From: Matthew Ogilvie <mmogilvi+fml@zoho.com>
Date: Sat, 3 Jun 2017 17:57:22 -0600
Subject: FAQ: list gmail options including oauthbearer and app password
Git-repo: https://gitlab.com/fetchmail/fetchmail.git
Git-commit: dbeee6a0c0fc5392953f38d6f0dcffdeeb8ae141

---
 fetchmail-FAQ.html |   24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

--- a/fetchmail-FAQ.html
+++ b/fetchmail-FAQ.html
@@ -1949,9 +1949,27 @@ sites.)</p>
 <p>Google has started pushing towards more complex authentication
 schemes based on OAuth 2.0 that require clients and users
 to jump through quite a few hoops, and use web browsers for signing in.
-If this hinders access to your account through fetchmail, you may need to turn on access for "less secure apps" at <a
-    href="https://myaccount.google.com/lesssecureapps">https://myaccount.google.com/lesssecureapps</a>.<br/>
-It is disputable whether an application that does not include web
+If this hinders access to your account through fetchmail, you have some
+options:</p>
+<ul>
+  <li>You can generate and use an
+      <a href="https://support.google.com/accounts/answer/185833">App Password</a>.
+      This is probably best unless you are on a "G-Suite" account and the
+      administrator has disabled this option.</li>
+  <li>You can use separate tools to generate and renew oauth2 access
+      tokens.  Then configure fetchmail to use "auth oauthbearer" and use
+      a current access token as the password.  See comments and --help in
+      contrib/fetchmail-oauth2.py from the fetchmail source tree
+      for more information.  This is derived from Google's
+      <a href="https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough">OAuth2DotPyRunThrough</a>,
+      associated code, RFC-7628, and RFC-6750.</li>
+  <li>You may turn on access for "less secure apps" at
+      <a href="https://www.google.com/settings/security/lesssecureapps">https://www.google.com/settings/security/lesssecureapps</a>,
+      or see <a href="https://support.google.com/accounts/answer/6010255">https://support.google.com/accounts/answer/6010255</a>.
+      But G-suite administrators are more likely to have disabled
+      this option than "App Password"s.</li>
+</ul>
+<p>It is disputable whether an application that does not include web
 browsing capabilities or heavy-weight libraries is "less secure" as
 Google claims.</p>