
How to continue using msmtp OAuth 2.0 for Gmail in mutt after oob deprecation?

background

For two years I’ve been happily accessing my Gmail accounts with neomutt.

I’m sync’ing between neomutt locally and my online Gmail account with mbsync and a “2-Step Verification” app password (Sign in with App Passwords).

sending email with msmtp, until now

To send a Gmail with neomutt is trickier, because msmtp requires an unexpired token from the Gmail API. Fortunately GitHub user tenllado provided the only working open-source solution that I’ve been able to find, his script oauth2token. I adapted it as oauth2tool.sh. The steps for this to function are:

1 prepare – get my Gmail OAuth 2.0 credentials

  1. Use Gmail API’s Python Quickstart to get my credentials, which look like this:
    • my Client ID: xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
    • my Client Secret: xxxxxxxxxxxxxxxxxxxxxxxx
  2. Grab a copy of oauth2.py (Code “the refresh token lasts indefinitely”).
  3. Get the immortal refresh token: $ python2 oauth2.py --user=my@gmail.com --client_id=<myCI> --client_secret=<myCS> --generate_oauth2_token and follow the instructions. It looks like this:
    • refresh token: 1//03xxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxx

2 prepare – configure msmtprc

account my
auth oauthbearer
host smtp.gmail.com
port 587
from my@gmail.com
user my@gmail.com
passwordeval bash oauth2tool.sh my

3 use – send emails from the command line, until now

Then, when I send an email with echo "test" | msmtp -a my <target_email>, my oauth2tool.sh pulls up a valid token. The way it does this is it grabs the token with pass if it’s not expired, otherwise it grabs a new one with python2 oauth2.py --user=my@gmail.com --client_id=<myCI> --client_secret=<myCS> --refresh_token=<myRT>.

With all this, I could easily send emails from my Gmail accounts from the command line, until now.

now, oob is no longer allowed

Now my once immortal refresh tokens are being expired, and I can’t renew them because Gmail’s oauth2.py is using redirect_uri = urn:ietf:wg:oauth:2.0:oob, which is deprecated.

Making Google OAuth interactions safer by using more secure OAuth flows: “OAuth out-of-band (oob) flow will be deprecated”.

How to continue sending with msmtp?

OAuth 2.0 for Mobile & Desktop Apps “Loopback IP address (macOS, Linux, Windows desktop)” seems to be the way forward, but I’d need a few weeks of free time, which I don’t have, to figure out how. Any ideas out there?

Related question: Google Cloud: OAuth clients in test mode that are using the OAuth OOB flow.
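The loopback flow the question points to, sketched as an added example (not part of the original post and not code from oauth2.py or oauth2token): a one-shot listener on 127.0.0.1 replaces the oob redirect, with a state check and PKCE so that only the redirect belonging to this run is accepted. It assumes a "Desktop app" OAuth client and the https://mail.google.com/ scope; the file name loopback.py and all function names are hypothetical.

```python
import base64, hashlib, http.server, json, secrets, sys, urllib.parse, urllib.request
AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_URL = "https://oauth2.googleapis.com/token"
SCOPE = "https://mail.google.com/"  # assumed scope: full Gmail access, needed for SMTP

def pkce_pair():
    """Return (code_verifier, S256 code_challenge) as defined by RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def auth_url(client_id, redirect_uri, state, challenge):
    q = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code", "scope": SCOPE,
         "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTH_URL + "?" + urllib.parse.urlencode(q)

def make_listener(state):
    """Bind 127.0.0.1 on an ephemeral port; .code is set only by a redirect with our state."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            q = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
            got = q.get("state", [""])[0].encode()
            ok = "code" in q and secrets.compare_digest(got, state.encode())
            if ok:
                self.server.code = q["code"][0]
            self.send_response(200 if ok else 400)
            self.end_headers()
            self.wfile.write(b"Done, close this tab.\n" if ok else b"Rejected.\n")
        def log_message(self, *args): pass  # keep the authorization code out of stderr
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    server.code = None
    return server

def exchange(code, verifier, client_id, client_secret, redirect_uri):
    """Trade the code for tokens; the JSON reply carries access_token and refresh_token."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
        "code_verifier": verifier, "client_id": client_id,
        "client_secret": client_secret, "redirect_uri": redirect_uri}).encode()
    with urllib.request.urlopen(TOKEN_URL, data=body) as reply:
        return json.load(reply)

if __name__ == "__main__":  # usage: python3 loopback.py <client_id> <client_secret>
    (verifier, challenge), state = pkce_pair(), secrets.token_urlsafe(16)
    srv = make_listener(state)
    redirect = "http://127.0.0.1:%d" % srv.server_port
    print("Open in a browser:\n" + auth_url(sys.argv[1], redirect, state, challenge))
    while srv.code is None:
        srv.handle_request()
    print(exchange(srv.code, verifier, sys.argv[1], sys.argv[2], redirect).get("refresh_token"))
```

The printed refresh token is a long-lived credential; store it the same way the existing token is stored (for example in pass) rather than in a shell history or a world-readable file.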