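I am writing a Golang application to import email from Gmail into a local mail server using IMAPSync and Google's OAuth 2.0. Let's call it the backend application.
There is also an accompanying iOS app that uses AppAuth to let users sign in to their Google account. That gives me a refresh token, an access token, and a JWT whose payload looks like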
{
"iss": "accounts.google.com",
"at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified": "true",
"sub": "10769150350006150715113082367",
"azp": "1234987819200.apps.googleusercontent.com",
"email": "jsmith@example.com",
"aud": "1234987819200.apps.googleusercontent.com",
"iat": 1353601026,
"exp": 1353604926,
"nonce": "0394852-3190485-2490358",
"hd": "example.com"
}
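The plan is to send this information to the backend and start the import there with IMAPSync.
To log in to the Google account with IMAPSync, I am running this command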
/usr/bin/imapsync --host1 imap.gmail.com
--authmech1 xoauth2
--ssl1
--user1 user1@gmail.com
--password1 access_token
--host2 imap.gmail.com
--authmech1 xoauth2
--ssl1
--user2 user1@gmail.com
--password2 access_token
--justlogin --debug
These are the last lines of the output:
Host1: imap.gmail.com says it has CAPABILITY for AUTHENTICATE XOAUTH2
Use of uninitialized value $iss in concatenation (.) or string at /usr/bin/imapsync line 4463.
Use of uninitialized value $keyfile in concatenation (.) or string at /usr/bin/imapsync line 4463.
Use of uninitialized value $keyfile in concatenation (.) or string at /usr/bin/imapsync line 4466.
Service account:
Key file:
Key password: notasecret
pkcs12: Cannot open input file , No such file or directory
pkcs12: Use -help for summary.
Private key:
RSA.xs:288: OpenSSL error: no start line at /usr/share/perl5/JSON/WebToken/Crypt/RSA.pm line 19.
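I am very unfamiliar with IMAP and email importing. Is this the right approach? I followed this tutorial, OAuth 2.0 for Mobile & Desktop Apps. Should I instead use this one (Using OAuth 2.0 for Web Server Applications) and have the backend do all the authentication and retrieve all the tokens?
But since the iOS app is the only user-facing side of this application, how would the user sign in?
Thanks!
Answer 0 (score: 1)
Read https://imapsync.lamiral.info/FAQ.d/FAQ.XOAUTH2.txt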
=======================================================================
 Imapsync tips to use XOAUTH2 authentication (Gmail) and old XOAUTH
=======================================================================

=======================================================================
Q. Is XOAUTH2 authentication available with imapsync?

R. Yes, but XOAUTH2 has been really tested on Unix systems,
   less profound on Windows but it should work.
   Two file formats are available from Gmail: json and pk12.
   json is easier to manage than pk12.

=======================================================================
Q. Imapsync XOAUTH2 fails with the following message, how to fix that?

   {
     "error": "unauthorized_client",
     "error_description": "Unauthorized client or scope in request."
   }

R. In order to work you also have to allow the service
   https://mail.google.com/ in the Google client API manager for OAUTH2.
   "Select OAuth 2.0 scopes:"

=======================================================================
Q. How to use XOAUTH2 via a json file to globally authenticate gmail users?

R. Unless you use an imapsync binary like imapsync.exe or
   imapsync_bin_Darwin, Perl modules needed for xoauth2 are:

   Crypt::OpenSSL::RSA
   JSON
   JSON::WebToken
   LWP
   HTML::Entities
   Encode::Byte

   An easy way to install or upgrade Perl modules is to use the cpanm
   command, also called cpanminus. On Linux it is something like

   sudo cpanm JSON::WebToken JSON Crypt::OpenSSL::RSA LWP HTML::Entities Encode::Byte

   The json file patch code and explanation comes from Secretion at
   https://github.com/imapsync/imapsync/pull/68

   Here is a complete example for Gmail. It is a little stupid since
   it is the same account as source and destination but it's just to
   get the picture for xoauth2 authentication.

   All xoauth2 config is given via the --password1 parameter.
   It has the form:

   --password1 secret.xoauth2.json

   where secret.xoauth2.json is the json file given by Gmail.

   imapsync \
       --host1 imap.gmail.com --ssl1 --user1 gilles.lamiral@gmail.com \
       --password1 secret.xoauth2.json --authmech1 XOAUTH2 \
       --host2 imap.gmail.com --ssl2 --user2 gilles.lamiral@gmail.com \
       --password2 secret.xoauth2.json --authmech2 XOAUTH2 \
       --justlogin --debug

   Use your own xoauth2 values.

   The secret.xoauth2.json looks like:

   {
     "type": "service_account",
     "project_id": "your-project-name",
     "private_key_id": "1cfb..............................bd7fbe",
     "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiGziM...ZV5ACKPHuOfp8A46I=\n-----END PRIVATE KEY-----\n",
     "client_email": "jsonfile@your-project-name.iam.gserviceaccount.com",
     "client_id": "105................689",
     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
     "token_uri": "https://accounts.google.com/o/oauth2/token",
     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
     "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/jsonfile%40your-project-name.iam.gserviceaccount.com"
   }

   You get this json file by a link like:
   https://console.developers.google.com/apis/credentials?project=your-project-name

   See also:
   https://developers.google.com/gmail/imap/xoauth2-protocol
   https://developers.google.com/identity/protocols/OAuth2

=======================================================================
...
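The FAQ above covers the service-account JSON file; the question instead holds a per-user access token. As an added example (not code from the post, the answer or imapsync), this Go sketch shows how such a token is packaged for `AUTHENTICATE XOAUTH2` according to the xoauth2-protocol document linked in the FAQ, and how the server's base64 JSON error reply is decoded. The function names and sample values are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// XOAUTH2Challenge is the JSON error the server sends (base64-encoded) when a token is rejected.
type XOAUTH2Challenge struct {
	Status  string `json:"status"`
	Schemes string `json:"schemes"`
	Scope   string `json:"scope"`
}

// BuildXOAUTH2 returns the base64 initial client response for
// "AUTHENTICATE XOAUTH2": user=<user>^Aauth=Bearer <token>^A^A (^A is 0x01).
func BuildXOAUTH2(user, accessToken string) (string, error) {
	if user == "" || accessToken == "" {
		return "", errors.New("user and access token are required")
	}
	// Reject control characters so neither field can smuggle an extra ^A-separated key/value pair.
	for _, s := range []string{user, accessToken} {
		if strings.IndexFunc(s, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0 {
			return "", errors.New("control character in user or token")
		}
	}
	raw := "user=" + user + "\x01auth=Bearer " + accessToken + "\x01\x01"
	return base64.StdEncoding.EncodeToString([]byte(raw)), nil
}

// ParseChallenge decodes the base64 JSON sent in a "+ " continuation on failure.
func ParseChallenge(b64 string) (XOAUTH2Challenge, error) {
	var c XOAUTH2Challenge
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(raw, &c)
}

func main() {
	// Constructed sample values, not real credentials.
	resp, err := BuildXOAUTH2("user1@gmail.com", "ya29.constructed-sample-token")
	fmt.Println("a1 AUTHENTICATE XOAUTH2", resp, err)
}
```

The access token only works here if it was granted the https://mail.google.com/ scope, the same scope the FAQ says must be allowed.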