implement OAuth 2.0 authentication for POP accounts
Categories: MailNews Core :: Networking: POP, enhancement, P2
Tracking: thunderbird_esr68 fixed, thunderbird73 fixed
People: Reporter: unicorn.consulting, Assigned: mkmelin
References: Blocks 1 open bug
Attachments: 1 file, 1 obsolete file
patch, 33.93 KB (benc: review+; mkmelin: approval-comm-beta+; mkmelin: approval-comm-esr68+)
https://developers.google.com/gmail/imap/imap-smtp
The information at the link states POP is included in the oAuth2.0 authentication process at Google. Given the aggressive approach Google is taking to eliminating accounts with less secure apps enabled, I think we should update the ISPDB to use oAuth for POP as well as IMAP and SMTP.
Comment 1 • 5 years ago
+1, see also bug1565708
Comment 2 • 5 years ago
Tested with local config file and unfortunately there's no support in Thunderbird for Oauth2 when using POP3.
See comments in bug1174505
(In reply to Petr Hroudný from comment #2)
> Tested with local config file and unfortunately there's no support in Thunderbird for Oauth2 when using POP3.
> See comments in bug1174505
POP oAuth certainly did not work for Gmail but as there is new information it is time to revisit the setup. At least in my opinion. I do not like oAuth, but at least it does not keep getting disabled by Google in their so called security checks designed to fence the ignorant in.
Comment 4 • 5 years ago
My above comment meant it's not enough to just change ISPDB.
You need to open enhancement request against Thunderbird's POP3 code, since the support for OAuth is not yet there.
AFAIK, it was implemented only for IMAP and SMTP.
(Yes, there are entries in ISPDB listing Oauth for POP3 [aol, yahoo,..], but since the code is not yet there, they are ignored).
Comment 5 • 5 years ago
I didn't check, but from the comments, I presume that OAuth2 is not implemented for POP3 yet, in Thunderbird. It shouldn't be terribly hard to add, because it should mirror the IMAP implementation, but the code needs to be there first, and POP3 is a completely different implementation, which also works differently internally (IMAP: threads, POP3: state machine).
Only once you can manually configure Google servers with POP3 and OAuth2, and it's tested and proven to work in reality, then you can file a bug to enable it in the ISPDB. (Even then, we would need to keep the password-based config, for older Thunderbirds, whereas "older" is any current TB including TB 70.)
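The POP3 login that comment 5 describes as a state machine, sketched here for the SASL XOAUTH2 mechanism Google uses for Gmail. This is an added example, not Thunderbird's code and not part of any comment in this bug; the class and state names, the account and the token are constructed, and a real client would first obtain the access token from its OAuth2 module.

```javascript
// Added example, not Thunderbird code. Names, token and server lines are constructed.

// SASL XOAUTH2 response: base64("user=" USER ^A "auth=Bearer " TOKEN ^A ^A)
function xoauth2Response(user, accessToken) {
  for (const v of [user, accessToken]) {
    // A control character could add SASL fields or split the POP3 command line.
    if (/[\x00-\x1f\x7f]/.test(v)) throw new Error("control character in credential");
  }
  const raw = `user=${user}\x01auth=Bearer ${accessToken}\x01\x01`;
  return Buffer.from(raw, "utf8").toString("base64");
}

class Pop3OAuth2 {
  constructor(user, accessToken) {
    // log is the protocol trace; the bearer token is never written to it.
    Object.assign(this, { user, accessToken, state: "GREETING", log: [] });
  }

  // Feed one server line; returns the client line to send, or null when done.
  next(serverLine) {
    const isContinue = /^\+( |$)/.test(serverLine); // "+ <challenge>", never "+OK"
    const isOk = serverLine.startsWith("+OK");
    switch (this.state) {
      case "GREETING":
        return isOk ? this.send("AUTH XOAUTH2", "WAIT_CONTINUE") : this.finish("FAILED");
      case "WAIT_CONTINUE":
        if (!isContinue) return this.finish("FAILED");
        return this.send(xoauth2Response(this.user, this.accessToken), "WAIT_RESULT", true);
      case "WAIT_RESULT":
        if (isOk) return this.finish("AUTHENTICATED");
        // A further "+" challenge carries error details: cancel with "*" (RFC 5034).
        return isContinue ? this.send("*", "WAIT_CANCELLED") : this.finish("FAILED");
      case "WAIT_CANCELLED":
        return this.finish("FAILED"); // the server answers the cancel with -ERR
      default:
        throw new Error(`no server input expected in state ${this.state}`);
    }
  }

  send(line, nextState, secret = false) {
    this.state = nextState;
    this.log.push(secret ? "C: <XOAUTH2 response hidden>" : `C: ${line}`);
    return line;
  }

  finish(state) {
    this.state = state;
    return null;
  }
}
```

A failed exchange ends in `FAILED` rather than retrying with another mechanism, so an expired token is never followed by a password login the user did not choose.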
Lack of possibility to link Thunderbird + Gmail + POP3 + OAUTH is limiting security of accounts using POP on Gmail.
Can this bug get on some priority list, as Ben B appears to think it is fairly trivial? This functionality is now becoming fundamental to the program actually working for some folks.
Comment 8 • 5 years ago (Assignee)
It probably isn't super hard to do yes. Some pointers:
https://searchfox.org/comm-central/source/mailnews/base/util/OAuth2Providers.jsm
https://searchfox.org/comm-central/search?q=MSGIOAUTH2MODULE_CONTRACTID&path=
Why is it becoming more important?
It's important if you use POP in gmail and want to use 2auth.
It's impossible to use 2auth with POP if there is no OAUTH possible.
So it's an important security feature. Please implement it, if somebody has the technical knowledge and it is not super hard to do.
Comment 10 • 4 years ago
Is anybody working on that feature?
I mean does anybody know how to do "open enhancement request against Thunderbird's POP3 code"?
Comment 11 • 4 years ago (Assignee)
That would be this bug.
Nobody is actively working on it atm. If you want, you're free to take it on.
Comment 12 • 4 years ago
(In reply to Magnus Melin [:mkmelin] from comment #11)
> That would be this bug.
> Nobody is actively working on it atm. If you want, you're free to take it on.
Sorry for spamming then. Unfortunately I don't possess the necessary skill.
Comment 13 • 4 years ago
Google has [announced](https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html) that they will be turning off simple authentication for some users in 2020, in favor of enforced OAuth authentication.
For Gmail users who use POP and don't want to change to IMAP, it has become crucial for Thunderbird to implement OAuth for Gmail over POP. Time is running out. Once Google starts to enforce OAuth later in 2020, POP users will have to find another client instead of Thunderbird if OAuth over POP for Gmail isn't implemented by then.
Will someone please consider prioritizing this request, in light of Google's recent announcement?
Thank you.
Comment 14 • 4 years ago (Reporter)
Please see this support topic. https://support.mozilla.org/en-US/questions/1275810
I am wondering how I am supposed to address this as obviously it will be getting very common over the next 6 months. Have I gone the right approach?
Doing the sorts of things discussed in the support post with IMAP is a mess, and any "solution" that sees mail routinely moved/copied from IMAP to local folder with filters will eventually lead to data loss. Thunderbird's IMAP implementation just does not cope well with this, the more messages involved at one time the more likely failure.
Successful implementation of this bug well prior to Google's stated implementation date of 15th June 2020 is critical to Thunderbird maintaining credibility with those users. I do not feel we can wait for 78, this is going to have to be implemented and uplifted to ESR if we want to look in the least proactive.
Comment 15 • 4 years ago (Assignee)
This is, almost, working. You get the oauth prompt and all that, but something's still wrong. Probably the next state things in nsPop3Protocol::OnSucces. So no mail.
Comment 16 • 4 years ago (Reporter)
Today's little snippet. This is the text that now appears on Yahoo account settings when you go to access the less secure apps setting.
Allow apps that use less secure sign in (This option will be going away on March 2nd, 2020)
Some non-Yahoo apps and devices use less secure sign-in technology, which could leave your account vulnerable. You can turn off access (which we recommend) or choose to use them despite the risks.
With a link to this useless information
https://help.yahoo.com/kb/account/SLN27791.html?impressions=true
So it would appear that POP access to Yahoo accounts will terminate on the 2nd of March unless something is done very quickly in this bug.
Comment 17 • 4 years ago (Reporter)
It is very near to a missed deadline on the Yahoo changes. They will enforce oAuth from March the 2nd, which does not leave very long to get this into a production release. I would assume it would have to be in 68.5 to make that March 2nd deadline to be in users' hands.
Comment 18 • 4 years ago (Assignee)
Alright, this seems to work for me. Tested with yahoo, aol, and gmail.
Sent to try now: https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=ac3bf953bcb9572a716734f60ecdae8e47608b99
Ben, please review ASAP so we could potentially get it into beta this week and get it released in time.
Comment 19 • 4 years ago (Assignee)
Comment on attachment 9123519 [details] [diff] [review] bug1538409_pop3_oauth.patch Review of attachment 9123519 [details] [diff] [review]: ----------------------------------------------------------------- ::: mailnews/local/src/nsPop3Protocol.h @@ +144,5 @@ > POP3_FINISH_OBTAIN_PASSWORD_BEFORE_USERNAME, // 48 > POP3_OBTAIN_PASSWORD_BEFORE_PASSWORD, // 49 > + POP3_FINISH_OBTAIN_PASSWORD_BEFORE_PASSWORD, // 50 > + > + POP3_SUSPENDED, // 51 Oh, this one I didn't need. I'll remove it locally.
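Review bot: In the nsPop3Protocol.h hunk, POP3_SUSPENDED // 51 is added to the state enum even though, as the author says right after the hunk, nothing needs it. Drop it before landing so the enum carries no state that no transition reaches, and confirm the hand-maintained // 48 to // 50 index comments still match the enumerator positions afterwards.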
Comment 20 • 4 years ago
Comment on attachment 9123519 [details] [diff] [review] bug1538409_pop3_oauth.patch Review of attachment 9123519 [details] [diff] [review]: ----------------------------------------------------------------- Looks good to me, assuming you're happy with the NS_IMPL_ISUPPORTS_INHERITED usage. ::: mailnews/base/prefs/content/am-server.js @@ +99,5 @@ > > + // OAuth2 are only supported on IMAP and POP. > + document.getElementById("authMethod-oauth2").hidden = > + serverType != "imap" && serverType != "pop3"; > + // TLS Cert (External) and OAuth2 only supported on IMAP. // TLS Cert (External) only supported on IMAP. maybe, given that OAuth2 now supported on POP3? ::: mailnews/local/src/nsPop3Protocol.cpp @@ +379,5 @@ > // nsPop3Protocol class implementation > > +NS_IMPL_ISUPPORTS_INHERITED(nsPop3Protocol, nsMsgProtocol, > + msgIOAuth2ModuleListener, nsIProtocolProxyCallback) > + Does this need to list all the inherited classed/interfaces? nsIMsgAsyncPromptListener and nsIPop3Protocol aren't listed here. (I still find the XPCOM macro magic a little bit... uh... magical) @@ +1598,4 @@ > return NS_ERROR_FAILURE; > } > MOZ_LOG(POP3LOGMODULE, LogLevel::Debug, > + (POP3LOG("Rrying auth method 0x%X"), m_currentAuthMethod)); typo
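Review bot: In the am-server.js hunk, the two comments disagree with the code and with each other: the added line says "OAuth2 are only supported on IMAP and POP" while the following comment still says "TLS Cert (External) and OAuth2 only supported on IMAP". Reword the first to "OAuth2 is only supported on IMAP and POP3" and drop OAuth2 from the second, so both match the serverType != "imap" && serverType != "pop3" condition that now controls the authMethod-oauth2 item.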
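Review bot: In the nsPop3Protocol.cpp hunk at +379, NS_IMPL_ISUPPORTS_INHERITED lists only msgIOAuth2ModuleListener and nsIProtocolProxyCallback. The macro answers QueryInterface for the listed interfaces and hands everything else to nsMsgProtocol, so any interface the class adds itself and leaves off this list stops being reachable through QueryInterface; check nsIPop3Protocol and nsIMsgAsyncPromptListener against the class declaration and list them if the base class does not already provide them.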
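Review bot: In the nsPop3Protocol.cpp hunk at +1598, the changed debug message reads "Rrying auth method 0x%X". It should be "Trying auth method 0x%X"; anyone searching a POP3 log for the authentication attempt will otherwise miss the line that records which method was used.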
Comment 21 • 4 years ago (Assignee)
Thx, yes those macros are a bit magic. I just did what I had to to get it to compile ;)
Comment 22 • 4 years ago
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/4a36f8aa2ddd
implement oAuth authentication for POP accounts. r=benc
Comment 23 • 4 years ago (Assignee)
Comment on attachment 9123519 [details] [diff] [review] bug1538409_pop3_oauth.patch This is showing some test failures (probably). Hmm... will look into them.
Comment 24 • 4 years ago
Pushed by mkmelin@iki.fi: https://hg.mozilla.org/comm-central/rev/499ff502287d followup to pop oAuth2 - re-add nsIMsgAsyncPromptListener impl. rs=bustage-fix
Comment 25 • 4 years ago (Assignee)
Debug builds weren't happy with that. New try: https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=b3eaf47410e7f41429dd4992a92507be99a248de
Comment 26 • 4 years ago
Pushed by mkmelin@iki.fi: https://hg.mozilla.org/comm-central/rev/8da7b1c07139 followup 2 - back to original xpcom magic. rs=bustage-fix
Comment 27 • 4 years ago (Assignee)
Sorry for the noise. It should be all fine now.
Comment 28 • 4 years ago (Assignee)
Comment on attachment 9123519 [details] [diff] [review] bug1538409_pop3_oauth.patch Uplift for https://hg.mozilla.org/comm-central/rev/4a36f8aa2ddd https://hg.mozilla.org/comm-central/rev/499ff502287d https://hg.mozilla.org/comm-central/rev/8da7b1c07139
Comment 29 • 4 years ago
Thunderbird 73.0b2:
https://hg.mozilla.org/releases/comm-beta/rev/f6219b04be6d83cd8bc0bf968bbf619708b6a2e2
Comment 33 • 4 years ago (Assignee)
Note to self: we need to add the OAuth2 support to pop for gmail. For yahoo it was already there.
Comment 34 • 4 years ago (Reporter)
Can we uplift this to ESR?
Comment 35 • 4 years ago (Assignee)
That's the intention. We just have it tried out a bit by beta users first so there's nothing obvious popping up.
Comment 36 • 4 years ago (Assignee)
Anyone want to verify it's working for them on beta/nightly?
Comment 37 • 4 years ago (bugherder uplift)
Thunderbird 68.5.0:
https://hg.mozilla.org/releases/comm-esr68/rev/e5a6494618dc
https://hg.mozilla.org/releases/comm-esr68/rev/9f75ed0d779e
https://hg.mozilla.org/releases/comm-esr68/rev/48741788402e
Comment 38 • 4 years ago
What exactly do users have to do with existing Yahoo POP accounts in Thunderbird 68.5 to have the accounts working again?
Comment 39 • 4 years ago (Assignee)
Go to Account Settings | Server Settings. Change Authentication Method to OAuth2.
Comment 40 • 4 years ago
Pushed by mkmelin@iki.fi: https://hg.mozilla.org/comm-central/rev/25e74f6bf106 back out wrong authentication method selection change. r=me
Comment 41 • 4 years ago (Assignee)
(In reply to Pulsebot from comment #40)
The previous patches was causing test failures for 68. The change is wrong, but I can't remember exactly why I put it there.
It didn't cause test failures elsewhere since only on 68 is the "Advanced Config" disabled if Autoselect is selected as authentication method - this was changed in the redesign. It's not actually a problem when it's set to autoselect - but of course you need to set it to something good before you could connect.
Comment 42 • 4 years ago (bugherder uplift)
Thunderbird 68.5.0:
https://hg.mozilla.org/releases/comm-esr68/rev/c25a4ce1e756