Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:107951
Return-Path: <bishop.bettini@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 16372 invoked from network); 27 Dec 2019 19:16:34 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 27 Dec 2019 19:16:34 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 428581805EC
	for <internals@lists.php.net>; Fri, 27 Dec 2019 09:18:59 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: *
X-Spam-Status: No, score=1.3 required=5.0 tests=BAYES_50,
	FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,
	HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <bishop.bettini@gmail.com>
Received: from mail-qv1-f44.google.com (mail-qv1-f44.google.com [209.85.219.44])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 27 Dec 2019 09:18:55 -0800 (PST)
Received: by mail-qv1-f44.google.com with SMTP id t6so10265458qvs.5
        for <internals@lists.php.net>; Fri, 27 Dec 2019 09:18:55 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:reply-to
         :from:date:message-id:subject:to:cc;
        bh=J7Dm7x4aOA0gd2EpI6xuQOxpJDG5wYp5JnBx2x5wYJ8=;
        b=jEoX0qW6tu5KRNkfIYxvl0jLV9Zldny+MJNXy3e/XuJwS8zeMP+dFI6mTLw/1VlAiX
         OKzelxRV+grn3QAVDotyyuJRMwSWKxzaeKB2nLb340WiVfbHNLK2G67CudZi2DnbMlG8
         z0Hl8h8GnoV6zCEkpns++ScyauJgrcsNjb7SfyvZz/rmIDvvI4B0lmnHg0vLWDUkT/L9
         Z0wG2Yv4GOYMbIvQSHf6FKk/v7HC8/VdDvq5tPT1QkNxf2ElySxk2ONozHMi7cPIpwQm
         upiS+rbR73Mq3iOpxu2Na5Ji3CG2sF+MoD/X+RdDm3KEwIMKPjJgrOJrFTGRSzPG2h4G
         Hzyw==
X-Gm-Message-State: APjAAAXxIk5w3XYGY4+pDTQ4LahXqaxYoBz5/j4S2yhinfWjEnKq435J
	uXfJ/6ZcKXIcvXQ7d5SdsQ+KJrBefxpfbbS0Nzc=
X-Google-Smtp-Source: APXvYqyiT+3zUUSw2cTDSyVjggETOQIAZX8DP9Ry+wSgv43CmitldGmLEYsa5mf/KSDf1aP0MvjaDHMbI++cqbx8yOc=
X-Received: by 2002:a0c:eac7:: with SMTP id y7mr41884812qvp.86.1577467133569;
 Fri, 27 Dec 2019 09:18:53 -0800 (PST)
MIME-Version: 1.0
References: <b85f9c5c757e75ffae3f8c07906471cb3a14d01b@webmail.likebtn.com> <CAF+90c_Kt9SsqAzdL439gjCOq8nyTM=mkkh-whDqSH4WKi5Akw@mail.gmail.com>
In-Reply-To: <CAF+90c_Kt9SsqAzdL439gjCOq8nyTM=mkkh-whDqSH4WKi5Akw@mail.gmail.com>
Reply-To: bishop@php.net
Date: Fri, 27 Dec 2019 12:18:27 -0500
Message-ID: <CAEYWF=5hgDjUBcmAbrBd50pGRVPY4WZ9Wb0B2aRY1AiXs2==HA@mail.gmail.com>
To: Nikita Popov <nikita.ppv@gmail.com>
Cc: FreeScout <info@freescout.net>, PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000243065059ab2b040"
Subject: Re: [PHP-DEV] XOAUTH2 support in PHP IMAP
From: bishop@php.net (Bishop Bettini)

--000000000000243065059ab2b040
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 26, 2019 at 6:45 AM Nikita Popov <nikita.ppv@gmail.com> wrote:

> On Wed, Dec 25, 2019 at 7:11 PM FreeScout <info@freescout.net> wrote:
>
> >
> > Hi Team!
> >
> > Could you please take a look at
> > https://github.com/google/gmail-oauth2-tools/issues/18
> >
> > What do you think? Will it be possible to add XOAUTH2 support to PHP
> > IMAP extension?
> >
> > Thanks
> >
>
> The IMAP extension is based on a C library that has not been maintained for
> the last decade. As such, it is highly unlikely that the IMAP extension
> will ever see new features.
>
> In fact, it is quite likely that the extension will be removed from the PHP
> distribution for PHP 8, though no decision has been made on this yet. I
> would encourage anyone still using the IMAP extension to instead switch to
> one of the pure-PHP mailing libraries. I'm not particularly familiar with
> mailing libraries, so don't know which of them already support XOAUTH2,
> maybe someone else knows?
>

In Horde/Imap_client, the API looks like this:

$credential = new \Horde_Imap_Client_Password_Xoauth2($username,
$accesstoken);

The important thing for mail-consuming applications is the realization that
the second argument there (accesstoken) comes from an auth flow. It's not
provided by a user, and it's not provided by the IMAP library.

So to access email over IMAP using PHP, applications need two things (1) an
OAuth library capable of carrying out an OAuth exchange and (2) an IMAP
library capable of submitting an OAuth token to an OAuth aware IMAP server.

Horde/Imap_Client has #2 built in per above. Zend/Mail has third-party
patches, but nothing yet built-in. I'm sure there are other libraries out
there as well. AFAIK, there isn't a single package capable of initiating an
oauth flow exchange and submitting that to an IMAP server. For example,
here's what Moodle did[1]. (They used their in-built oauth2 consumer and
joined it with Horde/Imap per above.)

It would be possible for us to add an imap_open_token($username, $token)
interface that did effectively what Horde does above. It is, after all,
just passing a certain encoded line string to the IMAP server and handling
the response. But even if we did add that, it still wouldn't solve the
problem consumers have: they need to initiate an oauth flow to get a token,
and that's something no drop-in replacement can solve. It's legitimately
new code.

[1]: https://moodle.org/mod/forum/discuss.php?d=366716

--000000000000243065059ab2b040--