From: William Bader <william@newspapersystems.com>
Date: Sun, 31 Jan 2021 06:42:46 +0000
Subject: Add README.OAUTH2 issue #27
Git-repo: https://gitlab.com/fetchmail/fetchmail.git
Git-commit: d52ba9652c9207358e0b9acc11403688f6f16b9e

---
 README.OAUTH2 |  147 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)

--- /dev/null
+++ b/README.OAUTH2
@@ -0,0 +1,147 @@
+OAUTH2 support for gmail
+========================
+
+Preface
+-------
+
+fetchmail 7 adds support for OAuth2.
+You create a project in google that requests gmail access to request an OAuth2 client id and client secret.
+Then you use the contributed fetchmail-oauth2.py to request a refresh token for gmail access to your gmail account.
+Then you use the fetchmail-oauth2.py again to request temporary access tokens that fetchmail uses like a password.
+
+Create a Google project and request an OAuth2 client id and client secret
+-------------------------------------------------------------------------
+
+* Open the Google API Dashboard: https://console.developers.google.com/apis/dashboard
+* The first time that you enter the page, you will have to select your country and agree to terms of service.
+* You should see a title bar with "Google APIs" and a menu down the left with "Dashboard, Library,
+  Credentials, OAuth consent screen, Domain verification, Page usage agreements".
+* Click to create a new project, possibly on a pull-down arrow to the right of "Google APIs" on the title bar.
+* Click on "NEW PROJECT".
+  + Enter a project name like "fetchmail".
+  + You can leave "Location" as "No organization" for personal email.
+  + If you are a G Suite administrator, you might be able to enter your G Suite organization.
+  + When you enter the project name, you will get a message like "Project ID: fetchmail-123456. It cannot be changed later."
+  + Make a note of the full project name.
+  + Click on "CREATE".
+  + Google will take a few seconds to create the project.
+* Switch to the new project, either from "SELECT PROJECT" in the notification window or on the title bar pulldown after "Google APIs".
+* Click on "Credentials" on the menu at the left.
+* Click on "+ CREATE CREDENTIALS" at the top of the window.
+* Select "OAuth client ID" from the list of credential types.
+* Click on "CONFIGURE CONSENT SCREEN" at the right.
+  + Select "External" from the list of user types. "Internal" is for organizations with G Suite.
+  + Click "CREATE".
+* Fill out the app registration form.
+  + "App name" can be the full project name, like "fetchmail-123456". It has to be unique.
+  + "User support email" can be your gmail email.
+  + "App logo" can be empty. I used /usr/share/icons/Adwaita/256x256/legacy/emblem-mail.png
+  + "Application home page" can be empty.
+  + "Application privacy policy link" can be empty.
+  + "Application terms of service link" can be empty.
+  + "Authorized domain" can be empty.
+  + "Developer contact email address" can be your gmail email.
+  + Click "SAVE AND CONTINUE".
+  + Click "ADD OR REMOVE SCOPES" on the "Edit app registration" screen.
+  + Click on "Google API Library". This opens a new tab.
+  + Filter for "Email" and click on "Gmail API".
+  + Click on "ENABLE".
+  + Return to the "Edit app registration" tab and refresh.
+  + Click "ADD OR REMOVE SCOPES" on the "Edit app registration" screen.
+  + I think that the scope ".../auth/gmail.modify" to "View and modify but not delete your email" is sufficient.
+  + Click on "SAVE AND CONTINUE". This opens the "Test Users" window.
+  + Click on "+ ADD USERS".
+  + Enter you gmail address and click on "ADD".
+  + Click on "SAVE AND CONTINUE".
+  + This opens a "Summary" page.
+  + If you need to change something, click on "OAuth consent screen" on the menu at the left and then "EDIT APP" to step through the screens again.
+* Click on "Credentials" on the menu at the left to create client credentials.
+  + Click on "+ CREATE CREDENTIALS" at the top of the window.
+  + Select "OAuth client ID" from the list of credential types.
+  + Select "Desktop app" from the list of "Application types".
+  + "Name" can be "DesktopClient1" or whatever the screen suggests.
