[sf-lug] Fwd: [kwlug-disc] Google with TOTP (Akkana to the rescue...)

Ronald Barnes ron at ronaldbarnes.ca
Tue Jun 14 11:56:28 PDT 2022

Someone on the KWLUG list had their issue with email and Google's OAUTH 
implementation by using something they found on github.com.

Something about the repo looked familiar - it's Akkana's script.

Way to go, Akkana!

It's kind of neat to see two recognizable names from thousands of miles 
apart interact like this.  One of the wonders of the modern world...

Not sure if the minor issue he had of having to cast float(expired) is 
unique to his situation, if he issued a PR, etc.


-------- Forwarded Message --------
Subject: 	Re: [kwlug-disc] Google with TOTP
Date: 	Tue, 14 Jun 2022 13:15:50 -0400
From: 	Khalid Baheyeldin
Reply-To: 	kb at 2bits.com, KWLUG discussion <kwlug-disc at kwlug.org>
To: 	KWLUG discussion <kwlug-disc at kwlug.org>

So TOTP with Google was not an option, because they require you to give them
a phone number and they send an SMS to it (at least initially).

I did not want to go that route. In fact, they did have my cell number
and I removed
it from my account. The reason is not privacy, but something more
dangerous. Someone
I know was the victim of a SIM swap attack, not once, but twice.
Basically an attacker
convinces the cell phone provider that he owns the number, and gets a
SIM. He then
goes into Google and asks for a password reset. Now any other service
that uses the
Google email is also compromised.

What I ended up using for getmail (to backup my Gmail account over IMAP)
is use the
Xoauth2 method supported by getmail. To do this I had to use a Python
program that
renews a token from Gmail using cloud apps

This is the script I used:


I had to make a small change, adding float() around a value:
if time.time() >= float(expired):

In getmail's config, the following is needed:

use_xoauth2 = True
password_command = ("/usr/local/bin/gmail-oauth-tokens.py",

The steps to setup a cloud app with XOauth2 is as follows (from comments
in another

- create a project
- consent screen:
     only external available for non-workspace users.
     [ADD OR REMOVE SCOPE] https://mail.google.com/
     Test User: Add all your emails you want to use with getmail.
- credential:
     [Create Credentials/Oauth client ID] Desktop App / getmail
-  download json

It works well.

But the mailwatch widget for XFCE does not work, and does not have a way
to use
the above tokens

More information about the sf-lug mailing list