Symphony Mailer doesn't support XOAuth2 natively

[Vitaliy-1]

One of the distinctive features of the Symfony SMTP transport (used in Laravel 9) is that it doesn't allow to specify authentication type. It just applies authenticators in the following order until the first success:

• CRAM-MD5
• LOGIN
• PLAIN
• XOAUTH2
  (see https://github.com/symfony/symfony/blob/6.3/src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransport.php#L40)

Moreover, XOAUTH2 type uses password in place of the access token: https://github.com/symfony/symfony/blob/6.3/src/Symfony/Component/Mailer/Transport/Smtp/Auth/XOAuth2Authenticator.php#L35

Does this apply any serious limitations to email sending which require additional handling? As minimum I'm able to send through Gmail using app specific password (requires 2 factor authentication)

[NateWr]

@Vitaliy-1 and I discussed this today. Here is the problem as I understand it:

Our existing configuration options for sending through Gmail support XOAUTH2 using a clientid, clientsecrettoken and refreshtoken.

; smtp_oauth_provider = Google
; smtp_oauth_email =
; smtp_oauth_clientid =
; smtp_oauth_clientsecret =
; smtp_oauth_refreshtoken =

However, Symphony Mailer's SMTP mailer sends through XOAuth2 type, it does not support these configuration options. When it sends mail using XOAauth2, it only sends the configured username and password:

; smtp_username = username
; smtp_password = password

It's not clear whether or not this will work. Even if we use the clientsecret as the password for Google, it seems like the secret token may expire after one hour and need to be renewed (see discussion).

To move forward, we need the following help:

1. An existing user of Gmail through XOAuth2 needs to test 3.4 to see if they can send email with the current configuration settings, and let us know if not.
2. If they are able to send email, we need to test if this continues to work after 24 hours or if the token needs to be updated somehow.
3. Finally, @Vitaliy-1 discovered that through the 2-factor authentication settings in Gmail, it is possible to set a custom password. (From https://myaccount.google.com/security, enable 2-factor password. Then go back to Application Password and set up a password.) Will this work to set up email sending through Gmail?

[asmecher]

IIRC the XOauth2 support was added in response to GMail deprecating SMTP-based delivery. It's always been complicated to set up and requires meddling with a temporary server-side script; see e.g. this forum post. So I doubt the uptake is very good.

Our own admin documentation refers to another process for setting up GMail-based delivery based on app-specific passwords. For Gmail users (unpaid) it seems to require the "unsafe apps" option, which we should consider deprecated and I have been discouraging for a long time e.g. on the forum. However, that note isn't attached to Workspace users -- I think we can recommend that without problems.

So if the Application Password process continues to work with Symphony, I think we can remove XOauth2 without affecting a lot of users.

[Vitaliy-1]

Starting from 2023, Microsoft drops the support basic authentication and those options that we still have to connect to Google/Gmail APIs won't work for Microsoft services and APIs

[asmecher]

I would suggest watching symfony/symfony#48888 for an "official" Symfony source.