[jeffbee]

You seem to be taking the perspective of an application developer or something like that? Certainly for users all they need to do is roll in with their favorite IMAP client and use it. All of what you said applies not at all to users.

[Aloisius]

> roll in with their favorite IMAP client and use it

That's just it. Lots of client developers, especially open source ones, balked.

So to use something like mutt with gmail requires a user go into their google settings, set up 2fa then create an app-specific password. And if a user is on a Google Workspace account with "insecure" passwords turned off, they either have to do all the gcloud/consent/etc. stuff themselves or steal a client secret from another client.

Oauth client secrets aren't really compatible with open source and oauth flows don't work well in terminals. Google's onerous process didn't help and on top of that, using oauth means getting hit by Google's quotas.

Who knows how long Google will support app-specific passwords? Or perhaps they'll start forcing 2fa via their own gmail app every login.

[superkuh]

It does. Gmail disabled imap login for everyone. You explicitly have to find and set up a special "app password" to enable just IMAP now. Many major corporate email clients (like thunderbird) have implemented these corporation-mail-company specific work arounds though so the user doesn't notice them.