OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

OAuth.net

Stop Clinging to SMTP – Embrace the Robustness of OAuth 2.0

Buckle up, Claris FileMaker fans—change is in the air, and it smells like better security! If you’re still clinging to the SMTP-based authentication of yesteryears for your FileMaker email workflows, let’s talk about why it’s high time for an upgrade. Enter OAuth 2.0, the robust authentication protocol that’s making waves in 2023. Gone are the days when sending an email from FileMaker involved exposing sensitive information. From the ease of implementing domain-wide service accounts to the granular control offered by API-based email sending, we’re here to guide you through the ins and outs of OAuth 2.0—and why it’s the missing piece to your FileMaker puzzle.

FileMaker’s Authentication Evolution

Over the years, FileMaker’s approach to email authentication has evolved significantly, transitioning from the simpler but less secure SMTP with Basic Authentication to incorporating the more robust OAuth 2.0 protocol in its 2023 release. This evolution not only enhances security but also extends compatibility with major service providers like Google and Microsoft. Below, we explore the intricacies of these changes.

• Earlier Versions of FileMaker: Primarily, these versions rely on SMTP using Basic Authentication for mail sending functionality. It is a simple method wherein the application sends a username and password with each request to verify identity. The request is often transmitted in an easily-decodable Base64 encoding.

• FileMaker 2023: The latest version of Claris FileMaker, released in 2023, has added support for OAuth 2.0 in its Send mail script step. OAuth 2.0 is an industry-standard protocol that allows third-party apps to access user information without exposing the user’s password. In essence, it provides token-based authentication, allowing for a more secure and flexible method to authenticate and authorize applications.

• OAuth 2.0 for Google and Microsoft: To utilize this type of authentication with Google services via FileMaker, a domain-wide service account is required. A service account is a special type of Google account that belongs to an application, rather than an individual end-user. It allows the application to interact with Google APIs on behalf of users. A similar option is required for Microsoft Graph and FileMaker’s Send Mail script step.

We Recommend Updating Your Email Process to Use OAuth 2.0

OAuth 2.0 offers numerous advantages over traditional SMTP with Basic Authentication, especially in terms of security and flexibility. Here are the primary reasons why Portage Bay recommends an upgrade to OAuth 2.0 for sending email:

Enhanced Security

Basic Authentication involves sending a username and password with each request, which exposes credentials to potential interception. With OAuth 2.0, user credentials are not shared with the application. Instead, tokens are provided, which represent the granted permissions. These tokens can be revoked at any time without changing the user’s password. In the event a token is compromised, access can be terminated quickly.

Limited Scope and Granularity

OAuth 2.0 allows you to define specific scopes, so you can limit an application’s access to only the required features. For instance, if your application only sends, but does not read emails access can be restricted accordingly.

Improved User Experience

With OAuth 2.0, users are directed to the familiar login page of their email provider (such as Google or Microsoft), ensuring trust with the input of their credentials. This interface contrasts with Basic Authentication where users would typically provide their email and password directly to the third-party application.

OAuth provides a seamless experience for users. If a user is already logged into the email service, there is no need to re-enter their credentials.

Expiration and Refresh

OAuth 2.0 tokens come with expiration times. While this might seem inconvenient, it is a proven security feature. Even if someone manages to steal a token, it can only be used for a limited time. Moreover, using refresh tokens allows applications to obtain new access tokens without requiring the user to log in again.

Deprecation of Basic Authentication

Many major service providers are phasing out or have already stopped support for basic authentication due to its security vulnerabilities. For instance, Microsoft has already ended basic authentication for Exchange Online. By migrating to OAuth 2.0, we can ensure future compatibility and a reduction in the need for sudden changes later on.

Reduced Risk of Account Lockouts

Repeated failed login attempts with basic authentication (due to incorrect passwords, for instance) can result in account lockouts. With OAuth 2.0, this risk is mitigated as users authenticate directly with the email provider and not through the third-party application.

Multi-Factor Authentication (MFA) Compatibility

Many organizations are adopting MFA to enhance security. OAuth 2.0 is designed to work smoothly with MFA, ensuring that even if the application does not support MFA, users can still benefit from the added security layer provided by the email service.

Audit and Compliance

OAuth 2.0 provides better mechanisms for logging and monitoring access. Organizations can have a clearer picture of which applications have access to what data, which in turn enhances audit trails and compliance efforts.

