Re: RFC 8252 is a complete joke

On 6/29/23 16:05, Brian E Carpenter wrote:

> > Microsoft seems to take the opposite view with Outlook.  They have withdrawn support for the traditional forms of authentication and are now promoting the use of OAUTH as an alternative.
>
> Not "promoting". They are *enforcing* it, which in turn has forced implementors such as Thunderbird to jump through many hoops, and millions of users to jump through yet more badly documented hoops. As one of those millions, I lost a couple of hours of my life as a result, for zero benefit.

There's also zero reason for users to have confidence that the browser used by their MUA doesn't compromise their privacy or security.

More generally, if you need to link a huge web browser into your application just to authenticate to a server, something is very badly wrong.  That's a large number of lines of code and therefore a large amount of potential vulnerability there.

And this practice also (at least for every instance I've seen) breaks non-interactive use of, say, IMAP, which enables various kinds of automatic processing.

In other words, insistence on OAUTH authentication invalidates several decades' worth of common and useful practice, for a very dubious benefit that has been imposed on huge communities of users.  

Keith
