Re: gmail+imap+smtp (oauth2)

[Tomas Hlavaty]

On Tue 10 May 2022 at 17:51, Tim Cross <theophilusx@gmail.com> wrote:
> Tomas Hlavaty <tom@logand.com> writes:
>> When a school/university demands gmail account
>> and google locks me out of my gmail account,
>> what happens?
>
> When a school/university makes a decision to use Google as their email
> provider, it isn't 'normal' google - it is your school/university's
> email, essentially hosted by google. As such, your institution controls
> access, not google. Google just provides the service to your
> school/university. Often, the setup involves integration with your
> school/university IAM system i.e. your 'identity' (your username) is
> managed by the school/university. This integration makes it easier for
> existing school/university workflows to continue i.e. onboarding of new
> students/staff, removal of accounts when students/staff leave etc. It
> also makes integration with other services, such as on-line LMS (Moodle,
> Blackboard etc) easier as there is just one 'meta directory' of all
> accounts. This is where oauth2 shows its strengths. Your institituion
> essentially becomes a identity provider which Google trusts. When you
> request authorisation credentials, they are provided by your
> institutions IAM system. Your client then submits those authorisation
> credentials to get an access token from Google which you then submit to
> the Google service you want to access (i.e. email).

thank you for the explanation

who is in charge of giving out oauth2 client_id?
does it mean that the university gives out client_id?

is it still google who gives out application id
(the google specific and required additional parameter for the oauth2 client?)

> So, if your locked out, it is because your institution has decided to
> lock you out, not google.

that's good to know