View Issue Details

ID: 0030280
Project: mantisbt
Category: email
View Status: public
Last Update: 2022-06-09 07:02
Reporter: mos379
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Summary: 0030280: Implement Google OAuth Authentication for PHPMailer to send notifications with Gmail
Description

Since Google more or less made simple SMTP unusable, it would be great to add the OAuth mechanism to mantis.
PHPMailer has support for it and it is pretty easy to add.
I did this on my local installation but don't know how to easily create a PR for this on GitHub.

  1. Add "league/oauth2-google" to the composer file

  2. Add some config templates to the config.inc file

    $g_smtp_authType = 'Google';
    $g_smtp_oauthUserEmail = "support@domain.com";
    $g_smtp_oauthClientId = "203672031929-xxxxx.apps.googleusercontent.com";
    $g_smtp_oauthClientSecret = "GOCSPX-XX__XXXGSCFc5RCX7UIF4t0XZMO";
    $g_smtp_oauthRefreshToken = "1//34vCHSqfEAu9nCgYIARAAGAkSNwF-L9IroS7Y_54Ybhrad4sgzWkMunyf972uMq5w2XMehme66p7g-6YSzqudYn3bMW7-jBvw1m0";

  3. Change email_api.php

    a. Add uses

    use PHPMailer\PHPMailer\OAuth;
    use League\OAuth2\Client\Provider\Google;

    b. Add code in email_send function after "$t_mail->SMTPKeepAlive = true;"

    if( !is_blank( config_get( 'smtp_username' ) ) and is_blank( config_get( 'smtp_authType' ) ) ) {
        # Use SMTP Authentication
        $t_mail->SMTPAuth = true;
        $t_mail->Username = config_get( 'smtp_username' );
        $t_mail->Password = config_get( 'smtp_password' );
    }
    if( config_get( 'smtp_authType' ) == 'Google' ) {
        # Use SMTP OAUTH Authentication
        $t_mail->SMTPAuth = true;
        //Set AuthType to use XOAUTH2
        $t_mail->AuthType = 'XOAUTH2';

        //Fill in authentication details here
        $oauthUserEmail = config_get( 'smtp_oauthUserEmail' );
        $clientId = config_get( 'smtp_oauthClientId' );
        $clientSecret = config_get( 'smtp_oauthClientSecret' );

        //Obtained by configuring and running get_oauth_token.php
        //after setting up an app in Google Developer Console.
        $refreshToken = config_get( 'smtp_oauthRefreshToken' );

        //Create a new OAuth2 provider instance
        $provider = new Google(
            [
                'clientId' => $clientId,
                'clientSecret' => $clientSecret,
            ]
        );

        //Pass the OAuth provider instance to PHPMailer
        $t_mail->setOAuth(
            new OAuth(
                [
                    'provider' => $provider,
                    'clientId' => $clientId,
                    'clientSecret' => $clientSecret,
                    'refreshToken' => $refreshToken,
                    'userName' => $oauthUserEmail,
                ]
            )
        );
        $t_mail->Username = config_get( 'smtp_username' );
        $t_mail->Password = config_get( 'smtp_password' );
    }

  4. Add some documentation somewhere to link
    https://github.com/PHPMailer/PHPMailer/wiki/Using-Gmail-with-XOAUTH2

EDIT (dregad): fix markdown

Tags: No tags attached.

Activities

dregad

2022-05-17 11:42

developer   ~0066589

I understand your problem with Google disabling simple password authentication for their SMTP server, but TBH I am reluctant to implement a specific solution for just a single e-mail provider (even if it's Google).

Chances are that other providers will also require OAuth2 in the future, so what would be next for us? Add similar hacks to email_send() and more composer dependencies for Yahoo, Hotmail, etc.? This would turn into a maintenance nightmare. Moreover, the provider-specific composer dependencies would have to be added globally (composer.json), causing overhead for everyone not using Gmail.

Ideally, we need to have a more generic solution, that could work for other OAuth2 providers too.

In any case, new configs need to be defined and fully documented in config_defaults_inc.php (and in the Admin Guide as well). And please follow our coding guidelines (particularly variable naming).

mos379

2022-05-18 04:12

reporter   ~0066595

@dregad Totally agree, I just wanted to share my work as I wanted to continue using mantis instead of switching to a different solution just because it doesn't support a small module.

I was hoping that someone from the project would know how to "properly" integrate these items, as I'm not fluent with php and only maintained the changes locally as I saw that the PHPMailer was already used and there was a simple way to introduce the OAUTH mechanism...
PHPMailer already supports others as well.

    //@see https://github.com/thephpleague/oauth2-google
    use League\OAuth2\Client\Provider\Google;
    //@see https://packagist.org/packages/hayageek/oauth2-yahoo
    use Hayageek\OAuth2\Client\Provider\Yahoo;
    //@see https://github.com/stevenmaguire/oauth2-microsoft
    use Stevenmaguire\OAuth2\Client\Provider\Microsoft;
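
A provider-agnostic variant of the setup discussed in the comments above, added here as an example; it is not part of the original thread and not MantisBT or PHPMailer project code. The function name, the constant and the `$p_config` keys are hypothetical, and it assumes Composer autoloading is active and that each listed provider class accepts the same `clientId`/`clientSecret` options as the Google provider in the original post.

```php
<?php
# Added example: select the OAuth2 provider from configuration instead of
# hard-coding Google. All names prefixed "example_" are hypothetical.
use PHPMailer\PHPMailer\OAuth;
use PHPMailer\PHPMailer\PHPMailer;

# Provider key => provider class (class names as listed in the comment above)
const EXAMPLE_OAUTH_PROVIDERS = [
    'google'    => 'League\OAuth2\Client\Provider\Google',
    'yahoo'     => 'Hayageek\OAuth2\Client\Provider\Yahoo',
    'microsoft' => 'Stevenmaguire\OAuth2\Client\Provider\Microsoft',
];

/**
 * Configure XOAUTH2 on a PHPMailer object.
 * $p_config keys (hypothetical): provider, user_email, client_id,
 * client_secret, refresh_token.
 */
function example_smtp_oauth_setup( PHPMailer $p_mail, array $p_config ) {
    $t_name = strtolower( $p_config['provider'] ?? '' );
    if( !isset( EXAMPLE_OAUTH_PROVIDERS[$t_name] ) ) {
        throw new InvalidArgumentException( "Unsupported OAuth provider '$t_name'" );
    }
    # The provider package stays optional: only the selected one must be installed
    $t_class = EXAMPLE_OAUTH_PROVIDERS[$t_name];
    if( !class_exists( $t_class ) ) {
        throw new RuntimeException( "Provider class $t_class is not installed" );
    }
    # Refuse to continue with an incomplete credential set
    foreach( [ 'user_email', 'client_id', 'client_secret', 'refresh_token' ] as $t_key ) {
        if( empty( $p_config[$t_key] ) ) {
            throw new InvalidArgumentException( "Missing OAuth setting '$t_key'" );
        }
    }
    $t_provider = new $t_class( [
        'clientId'     => $p_config['client_id'],
        'clientSecret' => $p_config['client_secret'],
    ] );
    $p_mail->SMTPAuth = true;
    $p_mail->AuthType = 'XOAUTH2';
    $p_mail->setOAuth( new OAuth( [
        'provider'     => $t_provider,
        'clientId'     => $p_config['client_id'],
        'clientSecret' => $p_config['client_secret'],
        'refreshToken' => $p_config['refresh_token'],
        'userName'     => $p_config['user_email'],
    ] ) );
}
```

Because the class is resolved by name at run time, composer.json would only need the package for the provider an installation actually selects.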

dregad

2022-05-18 05:14

developer   ~0066596

> PHPMailer already supports others as well.

Yes, and for each one, another dependency must be added to composer.json... And potentially some provider-specific code too.

> I just wanted to share my work as I wanted to continue using mantis instead of switching to a different solution just because it doesn't support a small module.
> I was hoping that someone from the project would know how to "properly" integrate these items

Your contribution is appreciated, but as mentioned not usable in its current form.
But considering our small team's limited resources, this becomes a matter of us having the time to implement such a solution, which is unlikely to happen in the foreseeable future unless the community comes up with an acceptable patch.

That being said, if I understand correctly, creating and maintaining a Google Published App may induce costs:
> In order to maintain access to restricted scopes, the app will need to undergo this security assessment on an annual basis, this process is called the security reassessment, also known as annual recertification. The cost of the assessment typically varies between $10,000 - $75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer.
reference: https://support.google.com/cloud/answer/9110914#security-assessment&zippy=%2Csecurity-assessment

As an alternative solution, did you try using an App Password instead?
https://support.google.com/mail/answer/185833

ming.yeung

2022-06-09 07:02

reporter   ~0066707

I'm facing the same problem: I can't use Gmail simple password authentication to send email.
For the alternative solution, how do I use an App Password to replace simple password authentication? Could you provide some hints and information for setting up an App Password instead? Thanks.

Any schedule for the long term solution?