+  + Click on "CREATE".
+  + It will show a window with "Your Client ID" and "Your Client Secret". Copy them somewhere safe.
+
+Download and build fetchmail 7
+------------------------------
+```
+git clone https://gitlab.com/fetchmail/fetchmail.git
+cd fetchmail
+git checkout -t origin/next
+./autogen.sh
+./configure
+make
+make check
+sudo make install
+```
+
+Configure fetchmail-oauth2.py
+-----------------------------
+* Create a file, for example /home/yourname/.fetchmail-oauth2
+```
+client_id=YOUR-CLIENT-ID
+client_secret=YOUR-CLIENT-SECRET
+refresh_token_file=/home/yourname/.fetchmail-refresh
+access_token_file=/home/yourname/.fetchmail-token
+max_age_sec=3000
+```
+* Replace YOUR-CLIENT-ID and YOUR-CLIENT-SECRET with the keys for "Your Client ID" and "Your Client Secret" from the previous step.
+* The refresh and token files do not need to exist, but they have to be valid paths.
+* Run `contrib/fetchmail-oauth2.py -c /home/yourname/.fetchmail-oauth2 --obtain_refresh_token_file`
+  + The script will give you a URL.
+  + Paste the URL into a web browser.
+  + URL should open a google authentication page.
+  + Select the email account.
+  + Google will warn that the app isn't verified. Click on "Continue".
+  + Google will warn that "fetchmail-123456 wants to access your Google Account `your.name@gmail.com`".
+  + Click on "Allow".
+  + The page will display the sign in key.
+  + Paste the key into the script.
+  + The script will report:
+```
+Refresh token saved to '/home/yourname/.fetchmail-refresh'
+Initial access token saved to '/home/yourname/.fetchmail-token'
+Access Token Expiration Seconds: 3599
+```
+  + Hopefully you will not need to do this again for months or years.
+* Run `chmod 0600` on all of the files .fetchmail-oauth2 .fetchmail-refresh .fetchmail-token
+
+Configure fetchmail
+---------------------
+* Create an entry in your `.fetchmailrc`
+```
+poll imap.gmail.com protocol imap
+  auth oauthbearer username "your.name@gmail.com"
+  passwordfile "/home/yourname/.fetchmail-token"
+  is yourname here
+  fetchlimit 10 folder "Download"
+  keep
+  sslmode wrapped sslcertck
+```
+* Run `chmod 0400` on your `.fetchmailrc`
+* The optional "fetchlimit #" limits the number of emails if you are testing.
+* The optional "folder name" sets the folder to check.
+* I made gmail filters that add a "Download" label to important emails.
+* Fetchmail downloads unread emails. You can go into gmail and mark a few emails unread for testing.
+* Try running fetchmail once at a command line.
+
+Script fetchmail
+----------------
+* Each access token expires after an hour.
+* If you run fetchmail from cron, you should run `fetchmail-oauth2.py -c /home/yourname/.fetchmail-oauth2 --auto_refresh ; fetchmail`
+* For example, `*/2 * * * * (fetchmail-oauth2.py -c /home/yourname/.fetchmail-oauth2 --auto_refresh ; fetchmail) > /home/yourname/fetchmail.log 2>&1`
+* The `--auto_refresh` option checks the age of the key against the `max_age_sec` and renews it if necessary.
+* `max_age_sec=3000` in `.fetchmail-oauth2` renews the key after 50 minutes, which should give a safe margin.
+
+Further reading
+---------------
+* Instructions by the author of OAuth2 support for Fetchmail and Postfix
+  + Setting Up OAUTH2 Support for Fetchmail and Postfix http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
+  + Run `fetchmail-oauth2.py --help | less`
+* Documents from Google
+  + Using OAuth 2.0 to Access Google APIs https://developers.google.com/identity/protocols/oauth2
+  + Integrating Google Sign-In into your web app https://developers.google.com/identity/sign-in/web/devconsole-project
+* Google links
+  + Google API Dashboard: https://console.developers.google.com/apis/dashboard
+  + Google Cloud Resource Manager: https://console.developers.google.com/cloud-resource-manager