Here is the documentation from Google: OAuth 2.0 Mechanism | Gmail IMAP | Google Developers
The idea is:
- You start a connection with SMTP, POP, or IMAP. This is secured by SSL as usual
- But Google doesn’t want you to simply send your password here. Instead they send your app some custom headers, saying “hey, please do some HTTP requests to authenticate!”
- The application then does the HTTP things, and comes back to IMAP, POP, or SMTP and sends the resulting token there
So, it’s just a more complicated way to send the password.
Why do they do this? Because it allows them to more easily send a notification to your Android phone saying “hey, this new app wants to connect to your account, do you want to allow it?”. The HTTP request contains more info and allows them to identify the app. It does not mean you have to see a webpage and enter your login there, still. The app knows your password and can send it directly. This also allows them to do two-factor authentication if you have enabled that, etc.
Still, it is not the standard POP/SMTP/IMAP mechanism. Other apps have complied with Google’s non-standard choices. We have not done the work yet.
I agree it should be done, but saying we use outdated protocols is incorrect. It’s Google using non-standard protocols, and adding extra work for us. And they blame us by saying our application is insecure, when in fact it isn’t; it’s just that they were too lazy to implement something in their mail server that could trigger the same things they trigger when an app goes through the HTTP route. But instead they decided that everyone should change how to write an email client. And since they have a huge market share, all email clients had no real choice but to do it.
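The mail-protocol side of the exchange the post describes, as an added example that is not code from the post or from the client project under discussion: it builds the SASL XOAUTH2 response that carries the OAuth access token (not the account password) after `AUTHENTICATE XOAUTH2`, decodes the JSON error challenge the Google server returns when a token is rejected, and wraps the exchange as a callback for Python's `imaplib`. The user name, token and error JSON are constructed sample values.

```python
import base64
import json
from typing import Callable


def xoauth2_raw(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 client response before base64, as Google's doc specifies:
    "user=" + user + "^Aauth=Bearer " + token + "^A^A". Only the scoped,
    revocable access token crosses the mail connection, never the password."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("0x01 is the field separator and may not appear in a field")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def build_xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Base64 form: the line sent after 'AUTHENTICATE XOAUTH2' (IMAP) or
    'AUTH XOAUTH2' (SMTP)."""
    return base64.b64encode(xoauth2_raw(user, access_token))


def parse_xoauth2_initial_response(response: bytes) -> dict:
    """Decode a client response back into its fields, e.g. to check what a
    client really sent in a test harness or a proxy log."""
    raw = base64.b64decode(response).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response: missing terminator")
    fields = dict(part.partition("=")[::2] for part in raw[:-2].split("\x01"))
    if fields.get("auth", "").startswith("Bearer "):
        fields["token"] = fields["auth"][len("Bearer "):]
    return fields


def parse_xoauth2_failure(server_challenge: bytes) -> dict:
    """On a rejected token the server sends one more continuation carrying
    base64 JSON ({"status":"401","schemes":"bearer","scope":...}); the
    client answers it with an empty line and only then receives the NO."""
    return json.loads(base64.b64decode(server_challenge).decode("utf-8"))


# Constructed sample of such a failure challenge (not captured from a server).
SAMPLE_FAILURE_CHALLENGE = base64.b64encode(
    b'{"status":"401","schemes":"bearer","scope":"https://mail.google.com/"}')


def xoauth2_authenticate_callback(user: str, access_token: str) -> Callable[[bytes], bytes]:
    """Callback for imaplib's IMAP4.authenticate("XOAUTH2", cb): imaplib hands us
    each decoded server continuation and base64-encodes our reply. The first
    (empty) one gets the credential; an error challenge gets an empty reply."""
    state = {"sent": False}
    def callback(challenge: bytes) -> bytes:
        if not state["sent"]:
            state["sent"] = True
            return xoauth2_raw(user, access_token)
        return b""
    return callback
```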