Pegasus Mail Logo


Update, June 2022  We have submitted Pegasus Mail to Google for validation, and assuming they approve it, we will release a v4.81 release with the code for OAUTH2 support the moment the approval is out (it's basically ready to go).

Addendum, June 16: Google have responded to our submission with a long list of requirements, including considerable refactoring to this web site. We are attempting to comply with their demands, but cannot offer any further estimate of whether our application will be accepted, or how long it might take.

Update, May 2022  We have been alerted to another section in the GMail OAUTH2 terms and conditions that appears to suggest that Pegasus Mail should be exempt from their "security assessment" requirement because it uses only local storage of restricted scope data.

Unfortunately, Google's documentation is extremely ambiguous, and they do not provide any contact information of any kind for real people who could offer correct interpretations of the requirements. We are going back to the publication process to re-examine proceeding with the approval process for Pegasus Mail, and although we are not at this stage certain whether it will be possible, we will do our best to find a way to get this process completed.

(Our thanks to Hector Martin for his assistance with this issue)

May 2022 — OAUTH2 support for GMail  At the end of May 2022, GMail (Google Mail) will require all users to switch to an authentication process called OAUTH2.

We have now completed the code and interface required to support OAUTH2 for GMail in Pegasus Mail, and have put it through extensive active testing. The final step in the process was to click the 'Publish App' button in the Google console where I set up the parameters for the Pegasus Mail OAUTH2 code, which submits the application for Google's approval to access live data for all GMail users: I have just done that, and wish I had not.

'Publishing the app' in Google terms requires a quite astonishing number of steps, including even having to prepare a Youtube video showing my code in action. All that would have been manageable, if excessively demanding, but then you come to the final paragraph, which I will quote here verbatim:

"Every app that requests access to restricted scope Google user´s data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors. This assessment helps keep Google users´ data safe by verifying that all apps that access Google user data demonstrate capability in handling data securely and deleting user data upon user request. In order to maintain access to restricted scopes, the app will need to undergo this security assessment on an annual basis, this process is called the security reassessment, also known as annual recertification. The cost of the assessment typically varies between $10,000 -$75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer. We expect that fees will include a remediation assessment if needed."

Regrettably, these kinds of fees are far beyond what I can afford, given that I rely on donations from my users to make ends meet: even the $4,500 fee is well beyond what I could find on an annual basis. Google do not mention these fees anywhere else I have seen during the development process - only when you move to the publication stage do they appear — they are a kind of "sting in the tail", as it were.

So, having spent hundreds of frustrating hours developing a working OAUTH2 solution for GMail, I am defeated at the final hurdle. Google's demands mean that I am simply not going to be able to support GMail past May 31st, however much it hurts me to feel that I am letting my users down.

My deepest apologies to you all.

[ Page modified 9 May 2022 | Content © David Harris  ]