K-9: XOAUTH2 implementation for Yahoo accounts

Created on 11 Oct 2016  路  11Comments  路  Source: k9mail/k-9

Expected behavior

Yahoo accounts should be able to sign in, without enabling less secure apps.

NB: For POP3 XOAUTH2 isn't available on Yahoo. POP3 is deprecated anyway. We should probably also tell Yahoo users (notification) to migrate from POP3.

Actual behavior

Denied.

Steps to reproduce

  1. Configure a Yahoo account on IMAP
  2. Try to login

    Environment

K-9 Mail version: master

Android version: 7.0

Account type (IMAP, POP3, WebDAV/Exchange): IMAP

Developer notes

The work to implement some of the XOAUTH2 code is done in #1295

However the assumption was made that it would be Google accounts. So much of token refresh code works out of the box. This isn't true for Yahoo accounts. So some work needs to be done in terms of:

  1. Writing an XOAUTH2 token refresh tool for Yahoo accounts
  2. Making sure we use the right method for each one

I suspect we'll have a hardcoded URL in the app somewhere for Yahoo's endpoint. But I'm speculating until I get my hands dirty again

enhancement needs info security
Source
picture philipwhiuk

Most helpful comment

In yahoo account security page, you can create an "application password" to use in K9.
https://login.yahoo.com/account/security

So it seems they choose to deprecate XOAUTH2

picture totolanister on 26 May 2020
👍2 😄1

All 11 comments

Yahoo aren't being communicative on what endpoint you're supposed to hit :(

philipwhiuk picture philipwhiuk on 14 Oct 2016

@philipwhiuk - https://github.com/andris9/xoauth2/commit/ae0667f92a460751eec6ec7b618a35db5e56e6c4

Apologies in advance for nodejs, but I thought it might help anyway. :+1:

vt0r picture vt0r on 14 Oct 2016
👍1

Thanks! There's no scope in the project creation for Mail. But I might just try locally without the scope and see.

As for the nodejs - unfortunately my day job is more and more JS every day so that's not a problem!

philipwhiuk picture philipwhiuk on 14 Oct 2016

Update on this. It doesn't work without the scope. Back in October I pinged Dylan Casey who manages Yahoo's OAuth2 infrastructure as to why. He said he'd get back to me. No word so I've asked for an update.

philipwhiuk picture philipwhiuk on 23 Jan 2017

good to hear, thanks for the effort! :+1:

Valodim picture Valodim on 24 Jan 2017

So to be clear: it's still the case that to use K-9 with Yahoo mail I will need to change the setting in my account there about "less secure apps" or whatever?

natevw picture natevw on 19 Mar 2018

Apparently Sky's version of Yahoo is getting this now and you may not be able to pick the option (TBA). It's still blocked by Yahoo not giving a damn.

My 5 cents says move away from a provider who had a major security breach and then implemented this purely to save face as PR move.

philipwhiuk picture philipwhiuk on 14 Jan 2020
😄1

In yahoo account security page, you can create an "application password" to use in K9.
https://login.yahoo.com/account/security

So it seems they choose to deprecate XOAUTH2

totolanister picture totolanister on 26 May 2020
👍2 😄1

The app pwd stuff works.in case anyone faces issues, just clear cache, FC app and launch. It would work..

vdbhb59 picture vdbhb59 on 21 Jun 2020

Are there any instructions on how to use the "application password"? I can get one from Yahoo, but I can't figure out where to set it in K9.

DwayneJengSage picture DwayneJengSage on 22 Jun 2020

@DwayneJengSage Just use it in the password field, without any space. It will be normal password option.

vdbhb59 picture vdbhb59 on 23 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

D0ve picture D0ve  路  3Comments
eleith picture eleith  路  3Comments
farson2003 picture farson2003  路  4Comments
j-ed picture j-ed  路  3Comments
SpatMan05 picture SpatMan05  路  3Comments