Google is phasing out SMTP Plain authentication for Gmail and other services starting in autumn 2024 in favor of SMTP OAuth. This change requires third-party apps to use OAuth, enhancing security and discontinuing less secure access methods.
Integrate SMTP OAuth support in Joomla CMS to maintain email functionality for users relying on Gmail. Add configuration options for SMTP OAuth in the Global Configuration section, enabling secure connections with Gmail servers via OAuth.
To accommodate this transition and ensure seamless email functionality for Joomla CMS users who rely on Gmail, the necessary configuration options must be added in the Global Configuration section under Mail > SMTP Methods.
The proposed solution involves including settings for configuring SMTP OAuth, explicitly utilizing the XOAUTH2 mechanism.
The new feature will align Joomla CMS with industry email security standards, provide a smooth transition to OAuth authentication, and improve overall security.
Labels | Added: No Code Attached Yet |
Labels | Added: Feature |
I think this is very much needed indeed. I have an increasing amount of customers with Google or Microsoft accounts that need OAuth to connect. At this time it's still possible, but the user needs to explicitly allow 'plain' user/pw (or 'unsafe methods' or whatever it's called) to still get this to work. But these providers urge us to use OAuth. I think this will become a bigger issue when ONLY OAuth is allowed in the future.
I agree this functionality is very much needed indeed. I see that Microsoft is dropping basic authentication support completely by September 2025. From this article: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750 I would hope to see support well before then. Does anyone know if a Mailer settings option to authenticate using OAuth is in the Joomla CMS roadmap?
What do we do when Microsoft stops supporting the older / basic authentication options we now use and does not support oAuth? Will this mean we just can't use Microsoft SMTP anymore? I already got clients that tell me their MS support is warning about this when they ask them how to connect to their SMTP from Joomla.
So I do hope this will be picked up by the Joomla project sometime soon... Unfortunately I am not a coder, so I can't help with that.
@jjnxpct We are very much willing to include something like this, but we aren't a company like M$ or Wordpress and instead work entirely on volunteer base. So you are welcome to volunteer your time and develop this feature. If you are not a coder, as you wrote, you can also hire another developer to do the work for you. Otherwise you would have to wait for someone else to pick this up, which honestly is not guaranteed to happen anytime soon.
No, you didn't do anything wrong, but at the same time I can't give you any answer that will make you happy. We don't have people who will work on stuff guaranteed and in worst case we won't have this feature in time. And while I would be willing to work on this, I don't have (volunteer) time to do this. So if you really need this, your best bet would be to hire someone to work on this. I mean, the benefit is, that you get free maintenance after it has been merged initially.
From the google website: https://support.google.com/a/answer/14114704?hl=en
January 2025
Hi, back on this topic to highlight that without this feature, Joomla websites operating on domains who use Google Workspace (any edition) or Microsoft 365 won't be able to send email. This means, no notifications, no newsletters and no any email coming from the website.
@Hackwar I know that we're short on people, but we've to keep our core features working and still valid.
A CMS which is not able to send notifications and email won't be so successful on the market.
Can we work on a crowdfunding for the initiative?
Can we estimate the effort?
Can we understand what is technically missing?
Thanks!
Can we not utilise https://github.com/decomplexity/SendOauth2
phpmailer has builtin support for using OAuth2 with the decomplexity wrapper. There is an example here https://github.com/PHPMailer/PHPMailer/blob/master/examples/sendoauth2.phps so surely we just need to add configuration options to Joomla to support this.
Or am I missing something here that means everyone is running and hiding?
My two cents: OAuth2 has two main authorization workflows:
Simple Authorization Workflow: This workflow directly provides the credentials, access token, and secret in the provider's UI. These credentials remain consistent over time, making this workflow relatively easy to support in the current Mail Settings. However, this workflow is not commonly used.
Two-Legged Authorization Workflow: This more complex workflow requires client authentication on the provider platform and a callback to the site to generate the access token. Due to the need for user interaction and a callback mechanism, this workflow is more challenging to support within the existing Mail Settings, primarily designed for credentials entry.
For more details on the two-legged authorization workflow, you can refer to the Google Identity / Authorization / OAuth 2.0 / OAuth 2.0 for Client-side Web Applications.
Access Token Renewal: When the access token expires, a refresh token must be used to renew and replace the expired access token.
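The access-token renewal described in this comment, together with the XOAUTH2 mechanism named in the issue description, as an added example that is not Joomla or PHPMailer code: it caches the access token, renews it from the refresh token shortly before expiry, and builds the base64 argument for `AUTH XOAUTH2` while rejecting control characters in either field. The class name, the `$refresher` callable (a stand-in for the provider's token endpoint), the address and the token values are hypothetical and constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla or PHPMailer code; all names here are hypothetical.
final class XOAuth2TokenSource
{
    private const SEP = "\x01"; // Ctrl-A field separator used by XOAUTH2
    private ?string $accessToken = null;
    private int $expiresAt = 0;
    private \Closure $refresher;
    private \Closure $clock;

    /**
     * @param callable $refresher fn(string $refreshToken): array with 'access_token' and
     *        'expires_in'; a real one POSTs grant_type=refresh_token to the provider.
     */
    public function __construct(
        private string $user,
        private string $refreshToken,
        callable $refresher,
        ?callable $clock = null,
        private int $skewSeconds = 60
    ) {
        self::assertClean($user, 'user');
        $this->refresher = \Closure::fromCallable($refresher);
        $this->clock = \Closure::fromCallable($clock ?? 'time');
    }

    /** Returns a usable access token, renewing it shortly before it expires. */
    public function accessToken(): string
    {
        $now = ($this->clock)();
        if ($this->accessToken === null || $now >= $this->expiresAt - $this->skewSeconds) {
            $reply = ($this->refresher)($this->refreshToken);
            $token = is_array($reply) ? ($reply['access_token'] ?? null) : null;
            if (!is_string($token)) {
                // Typically a revoked refresh token: an administrator has to authorize again.
                throw new \RuntimeException('Token refresh failed; re-authorization required');
            }
            self::assertClean($token, 'access token');
            $this->accessToken = $token;
            $this->expiresAt = $now + max(0, (int) ($reply['expires_in'] ?? 0));
        }
        return $this->accessToken;
    }

    /** Base64 argument for "AUTH XOAUTH2": user=<address>^Aauth=Bearer <token>^A^A */
    public function saslInitialResponse(): string
    {
        return base64_encode(
            'user=' . $this->user . self::SEP . 'auth=Bearer ' . $this->accessToken() . self::SEP . self::SEP
        );
    }

    private static function assertClean(string $value, string $label): void
    {
        // A Ctrl-A, CR or LF inside a field could rewrite the SASL message or the SMTP dialogue.
        if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
            throw new \InvalidArgumentException("Invalid $label");
        }
    }
}

// Constructed demo: a fake clock and a stub refresher replace the provider's token endpoint.
$now = 1_700_000_000;
$calls = 0;
$source = new XOAuth2TokenSource(
    'site@example.org',
    'constructed-refresh-token',
    function (string $refreshToken) use (&$calls): array {
        $calls++;
        return ['access_token' => "constructed-access-token-$calls", 'expires_in' => 3600];
    },
    function () use (&$now): int {
        return $now;
    }
);
echo str_replace("\x01", '^A', base64_decode($source->saslInitialResponse())), "\n";
$now += 3590; // inside the 60-second skew window, so the next call renews the token
echo str_replace("\x01", '^A', base64_decode($source->saslInitialResponse())), "\n";
echo "refresh calls: $calls\n";
try {
    new XOAuth2TokenSource("site@example.org\r\n", 'r', fn () => []);
} catch (\InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The refresh token and client secret are long-lived credentials, so whatever stores them in the CMS configuration needs the same protection as the SMTP password it replaces.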
From what I read they are both supported - it just needs to be implemented
From the Google help pages:
Starting in March 2025, Google Workspace accounts no longer support less secure apps, third-party apps, or devices that ask you to sign in to your Google Account with your username and password. You must use OAuth to let these apps and devices access your account. Third-party email apps that are no longer supported include Microsoft Outlook and the mail app on iOS and MacOS. For detailed instructions and information, visit Transition from less secure apps to OAuth. For the latest dates, visit Google Workspace Updates.
Also I believe the app passwords are not available anymore and OAuth will be the only way to use Google Gmail service for sending emails. For sites that use Google Gmail in the CMS email settings there will be no other alternative than maybe use PHP mail (I think that's a bad idea...) or a different external email service that still offers 'plain' SMTP connections.
AcyMailing has implemented OAuth for Google and Microsoft so newsletters can be sent using this sending method. I have tested it and it works. But other extensions like Convert Forms and probably others as well use the Joomla e-mail configuration. So websites using those extensions and also Google Gmail will need a solution for their forms as well.
I am not sure about Microsoft. But I think they will have a similar strategy.
I hope someone in the Joomla project will know what to do. Sorry I can't be of any more use than sharing this info and maybe do some testing when this is needed.
Update: It is starting to happen for us on sites that use Google E-mail. Now I have to look at alternatives. I think there will be a lot more sites that will encounter this issue now.
This problem is resolved in Wordpress by https://wpmailsmtp.com/ . Also there is another plugin for GMail in Joomla (https://www.web357.com/gmail-smtp-connect-joomla-plugin). So there are some successfully implemented solutions for this.
If you can implement these in Joomla Core it will be very interesting
@mozaffar The Web357 Joomla plugin looks promising. Thanks for pointing that out! I will check it out. The documentation even handles the Admin Tool htaccess blocking of the return URL from Google. I encountered that issue when setting up Google OAuth for Acymailing.
So this plugin could be a solution for websites that need to use Google to send emails through Google servers.
I still think the Joomla project should consider adding Oauth methods (At least for Google and Microsoft) to the CMS mail settings. In the mean time for Google the Web357 plugin might do the trick.
For anyone that runs into this issue: You could consider creating a mailbox on a different server (maybe you have your own server or hosting environment) and use that to authenticate / send emails from your (clients') website(s). And then add a reply to (and maybe a forwarder) to make sure the site managers get any replies to the sent CMS e-mails.
Using PHP Mail could be a way to go, but I think you will run into all kinds of spamfilter issues. You at least have to add your server IP to the SPF record. But I don't think you can add DKIM to the CMS emails so you will have issues with Google and Microsoft blocking your emails to their users.
Update: Yiannis from Web357 is also planning to make a Microsoft OAuth plugin.
Do you guys think Joomla also needs to support OAuth as a core feature or should users that need this rely on third party plugins like the one from web357?
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-04-23 08:26:22 |
Closed_By | ⇒ | anibalsanchez |
I opened the issue to avoid the impact on our clients. It was needed a year ago. Today, there is no choice, and third-party plugins are required to implement the latest security practices for the email service.
I'm closing the issue. Thanks.
Why is this issue closed? Because there are third party plugins that can do what Joomla can not do? Without considering the option to add this to the Joomla core? (For MS there is not even no third party solution yet...)
If there are reasons why this should not be in the Joomla core, please inform us about that. But if this could be a good addition to the core isn't this a valid feature request? Even when maybe there is no one (at this point) to add this to the CMS?
i agree
Why is this issue closed? Because there are third party plugins that can do what Joomla can not do? Without considering the option to add this to the Joomla core? (For MS there is not even no third party solution yet...)
If there are reasons why this should not be in the Joomla core, please inform us about that. But if this could be a good addition to the core isn't this a valid feature request? Even when maybe there is no one (at this point) to add this to the CMS?
I think the Mail settings page should at least have a button to redirect to the plugins section, informing that the OAuth authentication for the SMTP email service can be provided through 3rd-party plugins, as is done for the SEO settings.
Something like this:
@jjnxpct In a year, the team couldn't develop the support for this feature. Meanwhile, other features and versions were released. It's clear that the priorities were different.
The window of opportunity has closed. Third-party plugins have already fulfilled the requirement and we've already transitioned to a solution.
Tomorrow, if Joomla starts supporting SMTP OAuth, it would be like a joke to the extension developers and administrators that already invested time and resources to migrate.
P.S. Well, it wouldn't be the first time we've heard that tune. ;-)
That's what happens when people choose personal profit instead of the common good :(
I do think the Joomla project dropped the ball here a bit. That's too bad. But I guess these kind of things happen in an Open Source project. Open Source is great, but dependent on volunteers who can not be blamed when the project fails to deliver. It's just what it is.
I don't know if adding this feature - even though late and while there are third party alternatives (partially at this time) - should just be dismissed. Being able to send e-mails from the CMS using the largest mail providers should be core functionality.
I do think the Joomla project dropped the ball here a bit. That's too bad. But I guess these kind of things happen in an Open Source project.
I thought that we all are "The Joomla! Project"? So feel free to step forward to either:
The fact, that it is not in Joomla! core just means it was not important enough that someone did the investment to get it done. If you need help with creating PRs or need support getting a PR properly tested and, when ready, merged, feel free to reach out to me.
Unfortunately I am not a developer.
Maybe we could create some kind of crowdfunding for important improvements like this. A Joomla team decides what features are needed in the core and sets a required amount to get that done. This project is placed on a Joomla crowdfunding website. When there is enough money raised for a feature a team of (dedicated / qualified) Joomla developers implements this in the core. This will make it easier for non-developers like me to also contribute to the code development.
You are welcome to organize that. I don't see that in the Joomla project for political reasons, but you are open to create such a crowdfunding right now and find a developer to code this. Who do you think that "Joomla team" or "Joomla developers" are?
Unfortunately I am not a developer.
You don't need to be a developer, you can pay a developer or do the crowdfunding by yourself.
From my experience it's not that easy that e.g. OSM pays certain people because then other high frequent volunteers will be upset why they're not paid.
If there is a need, just gather people and get it paid/done. You're Joomla!, there is no "they".
Status | Closed | ⇒ | New |
Closed_Date | 2025-04-23 08:26:22 | ⇒ | |
Closed_By | anibalsanchez | ⇒ |
Maybe we could create some kind of crowdfunding for important improvements like this.
You are welcome to organize that. I don't see that in the Joomla project for political reasons, but you are open to create such a crowdfunding right now and find a developer to code this.
You don't need to be a developer, you can pay a developer or do the crowdfunding by yourself.
Why doesn't @joomla open a fundraiser through the @opencollective service, where you can also open a fundraiser for certain features for Joomla (like SEO, Mail, etc.)?
It's enough to simply add a link to the OpenCollective Joomla page in the GitHub settings and everywhere on the official Joomla resources and open a fundraiser for the necessary features for Joomla.
Just look at how Bootstrap's team did it:
Various companies and users donate money to them for the development of the framework:
I'm working with Joomla since 2005. I believe the root cause is not the money to be fund-raised. Imagine we have an investor. What will be the first questions? Definitely he/she will ask about the plan, roadmap and ROI; Why he/she should pay an amount of money? Is there any roadmap for Joomla in comparison with its competitors?
Personally I believe Joomla! is great and despite of the idea of many developers it is the most flexible and the easiest CMS. But developers are migrating to WordPress. Why?
We should think about a convincing roadmap and plan and then we can use fund raising platforms. Joomla! should be able to compete with WordPress + millions of Plugins to be able to receive funds.
I don't mean that it should make all of them built-in, but at least we should have a list of most wanted features. Then we can decide which of them should be implemented inside the Joomla and which of them can be added as extensions. Then we can fund raise for those vital extensions to promote them as free extensions.
the plan, roadmap
I read about what was supposed to be in Joomla 4 back in 2016 and only about 10% of that is what we now have in Joomla 5.3
Joomla has a very confusing roadmap that has nothing to do with reality.
the most flexible and the easiest CMS. But developers are migrating to WordPress. Why?
developers migrate to where new clients appear, where the number of clients increases.
Apparently WordPress can cover the basic needs of beginner website creators, while Joomla cannot.
This CMS is already 20 years old, but it still does not have the multi-category feature out of the box (and this was the most anticipated feature for Joomla all this time).
How can I display one article in different categories?
This question still has no answer!!!
Even as an editor, I do not see the coverage of the basic needs for creating a website with many categories and a thousand articles!
Don't even try to offer me tags!!!
My site exists since Joomla 1.0 (since 2008) and if you offer me to use tags, then writing articles is not something important for you!!!
We should think about a convincing roadmap and plan and then we can use fund raising platforms. Joomla! should be able to compete with WordPress + millions of Plugins to be able to receive funds.
You can create a fundraiser for specific features for Joomla right on the @opencollective page and raise money for different features.
I don't mean that it should make all of them built-in, but at least we should have a list of most wanted features. Then we can decide which of them should be implemented inside the Joomla and which of them can be added as extensions. Then we can fund raise for those vital extensions to promote them as free extensions.
Here is a list of the most anticipated features of Joomla (out of the box), which I have been waiting for as an editor since 2008:
404 error pages to canonical pages.
If these 2 features are out of the box in Joomla, then the number of Joomla customers will increase dramatically, since website creators will be able to create websites with a good structure and will be able to make money if their websites are higher in search engines and if their websites are visited by more users!
It is so EASY TO UNDERSTAND, but not for everyone in the team that develops Joomla!
You complain that Joomla is losing users, but you forget that people who have websites on Joomla are also losing users because of many 404 error pages and bad SEO, because of the inability to make a good structure for their websites right out of the box (multicategories)!
You are suggesting to spend money buying 3rd-party extensions only for something that any CMS should have in 2025 right out of the box.
These are not even official extensions from Joomla, but extensions from 3rd-party developers, who very often stop supporting their extensions when there is a migration to a new major version, as it happened during the migration from Joomla 1.5 to Joomla 2.5, and then it happened again during the migration from Joomla 2.5 to Joomla 3.5 and now it happened again during the migration from Joomla 3.10 to Joomla 4/5.
I can't make enough money as an editor and website owner because my website has a lot of 404 error pages which is very bad for my website ranking in Google which is the result of my website getting less traffic.
I can't provide my users with a better website structure because my website doesn't have multi-category.
My website has several thousand articles and about 200 categories but I can't display one article in more than one category!
I spent hundreds of dollars on extensions that are no longer supported, that are no longer available for Joomla 4/5.
I could have spent that money on creating a new official feature for Joomla out of the box, but no one was even raising money for something like that.
I WOULD NEVER SPEND A CENT ON THE TAG FEATURE IN JOOMLA!
It's the most useless feature that Joomla has ever seen in the 15+ years I've been using Joomla!
I'd rather spend my money (that I spent on 3rd party extensions) on implementing the multi-category feature in Joomla (out of the box) and a plugin to redirect 404 error pages to canonical pages (out of the box).
Why doesn't joomla open a fundraiser through the https://github.com/opencollective service, where you can also open a fundraiser for certain features for Joomla (like SEO, Mail, etc.)?
Joomla has no employed developers, the teams consist of volunteers. When Joomla collects money now, who gets it?
To summarize:
Get in touch with the community to see if such a feature has a high probability of being implemented in the core.
Organize your own fundraising if you want to see a feature in Joomla. Look out for developers who can implement it and then create a PR together.
What's not helpful:
Pure expectations and service mentality, and snapping at people who make their work available here free of charge and who voluntarily contribute improvements that they probably also need in their everyday work and therefore make available to the community here.
It may be surprising, but I don't think anyone here can live on air and love alone and almost everyone has to earn money with their work.
And I'm not saying that a feature request doesn't have a chance of being implemented without crowdfunding.
The contributors are great and do as much as they can and do an excellent job!
But if I have the claim that I need it now, I will most likely have to invest more effort and possibly also money.
Joomla has no employed developers, the teams consist of volunteers.
When Joomla collects money now, who gets it?
this money will be received by developers who will create a SEO solution for Joomla.
The management of Joomla (the fund) will distribute this money among those developers who will create the code for the SEO plugin.
Here some people are talking about WordPress, that's why I compared Joomla with WordPress, because WordPress has a commercial part as far as I understand, maybe Joomla could have a commercial part in some future which could support business clients.
Look out for developers who can implement it and then create a PR together.
This is a valid suggestion, but you are forgetting that many developers have come here (IN THE PAST) who suggested adding certain features to Joomla, but their PR was rejected and removed from potential future Joomla releases because "nobody needs it" - that was the explanation from other developers.
I remember how there was a PR for Joomla (IN THE PAST) about adding multicategories to Joomla, but that PR was cancelled by other developers who did not want Joomla to have that feature out of the box!
This has happened many times, when developers came here and offered their code for the CMS, but their help was rejected and their code was not added to the CMS.
Joomla has no volunteers.
My idea #37792 to create an official server for @joomla in @discord was rejected.
Millions of students, young developers all over the world use Discord.
Bootstrap, @adobe, @cloudflare, @microsoft use Discord, but not Joomla.
They suggest using some outdated developer communication platform #37792 (comment) that no one wants to use instead of Discord.
How will Joomla receive new young volunteers, student developers, if Joomla does not have a community on Discord?
If you want to push SEO improvements, here would have been an opportunity to participate as a sponsor or mentor Joomla Academy.
Joomla is also part at GSOC 2025.
Maybe you should familiarize yourself better with ways to keep up to date. Infos are present on LinkedIn, there is its own Mastodon instance, Joomla User Groups and yes, the community in Mattermost. And certainly many more channels.
Personally, I also think that the assumption that Joomla! cannot implement features that have already been taken up by the "market" elsewhere is wrong. Of course, the ecosystem and the extension developers should not be harmed. But it is simply wrong to expect that a feature needed by the masses should no longer be implemented just because extension developers were faster. I think it's in everyone's interest that the core should be stable and not overloaded - but at the same time cover the needs of the majority of users.
It's great if third party extension developers can earn their living with it to bridge the gap, but that doesn't mean that it shouldn't be implemented in the core as soon as the resources are free.
But that's just my personal opinion as a developer on this topic.
the community in Mattermost
This is an outdated way of communication, now developers communicate via Discord or Microsoft Teams, but since Joomla is Open Source, then chat/server/community in Discord would be even more preferable.
I think it's in everyone's interest that the core should be stable and not overloaded
I think that the release of Joomla 6 should be moved by 1 or 2 years, because now even Joomla 5 still does not have all the extensions that users used in Joomla 3. The transition from Joomla 3 to Joomla 5 was the most dramatic for me since 2008, since I first started using Joomla 1.0
When I used Joomla 3, everything was OK, everything worked as it should, I used a very good and most importantly free SEO plugin that helped get rid of all duplicate pages and redirected all duplicate pages to canonical ones, but this plugin, like all other SEO plugins that worked for Joomla 3, were not ported to Joomla 5, so SEO is the biggest problem in Joomla 5.
Before upgrading to Joomla 5.2/5.3, my website on Joomla 5 had a lot of duplicate pages, but these pages were available, the content of the site was available even through duplicate links, after upgrading to Joomla 5.3 these pages return 404 error, the content is no longer available to site users who go to my website via old links that had the old site structure and old category alias. Joomla 5 first brought me the problem with many duplicate pages and now instead of duplicate pages I have many 404 error pages, which is no better than duplicate pages. Joomla 5 is by far the most disappointing version in terms of SEO since 2008, when I started using Joomla.
My site for the last six months since I updated to Joomla 5.2/5.3 has been losing search engine rankings and users, I'm making less money than I could be making and all because of the new router in Joomla 5 because of the SEO issues in Joomla 5, so if Joomla wants editors/creators like me to be able to sponsor something, make a working tool for us so that we can make money from our content, so that our websites don't have problems with multiple 404 errors and the router works properly so that the router can redirect all pages to canonical links.
If you would like to discuss this topic further, please open a Discussion or open a new Issue with a bug report.
I set the last posts to off-topic, as they have nothing more to do with the actual feature request. This makes it unnecessarily difficult for an interested developer to get an overview of the actual feature request.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-04-26 17:38:42 |
Closed_By | ⇒ | bembelimen |
Status | Closed | ⇒ | New |
Closed_Date | 2025-04-26 17:38:42 | ⇒ | |
Closed_By | bembelimen | ⇒ |
I just dropped by here to say that I have been using Joomla since it was Mambo. There are many many things to love about it. However, we have not caught up and have a serious technology gap for those we ought to be targeting Joomla with as champions (e.g., companies, agencies, and even freelancers who by the way, develop mostly for businesses regardless of size). From J3, it was apparent that this fundamental issue would drag for some time. This is what made me explore and eventually used Wordpress. In Wordpress, this can be achieved seamlessly using a free plugin called FluentSMTP which I have flawlessly used since then for Microsoft 365 (Entra). From J3, I stopped. I looked at J5 and oAuth2 support seems to be elusive (at least since the last posts on this thread few months ago), whether at the core, or through a readily available extension.
Today, I had another look. Lo and behold, AI has pointed me to Web357's GMail SMTP Connect Plugin for Joomla supporting OAuth 2.0 authentication. While not free, this is promising. It's a shame that it only supports Google (at this time), and not Microsoft (or any other providers requiring OAuth2).
It would be best for this to be considered as part of the Joomla core. The use cases of Joomla for the enterprise is very promising if not unbeatable. Meanwhile, while all these SMTP OAuth2 thing has been left unattended for sometime, it made me explore the Wordpress ecosystem, and I can truly say, there are things to hate and things to love on that side of the fence (e.g., even the simplistic approach of using font clamps by CSS frameworks that works with excellent page builders) is a game changer for me. We can learn from the good ones. Let's protect those whom we already have and not lose them to the other camp. The good things inside Joomla (e.g., solid user management and permissions system, a more structured and flexible articles management, etc.), keeps me coming back, yet hoping for more. For what it is now, and how it can still shape in the near future, I sincerely thank the Joomla team for making a wonderful CMS. We can always be matured enough to look at the other side. Facebook did that with Instagram when it wasn't able to acquire Snapchat, many moons ago, and arguably, there was no shame in it.
We can always be matured enough to look at the other side.
They will never agree with you because developing OAuth2 for Joomla is TOO DIFFICULT, as difficult as launching a spacecraft to the moon.
Please keep in mind that this is related not only to gmail.com email accounts but all the corporate/schools/governments which use Google Workspace for the email management. So implementing this feature would be crucial for those use cases.
Thanks :)