Closed Bug 1174505 Opened 5 years ago Closed 5 years ago

thunderbird OAuth2 POP access should not offer OAuth2

Categories

(Thunderbird :: Account Manager, defect)

38 Branch
defect
Not set
normal

Tracking

(thunderbird39 wontfix, thunderbird40 fixed, thunderbird41 fixed, thunderbird42 fixed, thunderbird_esr3839+ fixed)

RESOLVED FIXED
Thunderbird 42.0
Tracking Status
thunderbird39 --- wontfix
thunderbird40 --- fixed
thunderbird41 --- fixed
thunderbird42 --- fixed
thunderbird_esr38 39+ fixed

People

(Reporter: hlein, Assigned: mkmelin)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253

Steps to reproduce:

I tried to get mails fromn the gmail account, set to advanced security.


Actual results:

Google rejects Thunderbird's try to access the account (does not accept the password). This happens only, if the gmail/google account is set to advanced security, and maybe created some years ago.
Note: Another test with a new gmail account created today (also advanced security set) seemed to work ok.
The problem seems to occur only with POP3 access (the error message says a web login is required). IMAP access seems to work.
I don't think OAUTH is supported for GMail POP access.
Summary: thunderbird problem with gmail advanced security → OAUTH thunderbird POP access doesn't work if setting gmail advanced security
Component: Untriaged → Security
Component: Security → Account Manager
This bug report doesn't seem to fit with a comment I received from Kent James on the Thunderbird Blog - 38 Release page:

I asked about exactly the same scenario, i.e. POP access with OAuth2 selected and receiving a password error from the Gmail server with Google secure access enabled.

This is his response:

"OAuth2 access was added for SMTP and IMAP in Thunderbird 38, but not for POP3."

When I then asked if it would be added in the future, this was his response:

"There are no specific plans for this. Maybe you should file a bug requesting it."

I am a humble end user, but thought this may be useful to the debate.
I had not checked the status of POP3 access in GMail my blog comment was about what had been added in Thunderbird. Checking, I see at least one blog post that mentions only IMAP and SMTP for Gmail. Can anyone give a more solid reference that says that POP3 access in GMail does not support OAuth?
Summary: OAUTH thunderbird POP access doesn't work if setting gmail advanced security → thunderbird OAuth2 POP access doesn't work if setting gmail advanced security
Another test today showed that Google's behaviuor does not seem to be consistent.

a)
new Gmail account created today with advanced security set
Thunderbird:
POP, SSL/TLD, Authentication password, normal
SMTP with Oauth2
--> ok, mails may be retreived and sent

b)
Gmail account created about 2 or 3 years ago, now changed to advanced security
Thunderbird settings as above
--> Authentification fails when trying to fetch mails

acount b) works ok with IMAP and Oauth2
Just updated a v old (2007) laptop running XP to Thunderbird 38.0.1.

This is set up to access my Gmail through IMAP so I wasnt expecting a problem like that with POP, but as soon as I chnage to Oauth2 the server rejects the connection with or without Google advanced security being enabled.

The Windows 7 notebook I updated a few days ago, after selecting Oauth2 intiated a verification exchange in a browser window that then made everything work.

The desktop I use for POP access is also old and running XP.

Should the OS have any effect on whether Oauth2 will work ?  Does Oauth2 use something in the OS that isnt present in XP ?  I realise that now XP is unsupported I should have moved on but my old machines otherwise do everything I need and being so old, arent worth updating and probably wont run a later OS anyway.

As a reasonably savvy end user I'm finding this and the reality of getting Oauth2 to work very confusing so I imagine there are many more of us !
I'm still confused by this bug. OAuth2 is not expected to work with POP3 as AFAIK Google does not support that. Is anyone disputing that? If not, this is a Google issue, not a Thunderbird issue.

Or do I misunderstand the reports here?
(In reply to Kent James (:rkent) from comment #7)
> OAuth2 is not expected to work with POP3 as
> AFAIK Google does not support that. Is anyone disputing that?

From https://developers.google.com/gmail/oauth_overview

"For non-Gmail clients, Gmail supports the standard IMAP and SMTP protocols. The Gmail IMAP and SMTP servers have been extended to support authorization via the industry-standard OAuth 2.0 protocol."

Seem pretty clear to me, POP3 is not mentioned at all on that page.
Let's morph this bug as reporting that POP3 offers OAuth2 as an option in Advanced account configuration, when there are no valid users of POP3 OAuth2 supported in Thunderbird.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: thunderbird OAuth2 POP access doesn't work if setting gmail advanced security → thunderbird OAuth2 POP access should not offer OAuth2
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Attachment #8627905 - Flags: review?(rkent)
Comment on attachment 8627905 [details] [diff] [review]
bug1174505_oauth_pop.patch

Review of attachment 8627905 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM It's simple enough we should probably also land for esr38
Attachment #8627905 - Flags: review?(rkent)
Attachment #8627905 - Flags: review+
Attachment #8627905 - Flags: approval-comm-esr38?
Thx. I'll land this with a small modification. (Should also make sure it's visible again if imap)
https://hg.mozilla.org/comm-central/rev/59af84e68db1 -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 42.0
You need to log in before you can comment on or make changes to this bug.