changing Incoming Mail configuration feature to use the OAuth2
service would make it work with Gmail and Outlook.com (they support it,
according to https://msdn.microsoft.com/en-us/library/dn440163.aspx),
but would leave pretty much any other IMAP service that doesn't support
XOAUTH2 authentication unusable (and there are quite a few of them).
In addition to that, in Gmail's case, OAuth2 authentication is only
offered/required if the mailbox doesn't have two factor authentication
enabled (2FA). If it is, the IMAP service simply doesn't offer the
authentication option. Using 2FA from an application that doesn't have
the user interacting with it at login time is rather complicated.
That's why, again in Gmail's
case, they offer the option to create static application passwords.
These passwords are special, in the sense that they are not subject to
2FA, and can be used as a valid password. They are auto-generated by
Gmail, and you have to copy them manually to your application. I'm
telling all this for those that are using a Gmail mailbox and don't want
to go to all the trouble to configure an OAuth2 service and configure
XOAUTH2 in their Moodle site (assuming they have their Moodle site
patched to include such functionality). It's less secure than using
XOAUTH2, but it can be more secure than enabling the "less secure
applications" options in Gmail, and using static passwords (the static
application passwords auto generated by Google are longer than most
people's passwords, and thus harder to guess).
So to summarise, we would need to support both XOAUTH2 and
the traditional authentication methods. The good news is that Horde
(the library Moodle uses to access IMAP mailboxes) already includes
support for XOAUTH2. With a few hours of coding and fighting with Google
machinery to create a client API key and secret, I've developed a patch
that works in my test environment, using a Google Suite
In order to use it with a Gmail mailbox, you need to create an OAuth2 Google Service (following the instructions given at https://docs.moodle.org/34/en/OAuth_2_services), with two changes to the default values created by Moodle (see attached image):
In addition to that, you must use a system account
with that OAuth2 Service, as it is intended to be used without any kind
of user interaction. The easiest way is to use the account owning the
Once you have all that in place, you can patch your Moodle site (the
attached patch applies cleanly to Moodle 3.4 current as of today, but
probably applies without too much trouble to other versions). Once you
have patched it, if you go to the "Incoming Mail Configuration" page,
you will find two new configuration settings (see attached image):
- Use XOAUTH2: enable to use XOAUTH2 instead of the traditional authentication methods
- OAuth2 Service: select the OAuth2 Service that you created above, to be used for XOAUTH2
If everything is correctly set up, you won't even need to configure
the real password for the IMAP user, as it's not used by XOAUTH2 at all
(but you still need to put something in there, as otherwise the Horde
IMAP library complains loudly!).
You can now manually run the "Incoming email pickup" scheduled task to see if everything works as expected.
XOAUTH2 patch should work with other email providers, as long as you
create a valid OAuth2 Service entry for that provider, following the
provider documentation (you might need a custom OAuth2 service in many
 That's the name of the particular authentication method they use for both IMAP and SMTP.
 Former Google Apps for Business/Education.