mailledger-oauth
| Crates.io | mailledger-oauth |
| lib.rs | mailledger-oauth |
| version | 0.0.2 |
| created_at | 2026-01-14 14:08:53.847668+00 |
| updated_at | 2026-01-17 17:33:22.942263+00 |
| description | OAuth2 authentication library for email protocols |
| homepage | https://github.com/mqasimca/mailledger |
| repository | https://github.com/mqasimca/mailledger |
| max_upload_size | |
| id | 2042880 |
| size | 109,250 |
Qasim (mqasimca)
documentation
README
mailledger-oauth
OAuth2 authentication library for email protocols (IMAP/SMTP).
Features
- ✅ Authorization Code Flow with PKCE support (RFC 7636)
- ✅ Device Flow for CLI/IoT applications (RFC 8628)
- ✅ Token Management with automatic expiration tracking
- ✅ Token Refresh capability
- ✅ SASL Mechanisms: XOAUTH2 (Google/Microsoft) and OAUTHBEARER (RFC 7628)
- ✅ Pre-configured Providers: Gmail, Outlook/Microsoft 365, Yahoo
- ✅ Custom Provider support
Quick Start
Prerequisites
For Microsoft Outlook/Office 365:
- Register application at Azure Portal
- Configure redirect URI (e.g.,
http://localhost:8080) - Note your Application (client) ID
- Obtain necessary permissions (IMAP.AccessAsUser.All, SMTP.Send, offline_access)
For Gmail:
- Create project at Google Cloud Console
- Enable Gmail API
- Configure OAuth consent screen
- Create OAuth 2.0 credentials
- Add
https://mail.google.com/scope
Authorization Code Flow (Desktop Apps)
use mailledger_oauth::{Provider, OAuthClient, AuthorizationCodeFlow};
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
// Configure provider (Microsoft Outlook)
let provider = Provider::microsoft()?;
// Create OAuth client
let client = OAuthClient::new("your-client-id", provider)
.with_redirect_uri("http://localhost:8080");
// Create authorization flow with PKCE (recommended)
let flow = AuthorizationCodeFlow::new(client).with_pkce();
// Generate authorization URL
let auth_url = flow.authorization_url(None, Some("random-state"))?;
println!("Visit: {}", auth_url);
// After user authorizes, you'll receive a code
// Exchange code for token
let code = "authorization-code-from-redirect";
let token = flow.exchange_code(code, None).await?;
println!("Access token: {}", token.access_token);
println!("Expires at: {:?}", token.expires_at);
Ok(())
}
Using with IMAP
use mailledger_imap::{Client, Config, Security};
use mailledger_oauth::{Provider, OAuthClient, AuthorizationCodeFlow, Token};
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
// 1. Obtain OAuth2 token (see above)
let token: Token = /* ... */;
// 2. Connect to IMAP server
let config = Config::new("outlook.office365.com", Security::Tls);
let stream = mailledger_imap::connection::connect_tls(&config).await?;
let client = Client::from_stream(stream).await?;
// 3. Authenticate with OAuth2 (XOAUTH2)
let email = "user@outlook.com";
let client = client.authenticate_xoauth2(email, &token).await?;
// 4. Use authenticated client
let folders = client.list("", "*").await?;
println!("Folders: {:#?}", folders);
Ok(())
}
Token Storage
Store tokens securely using the credential storage:
use mailledger_core::account::{AccountId, credentials};
// Store token
let account_id = AccountId::new(1);
credentials::store_oauth_token(account_id, &token)?;
// Retrieve token later
let stored_token = credentials::get_oauth_token(account_id)?;
// Delete token
credentials::delete_oauth_token(account_id)?;
Token Refresh
// Check if token is expired (with 60-second buffer)
if token.is_expired() {
// Refresh the token
let new_token = client.refresh_token(&token).await?;
// Store the new token
credentials::store_oauth_token(account_id, &new_token)?;
}
Device Flow (CLI/IoT Apps)
For applications that can't easily open a browser:
use mailledger_oauth::{Provider, OAuthClient, DeviceFlow};
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let provider = Provider::microsoft()?;
let client = OAuthClient::new("your-client-id", provider);
let flow = DeviceFlow::new(client);
// Request device authorization
let auth = flow.request_device_authorization(None).await?;
println!("Visit: {}", auth.verification_uri);
println!("Enter code: {}", auth.user_code);
// Poll for token (automatically retries)
let (_, token) = flow.authorize(None, 120).await?;
println!("Authorized! Token: {}", token.access_token);
Ok(())
}
Providers
Microsoft Outlook/Office 365
let provider = Provider::microsoft()?;
// Scopes:
// - https://outlook.office365.com/IMAP.AccessAsUser.All
// - https://outlook.office365.com/SMTP.Send
// - offline_access (for refresh tokens)
Gmail
let provider = Provider::google()?;
// Scope: https://mail.google.com/
Yahoo
let provider = Provider::yahoo()?;
// Scopes: mail-r, mail-w
Custom Provider
let provider = Provider::new(
"Custom",
"https://auth.example.com/authorize",
"https://auth.example.com/token",
)?
.with_default_scopes(vec!["email".to_string()]);
SASL Mechanisms
XOAUTH2 (Google/Microsoft)
use mailledger_oauth::sasl::xoauth2_response;
let auth_string = xoauth2_response("user@example.com", &token.access_token);
// Use with IMAP: AUTHENTICATE XOAUTH2 {auth_string}
OAUTHBEARER (RFC 7628)
use mailledger_oauth::sasl::oauthbearer_response;
let auth_string = oauthbearer_response("user@example.com", &token.access_token);
// Use with IMAP: AUTHENTICATE OAUTHBEARER {auth_string}
Examples
Run the Outlook OAuth2 example:
export OAUTH_CLIENT_ID="your-client-id"
export OAUTH_EMAIL="your-email@outlook.com"
cargo run --example outlook_oauth2
Security Notes
- Always use PKCE for desktop/mobile applications (enabled by default with
.with_pkce()) - Store tokens securely using system keyring (see
mailledger-core::credentials) - Never commit client secrets or tokens to version control
- Validate state parameter to prevent CSRF attacks
- Use TLS for all token exchanges
Why OAuth2?
Microsoft will permanently disable Basic Authentication (username/password) for IMAP/SMTP in April 2026. OAuth2 is now mandatory for accessing Outlook/Microsoft 365 email accounts.
Benefits:
- ✅ No passwords stored in the app
- ✅ Granular permission scopes
- ✅ Token expiration and refresh
- ✅ User can revoke access anytime
- ✅ Complies with modern security standards