[Users] Setting up Claws for Oauth2

David Fletcher David at megapico.co.uk
Tue Jan 21 21:14:56 UTC 2025


> Hi David
> 
> Tbh I am struggling. I wanted to use claws for the MH mail box.
> Looking on a forum I see I am not the only one who finds setting up
> Oauth2 difficult. Would it not be easier for an automatic process? I
> set up my mail client on the phone without problems.
> 
> james

Hi James,

Which part are you getting stuck on? Did you get Yahoo to issue you with
a Client ID?

You're right that it would be better if this were more automated, but
there are some issues that make that difficult. I've added a short
section to the Oauth2 FAQ about this, but that won't be visible yet as
there's a moderation process.

Below is pretty much the text that I've added for the FAQ. I hope this
helps explain the situation, although it doesn't solve your immediate
problem.

Best regards, David


The set-up of OAUTH2 in Claws Mail requires extra steps relative to some
other popular open source email clients. There are a few reasons for this:

1) Registration of an application with a service provider to obtain a
Client ID is part of the OAUTH2 authentication process. Claws Mail gives
you complete freedom (and responsibility) for linking the application
with your chosen email service provider. By registering it yourself you
ensure that you have full control, as you would expect for open source
software. If you rely on an application that is pre-registered with the
service providers, you also take the risk (however unlikely) that the
developers cancel or change that registration without your involvement.

The actual security of your connection is no different whether you or the
developer registers an email application with the service provider. The
application developers never have any access to your email connection.
But by registering the application yourself you have complete control,
which is a requirement for some users.

2) Registration with some email providers as an application for
distribution requires a security audit of the application. That's to
prove that the application doesn't have any back doors or security
holes. However, such security audits cost money, and it would need to be
re-certified after any code changes. This is not viable for an open
source freely distributed application. Moreover, if you're worried
about security holes you can inspect the code yourself so it's less of
an issue than with distribution of binary code applications.

3) The developers have explored the process of registration with a
security audit and quickly got into forms that required a street
address, and needed someone to sign things off. These requirements are
not straightforward for a small open source project that does not have
an office address or legal structure to sign documents on behalf of the
project. In contrast, others such as Mozilla (Thunderbird) have a legal
organisation, street address, and some funding so they can overcome
these issues to undertake app registration on your behalf.