Closed Bug 1293958 Opened 8 years ago Closed 6 years ago

oAuth2.0 for Yahoo

Categories

(Thunderbird :: Account Manager, defect)

defect
Not set
normal

Tracking

(thunderbird_esr60 fixed, thunderbird62 wontfix, thunderbird63 fixed)

RESOLVED FIXED
Thunderbird 63.0

People

(Reporter: unicorn.consulting, Assigned: nvikram.iphone)

References

(Blocks 1 open bug, )

Details

Attachments

(3 files, 2 obsolete files)

It would appear Yahoo have joined in with the less secure app thing started by Google and are now requiring that users enable it for a normal password authentication. Further research indicates that the preferred authentication is oAuth. But true references at Yahoo are dismally wanting. But they do offer https://developer.yahoo.com/oauth/guide/ in their authentication section so it may be OPENID is also preferred. Given the stated intent to cease using non-preferred authentication I feel we have no choice but to implement this protocol for Yahoo.
Thanks for pointing this out.
Microsoft are also pushing Rest with underlying oAuth2.0 for interaction with outlook.com and office365.com. When I was filing this bug I was not sure if I should file two, or make this a more general oAuth2.0 let's get secrets bug.
Do you think we need this in time for string freeze of version 52?
Flags: needinfo?(unicorn.consulting)
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #3)
> Do you think we need this in time for string freeze of version 52?
I think it is something that will bite us without warning one day. Yahoo have done all the warning they will do. So yes I see it as somewhat higher than normal priority. But as for a string freeze issue, looking at bug 849540 I do not see any strings, but perhaps Kent could comment on that particular point. It looks like he did the patch.
Flags: needinfo?(unicorn.consulting)
Depends on: 849540
We added oauth for mail.ru (actually they did all of the work) in bug 1231642. No strings, just a few lines of code. If Yahoo and Outlook Just Work then it would be that simple. But Mail.ru seemed to be motivated and tested themselves, I doubt if Yahoo and Outlook will Just Work.
We really should include this for Thunderbird 52.0. The backport to 45 is probably going to be fairly easy as well, so we could take it on comm-esr45 if Yahoo keeps being so noisy.
This, or the "less secure apps" setting is certainly starting to pop up in the support forum more and more often.
I investigated doing this, but it does not seem possible to get an app key for yahoo mail. Although the oauth documentation shows an example with mail access (https://developer.yahoo.com/oauth2/guide/openid_connect/getting_started.html#getting-started-setup=) the current version of the page where you get an app key no longer offers an option for email. See https://developer.yahoo.com/apps/create/
Various people have asked about this, and there are no answers. I'm going to untrack this for tb45 and tb52 since the path forward is not clear.
I've added a similar bug (1310384) for AOL mail accounts. I can provide the necessary client credentials and config (per that bug) to enable AOL mail accounts.
Blocks: 1310389
Blocks: 1310456
What we need for this bug is some sort of contact on the email team at Yahoo that will get an OAuth account setup for Thunderbird there. If anyone knows of a path to that contact, please mention it.
And those pages in Yahoo support consist of complaints by other developers that there is no way to create OAuth2 tokens for email currently in Yahoo, and those complaints are not answered.
Did you try with Facebook? (I have not so I can't try) https://www.facebook.com/yahoodevelopernetwork
(In reply to Kent James (:rkent) from comment #15)
> And those pages in Yahoo support consist of complaints by other developers that there is no way to create OAuth2 tokens for email currently in Yahoo, and those are complaints are not answered.
yeah. :( like https://forums.developer.yahoo.net/discussion/9175/yahoo-login-app-not-returning-e-mail-address-in-callback#latest and https://forums.developer.yahoo.net/discussion/8044/when-will-oauth-2-0-will-be-implemented-for-accessing-yahoo-mail#latest
there are a few tips on stackoverflow and other places, but sparse. https://stackoverflow.com/questions/36058534/how-can-yahoo-mail-be-accessed-by-imap-using-oauth-or-oauth2-authentication
(In reply to nk0885@yahoo.fr from comment #16)
> Did you try with Facebook ? (I have not so I can't try)
> https://www.facebook.com/yahoodevelopernetwork
No I have not. Seems like an unlikely place though. I think that we can assume for now that the removal of this was deliberate, perhaps as part of mitigation of larger issues at Yahoo. If someone can figure this out, I would be willing to try to move forward the Thunderbird part of this. But I would rather spend my time with cooperative providers, like I did for mail.ru
This is perhaps a solution to find contacts with Yahoo developers: I know that CNET has all the information about Yahoo and Yahoo Mail developers. For instance they have the knowledge of all problems and the future expected solutions. Explaining what you intend to CNET, they probably will give you the link. See: https://www.cnet.com/contact/ You will find email addresses and phone numbers there (in the USA).
@nk0885: Feel free to contact them if you think they have "knowledge of all problems" (for unknown reasons).
Someone posted this today, asking how to set up OAuth in Thunderbird. https://support.mozilla.org/t5/Thunderbird/Yahoo-requiring-OAuth/td-p/1365704
Hi,
We noticed that you are accessing your Frontier Mail using a lower security sign-in that is sometimes used in third-party mail applications such as Outlook, IncrediMail, MacMail, Mozilla Thunderbird and others. This can leave your Frontier Mail account vulnerable.
Frontier email uses the Yahoo email platform. Yahoo is in the process of moving users using less secure apps to a newer, more secure email access technology. This security technology, known as OAuth, helps prevent unauthorized access to your username and password. With OAuth, your log in credentials are encrypted and better protected from hackers.
In connection with this transition, we will be rolling out a change beginning April 1, 2017 through April 30, 2017. You will be impacted at any time during this time period, so we encourage you to take steps outlined here no later than April 1, 2017.
Access your mail via frontier.yahoo.com or with a mail client that supports OAuth
Upgrade your current mail client to a version that supports OAuth
Visit https://security.frontier.com/ and create an app-specific password
For more information, a list of clients that support OAuth and step-by-step instructions, please see our help page: https://frontier.com/helpcenter/categories/internet/email/email-security-upgrade
Thank you for being a Frontier Mail user.
No one is working on this, so no way to predict when it will happen. Certainly not 52.0. As I read https://frontier.com/helpcenter/categories/internet/email/email-security-upgrade, users will still be able to generate/use an application specific password, as an alternative to oauth.
Why not ask Mr Bob Lord directly? I read this: https://investor.yahoo.net/releasedetail.cfm?releaseid=938297 You should now be able to communicate with Bob Lord through the address of Suzane Philion in order to have the information on the new security policy of Yahoo. Another way to reach this man: https://twitter.com/boblord
They continue to send warnings (I'm a Thunderbird user in POP3 mode). Received today at 15:40:
From: Yahoo@communications.yahoo.com
Subject: REMINDER: Secure your Yahoo account
Reply to: replies@communications.yahoo.com
Body of the mail:
Norbert,
We remind you that you must take the necessary steps to improve the security of your Yahoo Mail account. You recently accessed your account from a mail application that does not belong to Yahoo and that may be using a less secure sign-in. This action may have made your Yahoo account more vulnerable.
We strongly recommend that you improve the security of your account by following the steps below.
1. On a mobile device, upgrade to the Yahoo Mail app for Android or iOS: https://overview.mail.yahoo.com/app
2. On a computer, use Yahoo Mail via: https://mail.yahoo.com
3. Turn off access for apps that use a less secure sign-in method by following the link below: https://login.yahoo.com/account/security#other-apps
To learn about the other options for accessing Yahoo Mail, see our help page: https://help.yahoo.com/kb/index?page=content&y=PROD_ACCT&locale=fr_FR&id=SLN27791&actp=productlink
If you have already taken the necessary steps, you can ignore this email.
Thank you for your loyalty to Yahoo Mail.
Regards,
Yahoo
Someone pointed out that Frontier (using Yahoo), says that the option to use an App Password "is subject to expire in 2018". Screen capture attached. Source: https://frontier.com/helpcenter/categories/internet/email/email-security-upgrade/email-programs/generate-application-specific-password
Verizon has been shifting its users from its own proprietary email platform over to AOL Mail, and it'll be lights-out for the old email system next month. I wonder if they'll do the same for existing Yahoo Mail users. In that case, wouldn't this bug be largely moot?
(In reply to Victor Escobar from comment #30)
> Verizon has been shifting its users from its own proprietary email platform over to AOL Mail, and it'll be lights-out for the old email system next month. I wonder if they'll do the same for existing Yahoo Mail users. In that case, wouldn't this bug be largely moot.
Very likely. However, AOL is only available in English (at least it is not in Spanish, which is my own language) while Yahoo Mail is available in more languages, including Spanish. What I believe will happen is that they will move International staff of Yahoo into a new International team in AOL so they could work on a new Internationalized version of AOL Mail and after that finally shut down Yahoo's service. There have not been too many changes in the Yahoo Mail web service although they are clearly doing the most they can to force users to access via web instead of SMTP/IMAP. I also believe not many efforts should be put into this bug as nobody knows what will happen in the next months.
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #29)
> https://developer.yahoo.com/support/oauth/ and
> https://stackoverflow.com/questions/36058534/how-can-yahoo-mail-be-accessed-by-imap-using-oauth-or-oauth2-authentication
> now seem to be the key locations. Some of the other links no longer work
Yahoo has been removing most of their documentation sites after launching their Yahoo Mobile Developer Suite. That happened before the Verizon acquisition after buying Flurry. Yahoo is also stopping maintaining dedicated teams for other projects, like Pure. I think that is what will also happen to the Yahoo Mail service.
I am trying to get OAuth setup for Thunderbird. I was told that we need to whitelist your official yahoo account for providing mail access. Is there an official Yahoo account for Thunderbird or Mozilla Foundation? Let me know or I can get an account setup to get the appid created.
The linked page provides an internal yahoo email that might help getting their attention. https://developer.yahoo.com/mail/
(In reply to Javi Rueda from comment #31)
> ...
> I also believe not many efforts should be put into this bug as nobody knows what will happen in the next months.
Do you think instead that efforts should be put into Bug 1310384 - Add OAuth2 support for AOL mail accounts?
Flags: needinfo?(foss)
I can be wrong, but putting more efforts into the oAuth2 protocol with AOL could be better than doing the same with Yahoo's. Again, nobody knows what will happen with mail services in the new Verizon conglomerate. I would prefer they keep Yahoo's one. I don't mind what they would do with AOL. But Yahoo Mail service leaks are not good for whatever Verizon decides to do. So, yes. I would put more efforts into bug 1310384, instead. I have a working AOL email address, from the time I had the one from netscape.net. They sadly removed the netscape.net domain and replaced it with the aol.com. I am going to CC me there if there is something I could help with.
Flags: needinfo?(foss)
My suggestion would be not to implement for AOL. AOL & Yahoo Mail are part of same company now. I am working on getting an oAuth token for Yahoo!. I just need to figure out how to provide a pull request for the changes.
(In reply to Javi Rueda from comment #35)
> I can be wrong, but putting more efforts into the oAuth2 protocol with AOL could be better than doing the same with Yahoo's.
>
> Again, nobody knows what will happen with mail services in the new Verizon conglomerate. I would prefer they keep Yahoo's one. I don't mind what they would do with AOL. But Yahoo Mail service leaks are not good for whatever Verizon decides to do.
>
> So, yes. I would put more efforts into bug 1310384, instead. I have a working AOL email address, from the time I had the one from netscape.net. They sadly removed the netscape.net domain and replaced it with the aol.com. I am going to CC me there if there is something I could help with.
I created an official Thunderbird Yahoo account with the name thunderbird-accounts@mozilla.org (which is the email we use for this purpose), and sent an email to imap-service@yahoo-inc.com asking that this account be whitelisted. Their OAuth2 documentation though is pathetic. I'm not sure even with the client name and secret if I will be able to make this work.
Here is the documentation for oAuth 2.0: https://developer.yahoo.com/oauth2/guide/
Client ID (Consumer Key): dj0yJmk9NUtCTWFMNVpTaVJmJmQ9WVdrOVJ6UjVTa2xJTXpRbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD0yYw--
Client Secret (Consumer Secret): f2de6a30ae123cdbc258c15e0812799010d589cc
I am still having difficulty understanding the mozilla/thunderbird source code to provide a patch.
Attached patch thunderbirdOAuth.diff (obsolete) — Splinter Review
I am trying to test this locally. Meanwhile, please take a look and let me know if the diff looks good.
Attachment #8898070 - Flags: feedback?
I reached out to Yahoo! Mail using the imap-service@yahoo-inc.com address and received a response 08-23-2017 from one Manjunatha Bellur Mruthyunjaya saying that they are working with Thunderbird for this integration. Hopefully we'll eventually stop getting sniffy messages from Yahoo! about using the less secure connection. BTW, not sure how this thread managed to get assigned to this email identity, which I use for occasional market research purposes and usually has a dismissive 'out of office' response when not in use. I don't want to reveal my personal email address here, is there any way I can change the routing for this thread without doing so?
I have already reached out to Manjunath and got the consumer key & secret for requesting and creating oauth keys. The patch is also attached to bug ticket. So far I haven't seen any reviews or comments about the changes. Is there something missing that allows this to go through a faster review process? How do I figure out who is the owner that will review and merge my patch?
(In reply to nvikram.iphone from comment #41)
> I have already reached out to Manjunath and got the consumer key & secret for requesting and creating oauth keys. The patch is also attached to bug ticket. So far I haven't seen any reviews or comments about the changes. Is there something missing that allows this to go through a faster review process?
>
> How do I figure out who is the owner that will review and merge my patch?
I am probably the person that will move this forward officially, though Magnus, jcranmer, or Jörg could also do it.
At this point, my concern is getting a consumer key and secret that is tied to an official Thunderbird account, and not to a personal account. This has been a big issue in the past, where we had to trace down who owned a particular relationship, and almost lost control of a key issue.
So, two questions.
1) Does your patch work for you? Your last response was "I am trying to test this locally".
2) The client key and secret need to be communicated via our official email address for this sort of thing, thunderbird-accounts@mozilla.org. I also need to understand what account the key is attached to. If it is attached to a Yahoo account, it needs to be attached to the official account that I create for this purpose, and not to your personal account. So I need to be able to login to that account to see the keys, and not rely on communication of those keys through a third party.
I appreciate you working on this, and sorry that it is confusing. It seems though like Yahoo feels like they are working through you officially at this point. If so, then you need to transfer that relationship to an official channel.
(In reply to Kent James (:rkent) from comment #42)
> (In reply to nvikram.iphone from comment #41)
> > I have already reached out to Manjunath and got the consumer key & secret for requesting and creating oauth keys. The patch is also attached to bug ticket. So far I haven't seen any reviews or comments about the changes. Is there something missing that allows this to go through a faster review process?
> >
> > How do I figure out who is the owner that will review and merge my patch?
>
> I am probably the person that will move this forward officially, though Magnus, jcranmer, or Jörg could also do it.
>
> At this point, my concern is getting a consumer key and secret that is tied to an official Thunderbird account, and not to a personal account. This has been a big issue in the past, where we had to trace down who owned a particular relationship, and almost lost control of a key issue.
>
> So, two questions.
>
> 1) Does your patch work for you? Your last response was "I am trying to test this locally".
Answer: Yes, I am working on setting up local autoconfig server but a basic setup with just yahoodns.net did not work. It feels like the autoconfig server also gives the content-type for Thunderbird to consume xml from files named without xml extension. I need time to test this part. It might take me another couple of days as this has to be on my free time.
> 2) The client key and secret need to be communicated via our official email address for this sort of thing, thunderbird-accounts@mozilla.org I also need to understand what account the key is attached to. If it is attached to a Yahoo account, it needs to be attached to the official account that I create for this purpose, and not to your personal account. So I need to be able to login to that account to see the keys, and not rely on communication of those keys through a third party.
Answer: I have created the keys on a Yahoo! Mail account that is used for getting keys from Yahoo! identity/membership team. Technically, the account should exist until we stop calling Yahoo! identity servers. I understand the concerns about not owning the keys and agree with you that it is better if associated with Mozilla organization. For you to get keys associated with your own accounts, you need to create a yahoo account that ends with "yahoo.com". You can associate it with your official thunderbird account. Once you give me the account info, I can get "Mail" permissions added to that account.
> I appreciate you working on this, and sorry that it is confusing. It seems though like Yahoo feels like they are working through you officially at this point. If so, then you need to transfer that relationship to an official channel.
I am working unofficially. We would like to get oAuth set up to reduce password usage. For now, you can communicate with Manjunatha/imap-service@yahoo-inc.com. You can cc me on my non-official email.
Can you let me know once you have a yahoo account for creating keys for thunderbird? Update on my side: I have tested with a local oAuth config and that doesn't seem to work. I will have to test by setting up a local nginx for downloading autoconfig xml.
What's the status here? Toni from bug 1059988 reports that Yahoo accounts can no longer be set up with Thunderbird 52+. Is it this bug?
(In reply to Thomas D. (currently busy elsewhere) from comment #45)
> What's the status here?
>
> Toni from bug 1059988 reports that Yahoo accounts can no longer be set up with Thunderbird 52+. Is it this bug?
Most folk that complain about that have not allowed less secure apps in their Yahoo account settings on Yahoo. Yet others have anti virus that prevents the new account wizard running correctly (Norton). But a real live bug? I doubt it.
Sorry, this dropped out of my tasks for a while. I have messaged on the thunderbird-accounts@ account. Please send an email or call once you look at my email.
(In reply to nvikram.iphone from comment #47)
> Sorry, this dropped out of my tasks for a while. I have messaged on the thunderbird-accounts@ account. Please send an email or call once you look at my email.
I can't understand what you are talking about. Who should contact you? Thanks
Please contact me. My official email address is nvikram@oath.com and my contact number is on the email sent to thunderbird-accounts@mozilla.org.
You can give me your contact numbers or email addresses and I can email or call as well.
I'd just like to add that both AOL and Yahoo are handled by the same infrastructure (both brands owned by Oath). So enabling OAuth2 support for Yahoo and AOL should be the same work. Please support both via OAuth2. You can reach out to me ( gffletch at aol dot com ) as well.
Hi George, Plan is to add OAuth2 support for Yahoo! and Aol with this change.
Attached patch thunderbirdOAuth.diff (obsolete) — Splinter Review
Working Yahoo! OAuth flow. Attaching the ISPDB configuration file separately.
Attachment #8898070 - Attachment is obsolete: true
Attachment #8898070 - Flags: feedback?
Attachment #8989271 - Flags: review?(mkmelin+mozilla)
Attachment #8989271 - Flags: feedback+
Attached file yahoo.com.xml
Auto configuration file to enable OAuth for Yahoo!.
Attachment #8989272 - Flags: review?(mkmelin+mozilla)
Assignee: nobody → nvikram.iphone
Status: NEW → ASSIGNED
Comment on attachment 8989272
yahoo.com.xml
For this config entry, please file it under Webtools | ISPDB database entries. You probably just want a diff from the current yahoo entry. Flag :asuth to review it and Cc me.
Attachment #8989272 - Flags: review?(mkmelin+mozilla)
I have created a ticket for the config entry: https://bugzilla.mozilla.org/show_bug.cgi?id=1474694. I am not sure how to add :asuth flag.
Comment on attachment 8989271 [details] [diff] [review] thunderbirdOAuth.diff Review of attachment 8989271 [details] [diff] [review]: ----------------------------------------------------------------- ::: mailnews/base/util/OAuth2Providers.jsm @@ +47,5 @@ > + 'dj0yJmk9NUtCTWFMNVpTaVJmJmQ9WVdrOVJ6UjVTa2xJTXpRbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD0yYw--', > + 'f2de6a30ae123cdbc258c15e0812799010d589cc', > + 'https://api.login.yahoo.com/oauth2/request_auth', > + 'https://api.login.yahoo.com/oauth2/get_token', > + 'http://localhost/callback' So why does yahoo need http://localhost/callback instead of http://localhost?
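Review bot: The second added string in this OAuth2Providers.jsm hunk is the consumer secret, committed in clear text right after the consumer key, so anyone with the source or a build can read it and it cannot prove the client's identity to the provider. Suggest a comment above these lines stating that the pair identifies a public client and naming the account that owns the registration, so that ownership of the key pair can be traced later without relying on a personal account.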
Blocks: 1474694
As of now, our identity team whitelisted "http://localhost/callback". I have to go back and check if they will allow whitelisting "http://localhost". I agree that because of this there are more code changes. I can go back and check with the identity team to see if they are willing to change if it is a blocker.
Our identity team has accepted whitelisting "http://localhost". I will update the diff once that is deployed in production.
This covers OAuth for Yahoo! and AOL.
Attachment #8989271 - Attachment is obsolete: true
Attachment #8989271 - Flags: review?(mkmelin+mozilla)
Attachment #8993037 - Flags: review?(mkmelin+mozilla)
Comment on attachment 8993037
Thunderbird OAuth for Yahoo! and AOL
Review of attachment 8993037:
-----------------------------------------------------------------
Seems to work. Great! r=mkmelin
Attachment #8993037 - Flags: review?(mkmelin+mozilla) → review+
Comment on attachment 8993037
Thunderbird OAuth for Yahoo! and AOL
You want this for TB 60 ESR? I think so.
Attachment #8993037 - Flags: approval-comm-esr60+
Attachment #8993037 - Flags: approval-comm-beta+
Yes please
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/bbc34a95dc62
Add OAuth2.0 for Yahoo and AOL. r=mkmelin
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 63.0
Thanks for the merge. Can you also resolve https://bugzilla.mozilla.org/show_bug.cgi?id=1310384 for AOL OAuth2?
Attachment #8993037 - Flags: approval-comm-beta+
See Also: → 1678722
See Also: → 1697117