Google Brings OAuth 2.0 Support To Gmail And Google Talk To Make Third-Party Apps More Secure

Virtually all of Google’s APIs currently support OAuth 2.0, a framework that gives third-party apps limited access to your data on other services, as their standard authentication mechanism. Starting today, Google is taking its OAuth 2.0 support a step further by bringing it to IMAP/SMTP and XMPP, the protocols that allow third-party access to Google services like Gmail and Google Talk. This move, says Google’s Ryan Troll, will allow developers to give users “tighter control over what data clients have access to, and clients never see a user’s password, making it much harder for a password to be stolen.” With OAuth 2.0 support, users will be able to revoke a single client’s access to a service like Gmail without affecting other apps that access the same data.

Google has been supporting OAuth for access to Gmail since 2010, but the framework’s version 2.0 adds a number of security features and also simplifies things for developers.

For users, the OAuth 2.0 experience will be pretty much the same as when they give an app access to their Gmail or Twitter accounts. The app never gets to see your passwords, and the authentication is handled by exchanging a token between the two services.

Developers who use IMAP/SMTP to access your Gmail accounts or XMPP to interact with Google Talk can start using OAuth 2.0 now. In today’s announcement, Google also stresses that the company is about to end support for its older account authentication APIs like XOAUTH for IMAP/SMTP, which uses OAuth 1.0a. The company is also deprecating support for a number of ways to access XMPP, so if you are a developer using these tools, make sure you take a look at today’s blog post.