Feature No Code Attached Yet
anibalsanchez
30 Apr 2024

Is your feature request related to a problem? Please describe.

Google is phasing out SMTP Plain authentication for Gmail and other services starting in autumn 2024 in favor of SMTP OAuth. This change requires third-party apps to use OAuth, enhancing security and discontinuing less secure access methods.

Describe the solution you'd like

Integrate SMTP OAuth support in Joomla CMS to maintain email functionality for users relying on Gmail. Add configuration options for SMTP OAuth in the Global Configuration section, enabling secure connections with Gmail servers via OAuth.

To accommodate this transition and ensure seamless email functionality for Joomla CMS users who rely on Gmail, the necessary configuration options must be added in the Global Configuration section under Mail > SMTP Methods.

The proposed solution involves including settings for configuring SMTP OAuth, explicitly utilizing the XOAUTH2 mechanism.

The new feature will align Joomla CMS with industry email security standards, provide a smooth transition to OAuth authentication, and improve overall security.

Additional context

anibalsanchez - open - 30 Apr 2024
joomla-cms-bot - change - 30 Apr 2024
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 30 Apr 2024
Quy - change - 30 Apr 2024
Labels Added: Feature
Quy - labeled - 30 Apr 2024
jeckodevelopment - comment - 15 May 2024

Please keep in mind that this is related not only to gmail.com email accounts but also to all the corporations/schools/governments that use Google Workspace for email management. So implementing this feature would be crucial for those use cases.

Thanks :)

jjnxpct - comment - 19 Aug 2024

I think this is very much needed indeed. I have an increasing number of customers with Google or Microsoft accounts that need OAuth to connect. At this time it's still possible, but the user needs to explicitly allow 'plain' user/pw (or 'unsafe methods' or whatever it's called) to still get this to work. But these providers urge us to use OAuth. I think this will become a bigger issue when ONLY OAuth is allowed in the future.

chrisrjrs - comment - 4 Sep 2024

I agree this functionality is very much needed indeed. I see that Microsoft is dropping basic authentication support completely by September 2025. From this article: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750 I would hope to see support well before then. Does anyone know if a Mailer settings option to authenticate using OAuth is in the Joomla CMS roadmap?

jjnxpct - comment - 6 Dec 2024

What do we do when Microsoft stops supporting the older / basic authentication options we now use and does not support OAuth? Will this mean we just can't use Microsoft SMTP anymore? I already got clients that tell me their MS support is warning about this when they ask them how to connect to their SMTP from Joomla.

So I do hope this will be picked up by the Joomla project sometime soon... Unfortunately I am not a coder, so I can't help with that.

Hackwar - comment - 6 Dec 2024

@jjnxpct We are very much willing to include something like this, but we aren't a company like M$ or Wordpress and instead work entirely on a volunteer basis. So you are welcome to volunteer your time and develop this feature. If you are not a coder, as you wrote, you can also hire another developer to do the work for you. Otherwise you would have to wait for someone else to pick this up, which honestly is not guaranteed to happen anytime soon.

jjnxpct - comment - 6 Dec 2024

@Hackwar I know and you are right. But your comment kinda makes me feel like I did something wrong here...

Hackwar - comment - 6 Dec 2024

No, you didn't do anything wrong, but at the same time I can't give you any answer that will make you happy. We don't have people who will work on stuff guaranteed and in the worst case we won't have this feature in time. And while I would be willing to work on this, I don't have (volunteer) time to do this. So if you really need this, your best bet would be to hire someone to work on this. I mean, the benefit is that you get free maintenance after it has been merged initially. 😉

Ruud68 - comment - 9 Dec 2024

From the Google website: https://support.google.com/a/answer/14114704?hl=en


January 2025

  • Access to less secure apps will be turned off for all Google Accounts.
  • CalDAV, CardDAV, IMAP, SMTP, and POP will no longer work with legacy passwords (basic authentication).

jeckodevelopment - comment - 11 Dec 2024

Hi, back on this topic to highlight that without this feature, Joomla websites operating on domains that use Google Workspace (any edition) or Microsoft 365 won't be able to send email. This means no notifications, no newsletters and no email of any kind coming from the website.
@Hackwar I know that we're short on people, but we have to keep our core features working and still valid.
A CMS which is not able to send notifications and email won't be so successful on the market.

Can we work on a crowdfunding for the initiative?
Can we estimate the effort?
Can we understand what is technically missing?

Thanks!

brianteeman - comment - 11 Dec 2024
brianteeman - comment - 18 Dec 2024

PHPMailer has built-in support for using OAuth2 with the decomplexity wrapper. There is an example here https://github.com/PHPMailer/PHPMailer/blob/master/examples/sendoauth2.phps so surely we just need to add configuration options to Joomla to support this.

Or am I missing something here that means everyone is running and hiding?

anibalsanchez - comment - 18 Dec 2024

My two cents: OAuth2 has two main authorization workflows:

Simple Authorization Workflow: This workflow directly provides the credentials, access token, and secret in the provider's UI. These credentials remain consistent over time, making this workflow relatively easy to support in the current Mail Settings. However, this workflow is not commonly used.

Two-Legged Authorization Workflow: This more complex workflow requires client authentication on the provider platform and a callback to the site to generate the access token. Due to the need for user interaction and a callback mechanism, this workflow is more challenging to support within the existing Mail Settings, primarily designed for credentials entry.

For more details on the two-legged authorization workflow, you can refer to the Google Identity / Authorization / OAuth 2.0 / OAuth 2.0 for Client-side Web Applications.

Access Token Renewal: When the access token expires, a refresh token must be used to renew and replace the expired access token.
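
Added illustration, not part of the comment above and not Joomla or PHPMailer code: the XOAUTH2 mechanism named in the feature request sends the access token inside a base64-encoded SASL string, and the token has to be renewed with the refresh token before it expires. The function names, the `$refresh` callable and all sample values are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Build the SASL XOAUTH2 initial client response sent after "AUTH XOAUTH2".
// Format: base64("user=" user ^A "auth=Bearer " token ^A ^A), where ^A is byte 0x01.
function xoauth2InitialResponse(string $user, string $accessToken): string
{
    // Reject control characters so a crafted value cannot add fields or SMTP lines.
    foreach ([$user, $accessToken] as $value) {
        if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException('Empty value or control character in XOAUTH2 field');
        }
    }
    return base64_encode("user={$user}\x01auth=Bearer {$accessToken}\x01\x01");
}

// Return a usable access token, renewing it through $refresh when it is expired
// or about to expire. $refresh is a hypothetical callable standing in for the
// provider's token endpoint; it returns ['access_token' => ..., 'expires_in' => ...].
function currentAccessToken(array &$store, callable $refresh, int $now, int $skew = 60): string
{
    if (!isset($store['access_token']) || $store['expires_at'] - $skew <= $now) {
        $new = $refresh($store['refresh_token']);
        $store['access_token'] = $new['access_token'];
        $store['expires_at'] = $now + (int) $new['expires_in'];
        // Some providers rotate the refresh token; keep the newest one.
        $store['refresh_token'] = $new['refresh_token'] ?? $store['refresh_token'];
    }
    return $store['access_token'];
}

// Constructed sample data: no real account, token or endpoint.
$store = ['refresh_token' => 'REFRESH-PLACEHOLDER', 'access_token' => 'OLD-TOKEN', 'expires_at' => 1000];
$fakeRefresh = fn (string $rt): array => ['access_token' => 'NEW-TOKEN', 'expires_in' => 3600];

// "Now" is 990: inside the 60-second skew window before expiry, so the token is renewed.
$token = currentAccessToken($store, $fakeRefresh, 990);
$line  = xoauth2InitialResponse('site@example.com', $token);

echo "AUTH XOAUTH2 {$line}\n";
// Show the decoded SASL string with the 0x01 separators made visible.
echo str_replace("\x01", '^A', base64_decode($line)), "\n";
```

The stored refresh token and client secret are long-lived credentials, so a real configuration screen would need to store them with the same care as the SMTP password they replace.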

brianteeman - comment - 18 Dec 2024

From what I read they are both supported - it just needs to be implemented
