Re: gmail+imap+smtp (oauth2)

[Tomas Hlavaty]

On Sat 07 May 2022 at 04:55, Tim Cross <theophilusx@gmail.com> wrote:
> No, the University has considerable say. Typically, it has control over

how does one obtain the client_id?
from the university?

> Putting aside that applicaiton ID and client ID are not the same thing,
> not the bit

they seem to be instances of the same concept, whitelist items
one whitelist item for the university controlled whitelist
one whitelist item for google controlled whitelist

> I disagree. The spec is open and anyone can implmeent it in any
> language

that is true but not very useful due to the whitelists

>> one of the features seems to be that there is a (usually extra) party with 
>> special role
>> having absolute authority about who to let through the gate
>
> How is that any different to any other service (including SMTP).

traditionally, there used to be two actors involved in client-server
protocols like smtp and there were no whitelists

oauth2 involves more actors and whitelist(s)

> Even if you had a fully open source oauth2 implementaiton, there will
> still be a party (resource owner) who controls access and
> approves/rejects requests for access.

so far people could use whatever smtp client they chose
without having to whitelist it
(it was even possible to manually enter commands)

with oauth2, people cannot use whatever smtp client they choose;
that's why this thread exists