Currently it is forbidden to use app password for impersonation (see authentication.rs). This, when combined with OIDC directory, makes it significantly more difficult to automatically access users’ mail, for example for synchronization with other mail server. For such purposes, there could be either a setting or permission that allows impersonation with authentication by app password, not compromising security as it would be disabled by default, while providing an option for automated impersonation for situations that require it, like synchronizing mail.