oauth2 if the problem persists."

I hate to criticize a free product that I have used for many years, but your reasons for having your users go through this mess don't make sense to me. If all this trouble is about saving $700, you should have asked for contributions. That small amount could easily have been raised. I would have gladly paid, and still would. Asking users to downgrade their security to app passwords or to set up these hokey Gmail kludge personal oauth2 accounts is not the way to go. Especially since now we see that they don't even work.

I'm not happy about being a guinea pig on this. Being instructed to create personal Oauth2 accounts, as you instructed, but now finding out that there are problems with that is very troubling. It's usually best not to give out technical advice if you're not sure how it works. Having to reestablish 43 Oauth2 credentials every seven days is a cruel joke. Obviously, I am not going to do so.

At this point I consider Pop Peeper a broken app. What it needs is REAL Oauth2 validation as it did before. Rolling back the clock, as you are attempting to do, or coming up with unworkable kludges, is a great way to make people want to dump Pop Peeper for, say, Microsoft Outlook.

I'm sure there is more to the story that I don't know about, such as how hard you work to keep Pop Peeper. I'm sure you do. I appreciate the time you must spend on this. But from a user's point of view, especially one who is security-conscious, your decision not to find a way to keep Oauth2 in your product was wrong. Yes, I read your reasons carefully, but they don't make sense. Driving a stake through the heart of your product in order to save $700 makes no sense.
Protocol
Posts: 351
Joined: Mon Oct 09, 2006 4:12 am

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Protocol »

robert2323 wrote: Fri May 02, 2025 12:49 am I hate to criticize a free product that I have used for many years, but your reasons for having your users go through this mess don't make sense to me. If all this trouble is about saving $700, you should have asked for contributions. That small amount could easily have been raised. I would have gladly paid, and still would. Asking users to downgrade their security to app passwords or to setup these hokey Gmail kludge personal oauth2 accounts is not the way to go. Especially since now we see that they don't even work.

Driving a stake through the heart of your product in order to save $700 makes no sense.
Is it only $700.00?
If that's the case, I will help with that too.
Jeff
Admin / Developer
Posts: 9428
Joined: Sat Sep 08, 2001 9:46 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Jeff »

Perhaps I didn't make it very clear in the original announcement, so here are some recaps:
- It's an annual review (i.e. $720+ every year)
- Based on my experience from last year, the review process alone takes a lot of my time
- It's a significant amount of stress (but considering the last several months, that's a wash)
- Most importantly, I don't think it will continue to be $720/year and it will be at least $2700/year (the $720/year is a promotion and $2700 is the regular price, which is still cheaper compared to other businesses offering the same service)

I spent considerable time last week, probably about eight hours total
Sorry about that, but I have no idea why it took that long. Hopefully the initial setup only took the 10 minutes I estimated, and so the other time is presumably having to re-authenticate the accounts with the new Oauth2 setup. If the instructions were unclear, I'm obviously willing to update them (if it's still necessary).

Having to reestablish 43 Oauth2 credentials every seven days is a cruel joke
That's still to be determined. I will say that in my experience, it only takes a few mindless clicks to re-authenticate, which is just a matter of allowing my web browser to save cookies and passwords. But I can appreciate that having to do that for 43 accounts -- especially at the same time -- would be exasperating.
It's usually best not to give out technical advice if you're not sure how it works.
I do truly apologize for that, but allowing this "kludge" was obviously not the original solution. It was added at the last minute because I found that people were not liking the need to enable 2FA (which I still believe is an unnecessary restriction to using app-passwords) and so I looked for another alternative.
I hate to criticize a free product that I have used for many years
And therein lies a major problem. Google has now made it wholly impractical to provide not just a free email client, but even an OTP email client.

I haven't completely given up on the idea of paying Google's fees. The good news is that the standard Oauth2 *does* continue to work, and I'll be pre-releasing v5.6.3 soon to make it easier (i.e. not disabling Oauth2). In hindsight, I wish I had taken this approach in the first place, but I fully expected it to be shut down. My dev account no longer shows a date like it did before, it says it's verified, and that's all I can tell you.

So give me your thoughts. For the sake of discussion, would changing POP Peeper to a subscription-only service have been any less offensive to you than doing what I did and trying to keep it free?

And, while I can accept constructive criticism, I've been under more stress than you can imagine because of this, so please keep that in mind.
robert2323
Posts: 13
Joined: Fri Jan 11, 2019 8:35 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by robert2323 »

Jeff, thanks for your response.

Thanks for clarifying that the costs would be higher than $700 per year. Nevertheless, I'm a firm believer that any email client must have Oauth2. Using App Passwords is simply too risky especially with Gmail accounts that are the lifeblood of many important Android devices. One is opening himself to too many risks by doing so. It would be different if Pop Peeper were open source, but it's not. Thus nothing is stopping Pop Peeper from copying the app password for nefarious purposes. Not that that would ever be intentional, of course, but it could happen by accident or by a malicious virus. Or simply a programming error. Asking Pop Peeper users to downgrade to such a method is dangerous. Any security conscious individual should want the security of the software he uses built into its technology (Oauth2), not built into one's trust in the software or its software developer.

There is no doubt that the Oauth2 workaround you suggested is unworkable because of its seven-day limit. You can search the Internet and find this verified. I did yesterday.

The reason it took me so long to change all my Gmail accounts to your suggested personal Oauth2 method is that other than a few of my main Gmail accounts, which are always logged into Chrome, the 40 or so other less-used Gmail accounts are not typically logged in. All have complicated passwords controlled by KeePass and all have 2FA. So I had to bring up a Chrome guest window and log into each of these one-by-one via the Chrome web browser, mess with the Google account settings, and go through Oauth2 procedures. And also a lot of associated time overhead. Lots and lots of wasted time on this.
mjs
Moderator
Posts: 2268
Joined: Sun Jul 17, 2011 2:36 am

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by mjs »

I've been indisposed (noted that my last forum login was exactly one month ago today, April 3) - and have only recently (just the past few days) monitored some of what's been going on with Gmail. With that in mind (just to add my 2-cents to the conversation, FWIW), I can report that it would appear I haven't personally had any errors of any kind in POP Peeper for any of my 26 Gmail accounts for at least the past month (assuming that if I had, I'd have observed errors over the past few days that would have occurred previously considering the errors of this type would presumably remain persistent, i.e. not self-clear).

Of my 26 Gmail accounts in POP Peeper (v5.6.1 up until this morning); 11 have been using app-passwords, the remaining 15 have been using Oauth2 the entire time over the past 4 weeks plus. And I do not have any of these accounts "open" (logged-in) in any other apps of any kind.

So it would appear that my experience does not reflect any issues involving the need to be resetting POP Peeper Gmail account authorizations for an extended period of time (using both app-passwords and Oauth2) apparently well beyond a stated 7 day period of time (referenced below).

I'm not going to presume to address your situation directly in regards to the need to be resetting your Gmail accounts, but considering that I've had zero Gmail issues for apparently over a month - could you please provide a source (i.e. recent link on this point you've posted below):
robert2323 wrote: Fri May 02, 2025 10:27 pm There is no doubt that the Oauth2 workaround you suggested is unworkable because of its seven-day limit. You can search the Internet and find this verified. I did yesterday.
The only thing I've found is this: https://stackoverflow.com/questions/738 ... count-only - that is significantly dated back nearly 3 years. It would seem that a "seven-day" limit would not make sense (to me anyway) - of which perhaps Jeff will comment on.

In regards to the website linked above - scrolling down a bit to where "Publishing Status" is referenced - there is the comment quote: "Just set your app to production, your refresh tokens will stop expiring." to address the topic discussed (i.e. in regards to the Google "access token authorization").

My technical knowledge is very limited in regards to any of this including obtaining OAuth 2.0 credentials from Google and OAuth2 Application Rate Limits etc., but considering I've not had any POP Peeper Gmail issues for quite some time - I'm just curious about this concern expressed regarding Oauth2 (7-day) "limits" - when from my perspective (as mentioned) - I've personally had ongoing zero errors for all of my 26 POP Peeper Gmail accounts extending back minimally over a period of 4 weeks now.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Jeff
Admin / Developer
Posts: 9428
Joined: Sat Sep 08, 2001 9:46 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Jeff »

"A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days" -- source

So that does seem to be the case.

I'm currently running a new test by toggling the "in production" status. The topic that mjs linked to suggested this has mixed results; however, one possible reason for it not working is if there are over 100 users. I'll reply with results.


As has been mentioned, you can go back to using the built-in Oauth2 method, as it's still working. FWIW, the Google console says, "this app has been verified." I'm not going to push my luck by asking Google what that means (and.... other reasons for which I'm also not going to push my luck on). You can remove the "Oauth2" values in the Options; of course you'll obviously have to re-consent those accounts.
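The two facts in this post drive what a mail client has to do at token-refresh time: a refresh token issued under a "Testing" consent screen dies after 7 days, and when it dies the token endpoint answers `invalid_grant` (the "Token has been expired or revoked." error robert2323 quoted). The example below is an added illustration, not POP Peeper's code or anything Google publishes; it classifies token-endpoint replies into "retry", "re-consent" and "fix the registration", and predicts the re-consent date for a Testing-status project. The sample responses are constructed, the Apr 23 issue date is Jeff's from earlier in the thread, and the `https://mail.google.com/` scope is assumed to be the IMAP/POP scope Jeff refers to (he does not name it).

```python
"""Classify Google OAuth2 token-endpoint replies and predict Testing-status expiry.

Added example, not POP Peeper's code. Assumptions are marked inline.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Documented lifetime of a refresh token under an external "Testing" consent
# screen (quoted from Google's docs in this thread).
TESTING_REFRESH_TOKEN_LIFETIME = timedelta(days=7)

# Scopes exempt from that 7-day rule, per the same quoted passage.
BASIC_IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


class Outcome(Enum):
    OK = "access token refreshed"
    RETRY_LATER = "transient failure; keep the refresh token and retry"
    RECONSENT = "refresh token invalid; user must authorize again"
    MISCONFIGURED = "client id/secret rejected; fix the app registration"


@dataclass(frozen=True)
class TokenResponse:
    status: int   # HTTP status code from the token endpoint
    body: str     # raw response body


def classify(resp: TokenResponse) -> tuple[Outcome, str]:
    """Map a token-endpoint response to the action a client should take.

    The important distinction is between a transient failure (keep the stored
    refresh token, try again) and invalid_grant (the token is gone for good;
    only a fresh user consent fixes it).
    """
    if resp.status == 429 or 500 <= resp.status < 600:
        return Outcome.RETRY_LATER, f"HTTP {resp.status}"
    try:
        payload = json.loads(resp.body)
    except json.JSONDecodeError:
        # A garbled body is not evidence the token is bad; do not discard it.
        return Outcome.RETRY_LATER, "unparseable body"
    if resp.status == 200 and "access_token" in payload:
        return Outcome.OK, f"expires_in={payload.get('expires_in')}"
    error = payload.get("error", "")
    detail = f"[{error}] {payload.get('error_description', '')}".strip()
    if error == "invalid_grant":
        return Outcome.RECONSENT, detail
    if error in ("invalid_client", "unauthorized_client"):
        return Outcome.MISCONFIGURED, detail
    return Outcome.RETRY_LATER, detail


def refresh_token_expiry(issued_at: datetime, publishing_status: str,
                         scopes: list[str]) -> datetime | None:
    """Expected expiry of a refresh token, or None when no scheduled expiry applies.

    Only "Testing" status carries the documented 7-day limit, and only when the
    app asks for more than the basic identity scopes. A mail client always does:
    the IMAP/POP scope (assumed here to be https://mail.google.com/) is not one.
    """
    if publishing_status.lower() != "testing":
        return None
    if set(scopes) <= BASIC_IDENTITY_SCOPES:
        return None
    return issued_at + TESTING_REFRESH_TOKEN_LIFETIME


def days_until_reconsent(issued_at: datetime, publishing_status: str,
                         scopes: list[str], now: datetime) -> int | None:
    """Whole days before the user will be prompted again; None if not scheduled."""
    expiry = refresh_token_expiry(issued_at, publishing_status, scopes)
    if expiry is None:
        return None
    return max(0, (expiry - now).days)


# Constructed sample replies (shape follows the OAuth2 token endpoint; values are made up).
SAMPLE_RESPONSES = {
    "expired": TokenResponse(400, '{"error":"invalid_grant","error_description":"Token has been expired or revoked."}'),
    "ok": TokenResponse(200, '{"access_token":"ya29.constructed","expires_in":3599,"token_type":"Bearer"}'),
    "outage": TokenResponse(503, "Service Unavailable"),
    "bad_client": TokenResponse(401, '{"error":"invalid_client","error_description":"The OAuth client was not found."}'),
}

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        outcome, detail = classify(resp)
        print(f"{name:10s} -> {outcome.name:13s} {detail}")
    issued = datetime(2025, 4, 23, tzinfo=timezone.utc)   # Jeff's initial setup date
    mail_scope = ["https://mail.google.com/"]              # assumed IMAP/POP scope
    print("Testing expiry:", refresh_token_expiry(issued, "Testing", mail_scope))
    print("Production expiry:", refresh_token_expiry(issued, "In production", mail_scope))
```

Run as a script it prints one line per sample reply and the predicted expiry for both publishing statuses: Apr 23 plus 7 days lands on Apr 30, which is the day Protocol reported having to re-authorize. The design point is that `invalid_grant` is the only reply that should make a client throw away its stored refresh token; treating a 5xx or a malformed body the same way would force needless re-consent.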
Protocol
Posts: 351
Joined: Mon Oct 09, 2006 4:12 am

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Protocol »

Jeff wrote: Mon May 05, 2025 2:55 pm "A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days" -- source

So that does seem to be the case.
What does the "Unless" part mean?
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days, unless the only OAuth scopes requested are a subset of name, email address, and user profile (through the userinfo.email, userinfo.profile, openid scopes, or their OpenID Connect equivalents).
Do we only have a limit of 100?
There is currently a limit of 100 refresh tokens per Google Account per OAuth 2.0 client ID. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without warning.
Jeff
Admin / Developer
Posts: 9428
Joined: Sat Sep 08, 2001 9:46 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Jeff »

Google (not just Gmail) has hundreds or thousands of scopes, all requesting different things. For an IMAP/POP3 client, there is just one scope that's relevant, and it's not one of those.
Protocol wrote: Mon May 05, 2025 9:34 pm There is currently a limit of 100 refresh tokens per Google Account per OAuth 2.0 client ID
I believe what that's saying is that you could potentially have 100 different apps using Oauth2 on one account. If you exceed 100 tokens (apps), the oldest token would get removed and whatever app using that token would be affected. Wait.... it does stipulate "per client id" -- so, that suggests that you could have (for example) up to 100 instances of POP Peeper all checking the same account. I don't think that affects most normies.
Jeff
Admin / Developer
Posts: 9428
Joined: Sat Sep 08, 2001 9:46 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Jeff »

It has been 8 days since I switched to "in production" on my test configuration. The one account that I re-oauth'd immediately after changing to production still works with no additional need to re-oauth. The other account did subsequently need to be re-oauth'd; this is not surprising considering it was last re-oauth'd when it was still in the "testing" phase which required re-oauth every 7 days. Unlike when I re-oauth'd the first account immediately after switching to production, the 2nd account did get a new page saying "google hasn't verified this app"; but I was able to continue as normal by pressing "advanced" and then "continue to pop peeper".

While this is still preliminary, it is a good sign if you switched to the personal Oauth2 method.
Protocol
Posts: 351
Joined: Mon Oct 09, 2006 4:12 am

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Protocol »

Protocol wrote: Wed Apr 30, 2025 8:51 pm I just had to re-authorize my Gmail account.
I hope authorization lasts longer than that in the future.
It's been about 13 days, and I haven't had to re-authorize since then.
I haven't changed anything since I first set it up.

Jeff, I don't know what you mean by "in production", but I went to Google Cloud Console, and I've been blocked and prompted to turn on 2SV. I don't really need to get back in there if everything keeps working.

Jeff
Admin / Developer
Posts: 9428
Joined: Sat Sep 08, 2001 9:46 pm

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Jeff »

"in production" is under "Oauth consent screen" / Audience. It's the publishing status and can be toggled between testing and in production. Based on what I had read, they won't require you to go through the review until you reach 100 users.

If yours still works, that's great! I assume you had not changed yours to "in production"?

And, yes, my test account now has the 'google cloud access blocked' as well since I was testing the lack of 2SV on that account. The only/main reason I can think of that you may need to access the console is if you create a new gmail account you want to access. But you could theoretically enable 2SV temporarily, do your business, then disable 2SV again.

Notice the date was originally "May 13" (as evidenced by your screenshot in the first post), now it says "Effective May 8"... :-=
Protocol
Posts: 351
Joined: Mon Oct 09, 2006 4:12 am

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Protocol »

Jeff wrote: Wed May 14, 2025 1:40 pm If yours still works, that's great! I assume you had not changed yours to "in production"?

Notice the date was originally "May 13" (as evidenced by your screenshot in the first post), now it says "Effective May 8"... :-=
No, I haven't changed it to "in production".

I actually didn't notice that they changed the date. :-|
Protocol
Posts: 351
Joined: Mon Oct 09, 2006 4:12 am

Re: How To Get Your Gmail Account To Continue Using Oauth2

Post by Protocol »

I still have to keep re-authorizing one of my Gmail accounts.
I might have a look at switching to "in production" tomorrow.