How does "If This Then That" implement access to third party user accounts (so-called "Channels")?


In the widely known If This Then That app (IFTTT) you can create workflows such as:

If I get an email with an attachment, add that attachment to Evernote.

For this to work you can authorize so-called "channels" such as Gmail and Evernote. In practice this means that you need to enter your username and password for, for example, Gmail, after which the IFTTT app can freely scan the incoming email within.

I now wonder how this system works? Is there a specific API within iOS/Android to allow such interaction between apps with specific triggers upon receiving email, or does IFTTT store the usernames and passwords in cleartext and regularly poll the email boxes (which I cannot imagine)?

Could anybody shed some more light on the inner workings of this process? Any information or tips would be welcome (a description, names of API endpoints, code examples, FLOSS alternatives that implement this, anything else).


There is 1 answer

Matt Gibson (best answer)

It'll vary per provider, but many of them, including the Gmail flow, use OAuth for the authentication part. After authentication, they'll use whatever APIs are provided by each individual service.

The clue with Gmail is the way you're redirected to Google themselves for authentication, and the URL has "OAuth" in it. When I just tried it, the authentication URL was:

https://accounts.google.com/o/oauth1/auth?oauth_callback=http%3A%2F%2Fifttt.com%2Fchannels%2Fgoogle_callback&oauth_token=[REDACTED]&btmpl=mobile

What'll happen is that Google will authenticate your credentials, so they're never given to a third party like IFTTT. Instead, on successful authentication, Google will "call back" ifttt on the "oauth_callback" URL provided, and effectively give them a token that will allow access. At any point, you can go and revoke that token (somewhere in Gmail's preferences) to prevent IFTTT accessing your account, so control of your account is always in your and Google's hands, and IFTTT only get the access they're granted as long as the token lasts. (Here are Gmail's auth scopes). Your username and password are only ever authenticated with Google's servers, and never stored by the third party.

As with authentication, how IFTTT monitor and respond to events once that authentication has taken place is up to the specific service's API. In some cases they'll poll, where possible they'll probably register for event callbacks. According to this Quora answer from Linden Tibbets, one of IFTTT's creators, for Gmail they use OAuth for obtaining an IMAP login, then use that for polling.
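
A simplified model of the delegated-authorization exchange described in the answer above, added here as an illustration and not taken from the answer, IFTTT or Google. Request signing and client secrets are left out, and `Provider`, `run_flow`, the `mail.read` scope name and the `thirdparty.example` callback are all constructed for the example.

```python
import secrets

class Provider:
    """Toy account provider (constructed; not Google's real API)."""
    def __init__(self, users, callbacks):
        self._users = users          # username -> password; a real provider keeps a salted hash
        self._callbacks = callbacks  # client id -> registered callback URL
        self._pending, self._verifiers, self._grants = {}, {}, {}

    def request_token(self, client_id, callback):
        # Step 1: the third party asks for a temporary token and names its callback.
        if self._callbacks.get(client_id) != callback:
            raise PermissionError("callback not registered for this client")
        token = secrets.token_urlsafe(16)
        self._pending[token] = callback
        return token

    def authorize(self, request_token, username, password, scope):
        # Step 2: the user logs in at the provider; the password goes no further.
        callback = self._pending.pop(request_token)
        if not secrets.compare_digest(self._users.get(username, "").encode(), password.encode()):
            raise PermissionError("bad credentials")
        verifier = secrets.token_urlsafe(16)
        self._verifiers[verifier] = (username, scope)
        return f"{callback}?oauth_token={request_token}&oauth_verifier={verifier}"

    def access_token(self, verifier):
        # Step 3: the third party swaps the one-time verifier for an access token.
        token = secrets.token_urlsafe(24)
        self._grants[token] = self._verifiers.pop(verifier)
        return token

    def read_mail(self, token):
        user, scope = self._grants.get(token, (None, None))
        if scope != "mail.read":
            raise PermissionError("token revoked or lacks scope")
        return f"inbox of {user}"

    def revoke(self, username):
        self._grants = {t: g for t, g in self._grants.items() if g[0] != username}

def run_flow(password="constructed-password"):
    cb = "https://thirdparty.example/callback"
    provider = Provider({"alice": password}, {"thirdparty": cb})
    redirect = provider.authorize(provider.request_token("thirdparty", cb), "alice", password, "mail.read")
    stored = {"alice": provider.access_token(redirect.split("oauth_verifier=")[1])}  # all the third party keeps
    before = provider.read_mail(stored["alice"])
    provider.revoke("alice")  # the user withdraws consent in the provider's settings
    return stored, before, provider
```

`run_flow()` returns what the third party ends up storing (a token, not the password), the result of a read made before revocation, and the provider object so the same token can be retried after revocation.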