Deprecation of Basic authentication in Exchange Online

Microsoft is deprecating Basic authentication in Exchange Online, as announced here: “This decision requires customers to move from apps that use basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and […]

New Security Measures taken by Google concerning “Loopback IP Adresses” or “OAuth out-of-band (oob)”

Question:  I would like to know if Chilkat is affected by the new security measures taken by Google concerning “Loopback IP Adresses” or “OAuth out-of-band (oob)” Answer:   Chilkat does not use “oob”, so it’s not an issue. The loopback address, such as “http://localhost:port/”, remains valid if you define your app in the Google Developers Console as a “Desktop […]

SMTP / Office 365 / OAuth2 : SmtpCmdResp: 535 5.7.3 Authentication unsuccessful

Question: A customer wants to send emails with Office 365 and OAuth2 Authentication. The setup of the application in Azure is OK. It works for one user. For another user we have the following error: SmtpCmdResp: 535 5.7.3 Authentication unsuccessful [****.****] For authentication I use the example: What is surprising is that for the second user on same PC, […]

Chilkat 13-April-2022 – OAuth2 authentication for desktop apps.

  OAuth2 authentication for desktop apps. Many developers don’t realize that the Chilkat OAuth2 class is for desktop applications.  Doing OAuth2 in a web application (where your code runs on a web server) is relatively easy and does not require Chilkat (although Chilkat can be used to assist with some mundane tasks).  Working/live examples are provided on the Chilkat Tools […]

Xero Redirect URI for OAuth2 and Desktop Apps

This post is about Xero OAuth2 for desktop apps, but the same concepts generally apply to all other applications (REST API apps) using OAuth2. What many developers don’t initially realize (if new to OAuth2) is that an “App” needs to be defined in the developer portal for the service (i.e. Xero in this case).   For Xero, you would login to […]

GMail IMAP OAuth2 – A Walkthrough

This blog post covers from start to finish the process for getting a desktop application working with GMail using the IMAP protocol with OAuth2 authentication. Start here: (1) The first step is to create credentials.  Your app is a desktop application.  HOWEVER, you will be creating credentials as if your app is a web app. See this YouTube video […]

OAuth2 Request Access Token w/ Basic Authentication

Some OAuth2 token endpoints want the Client ID/Client Secret to be included using HTTP Basic Authentication. For example, we can look at the documentation for the GoToMeeting API at You’ll see this under the “2 – Request Access Token”  in the GoTo API documentation linked above: curl -X POST “” \ -H “Authorization: Basic {Base64 Encoded consumerKey and consumerSecret}” […]

O365 IMAP Authentication: OAuth and MFA Solution

There is much confusion and worry about Microsoft’s plans to disable standard password authentication for the IMAP, and POP3  protocols. Here is the announcement posted on 20-Sept-2019 on the Office 365 blog: Chilkat already supports OAuth2 for the IMAP, POP3, and SMTP protocols. (Microsoft will continue to support basic auth for SMTP)  In all three protocols, an application can […]

Getting OAuth2 Token in Desktop App vs. Web App

Question: I have done some Dataflex development for the UK ‘Making Tax Digital’ functions that require oAuth2 authorisation. I’ve used your example code for the Windows work but I now need to get this working for a Dataflex Web based version. That communication part will all take place from the Web server. Any pointers on how to get oAuth to […]

GMail “Allow Access for Less Secured Apps”

Question: I created a Gmail account and I am SendEmailAsync to send email via that Gmail account through a VB6 program. I had to turn on “allow access for less secured apps” for that Gmail account but otherwise, I am able to get everything working. However, after some weeks of inactivity, Google would automatically turn disable access for less secured […]