Update, August 2022

After a difficult and mostly pretty horrible two-month process, Google have now approved Pegasus Mail to use OAUTH2 for accessing GMail.

BUT (you knew there was going to be a "but", didn't you)... In the time we have been waiting for the approval to complete, they have changed their own rules (by deciding that they will no longer accept the redirect method we were previously successfully using), and as a result, our OAUTH2 module no longer works.

The solution involves — and I'm not joking here — writing our own web server, and starting it up to receive the token from Google when you authorize Pegasus Mail to access your account. Fortunately, I have written web servers before, so this process is not as serious a problem as it might have been, but the simple fact that I should need to do it at all indicates just how ridiculous this whole 'OAUTH2 migration' has become.

I am now well into the process of completing a small web server I can include in Pegasus Mail to accommodate Google. It should require no configuration or setup, and Pegasus Mail users should not even know it's there, doing its work in the background. I hope to have the amended module in testing around the middle of August, and if all goes well, should have Pegasus Mail v4.81 with full GMail OAUTH2 support ready a short time after that.
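The mechanism described above, as an added illustration that is not Pegasus Mail's code (Pegasus Mail is a native Windows program; this is a stand-alone Python sketch). Two technical points the paragraphs leave implicit: first, the page does not name the redirect method Google withdrew, but for installed applications it was most likely the out-of-band (OOB) "copy this code into the app" redirect, which Google deprecated during 2022 in favour of a loopback redirect URI (RFC 8252 section 7.3); second, what the embedded web server receives is not the token itself but a short-lived authorization code, which the client then exchanges at Google's token endpoint together with its PKCE verifier. The example below binds a one-shot listener on 127.0.0.1, builds the authorization URL with PKCE and a random `state`, and accepts exactly one redirect, rejecting any whose `state` does not match. The client id, scope, and the `code` value in the simulated redirect are constructed placeholders, and the final code-for-token exchange is deliberately left out because it needs network access and a real client registration.

```python
import base64
import hashlib
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Google's documented authorization endpoint; nothing is sent to it in this example.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def pkce_challenge(verifier):
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce():
    """Fresh (code_verifier, code_challenge); the verifier never leaves the client."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_auth_url(client_id, redirect_uri, scope, state, code_challenge):
    """URL the client opens in the user's browser; `state` ties the redirect to this run."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": scope, "state": state, "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",  # ask for a refresh token so the user is not re-prompted
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(path, expected_state):
    """Return the authorization code carried by a redirect request path, or raise ValueError.

    The `state` check rejects redirects this client did not initiate (CSRF / code injection).
    """
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: redirect was not initiated by this client")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


class LoopbackReceiver:
    """One-shot HTTP listener on 127.0.0.1 that accepts exactly one redirect."""

    def __init__(self, expected_state):
        self.code, self.error = None, None
        self._done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                try:
                    receiver.code = parse_redirect(self.path, expected_state)
                    status, body = 200, b"Authorization received; you may close this window."
                except ValueError as exc:
                    receiver.error = str(exc)
                    status, body = 400, b"Authorization failed."
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                receiver._done.set()

            def log_message(self, *args):  # keep the example quiet
                pass

        # Port 0 lets the OS pick a free port; Google permits any port on a loopback
        # redirect URI registered for an installed app, so nothing needs configuring.
        self._server = HTTPServer(("127.0.0.1", 0), Handler)

    @property
    def redirect_uri(self):
        return "http://127.0.0.1:%d" % self._server.server_address[1]

    def wait_for_code(self, timeout=120):
        """Serve until one redirect arrives (or `timeout` seconds pass), then shut down."""
        threading.Thread(target=self._server.serve_forever, daemon=True).start()
        try:
            if not self._done.wait(timeout):
                raise TimeoutError("no redirect received on " + self.redirect_uri)
        finally:
            self._server.shutdown()
            self._server.server_close()
        if self.error:
            raise ValueError(self.error)
        return self.code


def simulated_flow(redirect_state=None):
    """Exercise the receiver with a constructed redirect; no request reaches Google.

    A helper thread plays the browser Google would redirect. Returns
    (code, code_verifier, auth_url); code and verifier are what a real client
    would next POST to the token endpoint.
    """
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce()
    receiver = LoopbackReceiver(state)
    auth_url = build_auth_url("example-client-id", receiver.redirect_uri,
                              "https://mail.google.com/", state, challenge)
    fake_redirect = receiver.redirect_uri + "/?" + urllib.parse.urlencode(
        {"state": state if redirect_state is None else redirect_state, "code": "4/constructed-code"})

    def browser():
        try:
            urllib.request.urlopen(fake_redirect).read()
        except urllib.error.HTTPError:
            pass  # the receiver answers 400 when it rejects the redirect

    threading.Thread(target=browser, daemon=True).start()
    return receiver.wait_for_code(timeout=10), verifier, auth_url
```

Running `simulated_flow()` shows the whole local half of the exchange without touching Google; passing a wrong `redirect_state` shows the listener refusing a redirect it did not initiate. In a real client the listener is started before the browser is opened, the redirect URI it reports is the one placed in the authorization URL, and the listener is torn down as soon as one redirect has been handled so that no other local process can feed it a code later.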

Thank you for sticking with me through this entire, arduous business.

Update, June 2022

We have submitted Pegasus Mail to Google for validation, and assuming they approve it, we will release a v4.81 release with the code for OAUTH2 support the moment the approval is out (it's basically ready to go).

Addendum, June 16: Google have responded to our submission with a long list of requirements, including considerable refactoring to this web site. We are attempting to comply with their demands, but cannot offer any further estimate of whether our application will be accepted, or how long it might take.

Update, May 2022

We have been alerted to another section in the GMail OAUTH2 terms and conditions that appears to suggest that Pegasus Mail should be exempt from their "security assessment" requirement because it uses only local storage of restricted scope data.

Unfortunately, Google's documentation is extremely ambiguous, and they do not provide any contact information of any kind for real people who could offer correct interpretations of the requirements. We are going back to the publication process to re-examine proceeding with the approval process for Pegasus Mail, and although we are not at this stage certain whether it will be possible, we will do our best to find a way to get this process completed.

(Our thanks to Hector Martin for his assistance with this issue)

May 2022 — OAUTH2 support for GMail

At the end of May 2022, GMail (Google Mail) will require all users to switch to an authentication process called OAUTH2.

We have now completed the code and interface required to support OAUTH2 for GMail in Pegasus Mail, and have put it through extensive active testing. The final step in the process was to click the 'Publish App' button in the Google console where I set up the parameters for the Pegasus Mail OAUTH2 code, which submits the application for Google's approval to access live data for all GMail users: I have just done that, and wish I had not.

'Publishing the app' in Google terms requires a quite astonishing number of steps, including even having to prepare a Youtube video showing my code in action. All that would have been manageable, if excessively demanding, but then you come to the final paragraph, which I will quote here verbatim:

"Every app that requests access to restricted scope Google user's data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors. This assessment helps keep Google users' data safe by verifying that all apps that access Google user data demonstrate capability in handling data securely and deleting user data upon user request. In order to maintain access to restricted scopes, the app will need to undergo this security assessment on an annual basis, this process is called the security reassessment, also known as annual recertification. The cost of the assessment typically varies between $10,000 - $75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer. We expect that fees will include a remediation assessment if needed."

Regrettably, these kinds of fees are far beyond what I can afford, given that I rely on donations from my users to make ends meet: even the $4,500 fee is well beyond what I could find on an annual basis. Google do not mention these fees anywhere else I have seen during the development process - only when you move to the publication stage do they appear — they are a kind of "sting in the tail", as it were.

So, having spent hundreds of frustrating hours developing a working OAUTH2 solution for GMail, I am defeated at the final hurdle. Google's demands mean that I am simply not going to be able to support GMail past May 31st, however much it hurts me to feel that I am letting my users down.

My deepest apologies to you all.

[ Page modified 9 May 2022 | Content © David Harris  ]