Anyone have more information on why K-9/TB & Thunderbird aren't limited by Google on OAUth2 tokens?

Path: i2pn2.org!i2pn.org!aioe.org!3PLzD/rb74ta/CXxNcmbeA.user.46.165.242.75.POSTED!not-for-mail
From: spa...@nospam.com (Andy Burnelli)
Newsgroups: alt.comp.os.windows-10,alt.comp.software.thunderbird,comp.mobile.android
Subject: Anyone have more information on why K-9/TB & Thunderbird aren't limited by Google on OAUth2 tokens?
Date: Tue, 26 Jul 2022 18:07:28 +0100
Organization: Aioe.org NNTP Server
Message-ID: <tbp6vk$120e$1@gioia.aioe.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="34830"; posting-host="3PLzD/rb74ta/CXxNcmbeA.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
X-Notice: Filtered by postfilter v. 0.9.2
Content-Language: en-GB
 by: Andy Burnelli - Tue, 26 Jul 2022 17:07 UTC

Anyone have more information on why K-9/TB & Thunderbird aren't limited by
Google on OAuth2 token limits per day (set to 60K for 3rd-party MUAs)?

Apparently 3rd-party MUA developers have been forced to remove their apps
from the Google Play Store simply because Google has limited them to an
artificially low (anti-competitive?) limit of, apparently, 60K tokens.
<https://forum.xda-developers.com/t/app-5-0-fairemail-fully-featured-open-source-privacy-oriented-email-app.3824168/post-87195365>

I do not profess to understand this need for OAuth2 tokens, but I am
curious how K-9/TB and Thunderbird 3rd-party MUAs get around this limit?

*Anyone know more why Thunderbird isn't affected by this token limit?*

Here is what Google told a 3rd-party MUA developer when he asked for more
tokens than the 60K he currently has (Google upped it from 20K & then 40K).
"Thank you for reaching out. Looks like you already have sufficient
OAuth tokens for the project requested as shown here."

The developer's (longer) response is in the sig below.
(in case you can't access the XDA developers' thread on the topic)

Apparently Google is purposefully limiting competition to its MUAs at the
same time Google is attacking privacy (because Google seems to hate OAuth2,
hence Google is forcing people to provide a "second something" instead).

But my question isn't about that obvious assessment; my question
is about the not-so-obvious reason why Thunderbird isn't affected by this
artificial limit on the number of tokens a 3rd-party MUA can access per
day.

*Anyone know more why Thunderbird isn't affected by this token limit?*
--
THIS IS THE RESPONSE TO GOOGLE BY A 3rd-PARTY MUA DEVELOPER JUST TODAY:
(in case you can't access the XDA developers' thread on the topic)

There are currently just enough tokens because I was forced to remove the
app from the Play store for reaching the token grant limit. This is not
good enough and not sufficient.

Lately there were some articles about the app, which resulted in growth of
the number of users of the app. However, this very soon resulted in
reaching the token grant limit. This is seriously limiting the success of
the app. People rate 1 star because they can't configure a Gmail account!
This is also one of the reasons why the app needed to be removed from the
Play store, to prevent reputation damage.

I would like the token grant limit to be removed or set to a high value of
1,000,000 tokens. Limiting the growth of the app is in my opinion abusive
behavior according to EU article 102. For the Gmail app, used by millions
of people, there is no growth limit after all.

Note that less than 1,000 users more caused service denial because the very
low existing limit was reached. Also note that the app was downloaded over
500,000 times.

The current limit of 60,000 tokens is enough for 2,500 Gmail accounts,
which is nothing for an Android app in the Play store. Note that many
people configure multiple accounts, so the actual number of users who can
be served is a lot lower.

You can see the token grant rate too and see that the limit is almost
reached. You can also see that it is about an Android app, it went through
a verification process after all. So, I can't understand that you say that
there are sufficient tokens. The peak of tokens was already over 88,500,
clearly illustrating that 60,000 isn't sufficient.

If this doesn't get resolved, I will file a complaint with the EU, also
because there is in my opinion no justifiable reason to impose a limit at
all. All tokens are related to an account. If there is any abuse, the user
should be addressed, not the app. Note that reaching the limit also affects
existing users who want to reconfigure a Gmail account. More than a few
people complained about this.

Please see also here:

FairEmail in the Play Store: Status and frequently asked questions (email.faircode.eu)

Please understand that this is a very frustrating situation for me. I
worked for over three years on this app! Basically, you say that the limits
of the app have been reached. This can't be and as argued above you are
also not allowed to say that.

If you don't agree with removing the limit or setting a high limit, please
increase the limit to at least 120,000, so there is actual room for
growth.

To be very clear, this is about the token grant rate, not the user cap
limit. The app was verified, so the user cap limit isn't applicable.

Re: Anyone have more information on why K-9/TB & Thunderbird aren't limited by Google on OAUth2 tokens?

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.szaf.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.os.windows-10,alt.comp.software.thunderbird,comp.mobile.android
Subject: Re: Anyone have more information on why K-9/TB & Thunderbird aren't
limited by Google on OAUth2 tokens?
Date: Tue, 26 Jul 2022 19:09:38 +0100
Lines: 17
Message-ID: <jkaov2FitecU1@mid.individual.net>
References: <tbp6vk$120e$1@gioia.aioe.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net M1GyP2fmIeNRhdNyoElXAAukTc+T4+7HeAbtjW2gFVxTA5gsbs
Cancel-Lock: sha1:50d1YeFrvxNwITvgHLDFzZ0a1lw=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.0.3
Content-Language: en-GB
In-Reply-To: <tbp6vk$120e$1@gioia.aioe.org>
 by: Andy Burns - Tue, 26 Jul 2022 18:09 UTC

Andy Burnelli wrote:

> I do not profess to understand this need for OAUth2 tokens, but I am
> curious how K-9/TB and Thunderbird 3rd-party MUAs get around this limit?

I haven't read any of the XDA forum on this.

The little I know about OAuth2 tokens is that when you do the web sign-in using
your username/password, you get back a token that "proves" you authenticated to
the account, and that token can then be used by the app instead of the
username/password to access the mailbox, but the token has a limited life
(weeks/months/who knows?) and has to be re-issued.

I think I've had one "token reissue" event where Thunderbird asked me to jump
through the web sign-in again, but others say they haven't had that, and the
reissue should somehow be transparent to the end-user.
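
The token reuse and silent reissue discussed in the reply above, shown as an added example that is not part of the thread or of any mail client's code. It assumes the standard OAuth 2.0 split (RFC 6749) into a short-lived access token and a longer-lived refresh token; `FakeTokenEndpoint`, `MailSession`, the one-hour lifetime and all token values are constructed for illustration.

```python
import base64
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; the user must repeat the web sign-in."""

class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth 2.0 token endpoint (no network, not a real API)."""
    def __init__(self, lifetime=3600):
        self.lifetime = lifetime                    # access-token lifetime in seconds (assumed)
        self.valid_refresh = {"rt-constructed-1"}   # refresh tokens the server still honours
        self.issued = 0                             # access tokens handed out so far

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            return {"error": "invalid_grant"}       # RFC 6749 error for a revoked/expired grant
        self.issued += 1
        return {"access_token": f"at-constructed-{self.issued}", "expires_in": self.lifetime}

class MailSession:
    """Client-side token cache for one mailbox (hypothetical class, for illustration)."""
    def __init__(self, user, refresh_token, endpoint, clock=time.time, skew=60):
        self.user, self.refresh_token, self.endpoint = user, refresh_token, endpoint
        self.clock, self.skew = clock, skew
        self.access_token, self.expires_at = None, 0.0

    def token(self):
        # Reuse the cached access token until it is within `skew` seconds of expiry,
        # then trade the refresh token for a new one without involving the user.
        if self.access_token is None or self.clock() >= self.expires_at - self.skew:
            reply = self.endpoint.refresh(self.refresh_token)
            if "error" in reply:
                self.access_token = None
                raise ReauthRequired(reply["error"])
            self.access_token = reply["access_token"]
            self.expires_at = self.clock() + reply["expires_in"]
        return self.access_token

    def xoauth2(self):
        # SASL XOAUTH2 initial response sent in place of a password on IMAP/SMTP.
        raw = f"user={self.user}\x01auth=Bearer {self.token()}\x01\x01"
        return base64.b64encode(raw.encode()).decode()
```

A client that catches `ReauthRequired` is the one that sends the user back through the web sign-in; every other reissue happens inside `token()` without a prompt.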

Re: Anyone have more information on why K-9/TB & Thunderbird aren't limited by Google on OAUth2 tokens?

Path: i2pn2.org!i2pn.org!aioe.org!3PLzD/rb74ta/CXxNcmbeA.user.46.165.242.75.POSTED!not-for-mail
From: spa...@nospam.com (Andy Burnelli)
Newsgroups: alt.comp.os.windows-10,alt.comp.software.thunderbird,comp.mobile.android
Subject: Re: Anyone have more information on why K-9/TB & Thunderbird aren't limited by Google on OAUth2 tokens?
Date: Wed, 27 Jul 2022 19:54:05 +0100
Organization: Aioe.org NNTP Server
Message-ID: <tbs1jj$5nr$1@gioia.aioe.org>
References: <tbp6vk$120e$1@gioia.aioe.org> <jkaov2FitecU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="5883"; posting-host="3PLzD/rb74ta/CXxNcmbeA.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
Content-Language: en-GB
X-Notice: Filtered by postfilter v. 0.9.2
 by: Andy Burnelli - Wed, 27 Jul 2022 18:54 UTC

Andy Burns wrote:

> the little I know about oauth2 tokens, is that when you do the web sign-in using
> your username/password, you get back a token that "proves" you authenticated to
> the account, and that token can then be used by the app instead of the
> username/password to access the mailbox, but the token has a limited life
> (weeks/months/who knows?) and has to be re-issued.

Thanks Andy, as that's way more than I understand, simply because I never
cared about this stuff until early March when Google sent me a notice that the
venerable 3rd-party MUA login/password was to be deprecated May 30th.
<https://i.postimg.cc/MGfN2Z7r/gmailpasswd01.jpg> Google March notice
<https://i.postimg.cc/2yBvxJhJ/gmailpasswd02.jpg> Login/passwd deprecated

From then 'till now, I've been forced to care because of what Google did.
a. First Google just shut off the login/passwd pipeline
b. At the same time, Google "pretended" there were many Android options
c. Since _all_ Android options _required_ a "second something"

Every single one!

Notice this key point which I know you are aware of, but almost everyone
else is not... which is that at that time, there were _zero_ choices for
Android that did not require a "second something" (despite Google
pretending that there were).

That "second something" meant there were only two Android choices:
a. Either 2SV/2FA (& then "App Passwords", "OTP", or whatever)
b. Or, OAuth by setting up an *on-device account* on your phone
<https://i.postimg.cc/YqWvzF4W/fairemail02.jpg> Android OTP options

That's anathema!

Notice on the PC platform, there was an _additional_ third choice!
c. Or OAuth2 over the web (_without_ setting up an on-device account!)

But that non-second-something choice did not exist until you and gym
informed us that Christian Ketterer (aka cketti), a key K-9/TB Mail
developer added it, and until I found that Marcel Bokhorst (aka M66B)
of Fair Email worked with that K-9 Mail team to implement it in Android.

For Android, that means there are still fundamentally only two methods:
A. Either a "second something" (2SV/2FA or on-device OAuth), or,
B. web-OAuth

Hence, as of this week only, for the first time, those who are privacy
conscious on an Android phone, have finally a solution to recover from
Google's unilateral attack on privacy that occurred on May 30th, 2022.
<https://i.postimg.cc/Jz0TvyKQ/fairemail01.jpg> FairEmail auth options

> I think I've had one "token reissue" event where thunderbird asked me to jump
> through the web sign-in again, but others say they haven't had that, and the
> reissue should somehow be transparent to the end-user.

I don't think anyone but Google understands OAuth token use since, as
you're likely aware, even the MUA developer for Fair Email is saying that
the numbers are bouncing up and down without him knowing why.

And Google isn't telling him why his token count went from over 30K one day
and then suddenly to half that, but at times to double that (where his
limit was reached - which is why he was forced to pull his app from Google
Play Store repository - given the users wouldn't know this detail).
<https://forum.xda-developers.com/t/app-5-0-fairemail-fully-featured-open-source-privacy-oriented-email-app.3824168/post-87202201>

For the poor user, all he knows is his email won't work with 3rd-party
MUAs, at the same time his email works just fine with the Google GMail MUA.

What Marcel finally did, was put back Fair Email with a permanent warning
that Google can capriciously stop it from working at any time; but then he
decided to make that warning removable (which is how the latest version
is).
<https://i.postimg.cc/nhHFRK3L/fairemail03.jpg> web-OAuth example

There's some pretty good fodder here for brazen anti-competitive practices,
along with Google's blatant attack on privacy by requiring personal info.
--
Posted out of the goodness of my heart to disseminate useful information,
which, most likely, almost nobody knows unless they are directly affected.