In summary, transitioning from SMTP with basic authentication to OAuth 2.0 for sending emails aligns with modern security practices, ensures better protection for both users and applications, and offers more control and flexibility over data access.

What OAuth 2.0 Process Should I Use for Sending Email from FileMaker?

There are two main approaches for sending email from FileMaker using OAuth 2.0. The first is to use the built-in Send Mail script step and the second is using the API of the email service you use.

(1) Send Mail Script Step, Using a Service Account with OAuth 2.0

With the latest update in Claris FileMaker 2023, the Send mail script step has been enhanced, allowing us to use OAuth 2.0 directly in the script step. Is it the best choice for your needs though? It is crucial to understand how this script step operates before making a decision. To utilize this function, organizations must establish a service account within their Google Workspace or its equivalent in Microsoft. This approach is not without its challenges, however.

Risks of a Domain-Wide Service Account in Google

• Overly-Broad Access: Service accounts that are domain-wide have the potential to access any user’s data within that domain. If the account credentials are compromised, the attacker could have extensive access.

• Audit Challenges: Activity by a service account may not be associated with a specific user, making it challenging to determine who did what in the event of complications or breaches.

• Maintenance Issues: Over time, as applications and services change, it can be difficult to determine why a service account was given certain permissions. This disconnect can lead to potential security risks if permissions are not regularly reviewed and updated.

Benefits of This Approach

• Ease of Implementation: For some developers, using a service account might be quicker and easier to set up initially; bear in mind however, the potential security risks and long-term considerations can outweigh the initial convenience.

(2) API-Based Email Sending

Alternatively, we have the option of leveraging Google’s API, Microsoft’s Graph API, Mail Chimp, Amazon SES, Mailgun, or other third-party applications for email dispatch. With these APIs, you can choose the service account method or opt to authenticate individual user accounts for API access. By doing so, you grant not only email sending capabilities but also open up a plethora of functionalities that the API offers.

Risks

• Dependency on External Services: Using APIs means you are relying on an external service’s uptime and reliability. If the API experiences downtime or changes, it can affect your email sending capabilities.

• Complexity and Learning Curve: APIs can have a steep learning curve, requiring a certain level of expertise to set up and manage properly. Mistakes in implementation can lead to security vulnerabilities.

• Token Management: While using OAuth tokens increases security, improper storage or transmission of these tokens can lead to potential security risks. 

• Rate Limiting: Many APIs have restrictions on the number of requests that can be made within a given timeframe, such as 1,000 calls per hour. Exceeding these limits can disrupt not only email services but also other functionalities that rely on the API.

• Compliance and Data Privacy: APIs may store or process data differently, potentially affecting compliance with data protection laws like GDPR. 

• Cost: Some API services are not free, especially at higher usage levels. These fees could add an additional layer of ongoing cost to your email sending operations.

Benefits

• Flexibility: Using an API provides more granular control over the sending process and the data being transmitted.

• Security: Sending emails using an API may not require domain-wide permissions. You can utilize user-specific OAuth tokens or other mechanisms to provide narrower scopes of access, which will reduce potential risks.

• Maintenance: APIs may require more upkeep in terms of ensuring compatibility with newer versions and handling potential changes in endpoint specifications.

Weigh the Pros and Cons of Each OAuth 2.0 Approach

While FileMaker 2023’s addition of OAuth 2.0 support provides a more secure authentication method than its predecessors, the use of domain-wide service accounts with Google and Microsoft can bring its own set of challenges and risks. Organizations need to weigh the pros and cons of using a service account versus an API-based approach, keeping in mind both security considerations and operational efficiency.

For additional information, take some time to review these articles:

• How To Ensure Safe Automated Emailing In FileMaker With OAuth 2.0
• Exchange Online deprecating Basics
• Deprecation of Basic Authentication

We’ve also previously written about overall security audits and how they can pinpoint areas of improvement in your database and workflow approaches.

Portage Bay is Adept at Email Integrations

We have helped many of our clients incorporate well-functioning email workflows into their solutions. This article addresses certain types of internal Claris FileMaker integrations, but there are a variety of third-party options that may be a great fit, such as XodoSign, MailChimp, Constant Contact and Workato. Schedule some time with our team so we can understand your needs and create a customized plan to get you there.

About the Author

Xandon Frogget is a Senior Application Developer at Portage Bay and brings sixteen years of corporate experience to the table. He excels in designing FileMaker solutions and loves helping businesses thrive in the digital landscape.