> IMAP will not work with, say, Google's gmail or Microsoft office365
Except they do, to some degree. It works well enough that my Thunderbird allows me to fetch or move mails. Not sure about advanced features like search or server-side filtering, never tried them, but this seems to be a bit more wacky with other clients & services too.
> They have each implemented their own proprietary out-of-band authentication system that only works over HTTPS using the OAuth2.0 toolkit to build it.
True. Gmail at least had application passwords for a long while. I think they changed this only recently? Or are they still a thing?
Look in the Thunderbird source. The devs had to make a config of many hundreds of lines for each mega-corp. So, yeah, the mega-corps are covered by major workarounds in major email clients. But for normal email clients it's very hit and miss.
And while OAuth2 is open, it is a toolkit for making protocols, not a protocol. And each megacorp's implementation is different and handled differently.
OAuth works fine for major providers in Thunderbird... unless you're using hard tokens with PIN number requirements right now (the entry form doesn't display).