XOAUTH2 is a modern authentication platform for IMAP, POP, and SMTP that uses an "access token" instead of a password. It involves getting an access token via OAuth2, creating an initial client response from the username and access token, and authenticating with the initial client response. The document provides examples of the protocol exchange for IMAP, POP, and SMTP using XOAUTH2 authentication. It also describes the format of the initial client response and provides a login flow example using a Windows 8.1 mail client and Google Apps.

1. XOAUTH2
CPRD Takehiko Kodama

2. About XOAUTH2
XOAUTH2 is:
- Modern Authentication platform of IMAP,
POP, SMTP
- Using “Access Token” Instead of password
- 1. get Access Token by OAuth2
- 2. create Initial Client Response
- 3. authenticate by Initial Client Response

3. IMAP Protocol Exchange
S: * OK Gimap ready for requests from 999.999.999.999 s2mb342107909paf
C: 1 capability
S: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1
XYZZY SASL-IR AUTH=XOAUTH AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN
S: 1 OK Thats all she wrote! s2mb342107909paf
C: 2 authenticate xoauth2 dXNlcj1hbWFnYWtpLnRv…
S: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1
UIDPLUS COMPRESS=DEFLATE ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT
S: 2 OK example@gmail.com authenticated (Success)
Specify Initial Client Response which is created from username
and access token

4. POP Protocol Exchange
S: +OK Gpop ready for requests from 999.999.999.999 sl3mb196836996iec
C: CAPA
S:
S:
S:
S:
S:
S:
S:
S:
S:
S:
+OK Capability list follows
USER
RESP-CODES
EXPIRE 0
LOGIN-DELAY 300
TOP
UIDL
X-GOOGLE-RICO
SASL PLAIN XOAUTH2
.
C: AUTH XOAUTH2 dXNlcj1hbWFnYWtpLnRv…
S: +OK Welcome.
Specify Initial Client Response which is created from
username and access token

5. SMTP Protocol Exchange
S: 250 SMTPUTF8
C: EHLO example.com
S:
S:
S:
S:
S:
S:
S:
S:
250-mx.google.com at your service, [999.999.999.999]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH XOAUTH2 PLAIN-CLIENTTOKEN
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
C: AUTH XOAUTH2 dXNlcj1hbWFnYWtpLnRv…
S: 235 2.7.0 Accepted
Specify Initial Client Response which is created from
username and access token

6. XOAUTH2 Initial Client Response
Format of Initial Client Response is:
(^A = 001)
Can be created by following command:
base64("user=" {User} "^Aauth=Bearer " {Access Token} "^A^A")
echo -en "user=example@gmail.com001auth=Bearer
vF9dft4qmTc2Nvb3RlckBhdHRhdmlzdGEuY29tCg==001001" | base64

7. Login Flow
● Mail Client: Windows 8.1 Mail
● Mail Provider: Google Apps
○ Single-Sign on with HDE One Access Control

8. Login Flow: Chose mail services

9. Login Flow: Sign in

10. Login Flow: Sign in

11. Login Flow: Authorize Mail app

12. Login Flow: Done

13. State of XOAUTH2 on Google
Disabled PLAIN Auth(password) on Default

14. Supporting Mail Services / Mailers
Mail Services Mailers
● More applications will support
Yes No
Gmail
Google Apps
Outlook.com
Office 365 (Exchange online)
Yahoo! mail
Yes No
Windows 8.1 mail Outlook
Thunderbird