Closed Bug 1597938 Opened 6 years ago Closed 6 years ago

OAuth2 authentication to Gmail-IMAP appears broken in Thunderbird 60.9

Categories

(Thunderbird :: Untriaged, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1592407

People

(Reporter: andrew.skretvedt, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

Pursuant to an external discussion about best authentication methods for Gmail, I did an experiment to show off modern OAuth2 vice the old "App Passwords" method using the "Normal password" authentication method under the account's server settings pane.

  1. Preferences -> Security -> Saved Passwords (button)
  2. In list, located oauth:// token and removed it.
  3. Saved and closed and selected Gmail account to trigger an access.

Actual results:

  1. OAuth2 window appeared with Google's authentication steps
  2. Provided successful auth; shown notice of Thunderbird's access request and button to "Allow" the access.
  3. "Allow" clicked, window disappears, Thunderbird reports IMAP auth failure, no access.
  4. Preferences -> Security -> Saved Passwords (button) -> no oauth:// token was stored here.

Expected results:

  1. IMAP access into gmail should occur
  2. a new oauth:// token should be visible in the saved passwords lists to avoid reauthentication next time.

Clarification: I had been using OAuth2 normally, with the previously stored token, for quite a long time. Part of the reason I went intentionally messing around was to try to trigger the OAuth2 authentication screens on purpose, so I could remind myself how that process looks. I hadn't needed to do this since originally configuring Thunderbird to access my Gmail account quite some time ago.

Since, I have had to change my authentication method for this account in Thunderbird to "Normal password", and generate an "App Password" to use with it from the management interface at accounts.google.com. I cannot make the OAuth2 method in Thunderbird work anymore.

In troubleshooting the fault, I later on took the step to remove Thunderbird's access to my account at accounts.google.com, which I now realize has the effect of invalidating all the other stored tokens for this purpose out in the wild. Thereby, I have managed to break OAuth2 access on all my Thunderbird instances across my PCs. I have had to revert to the described old "App Passwords" based mechanism everywhere. This works, but Google deprecated the use of App Passwords as an account security concern. Google would prefer you to use OAuth2, if you can.

This is fixed in 68.2.2 and 60.9.1 - you need one of those from your distro, or download from the Thunderbird website. Unfortunately bug 1592407 was not listed when you typed in your bug summary.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE

(In reply to Wayne Mery (:wsmwk) from comment #2)

This is fixed in 68.2.2 and 60.9.1 - you need one of those from your distro, or download from the Thunderbird website. Unfortunately bug 1592407 was not listed when you typed in your bug summary.

*** This bug has been marked as a duplicate of bug 1592407 ***

Thanks, Wayne. I tried to search out similar bugs before posting. Oh well, sorry to bother. My distro is late for the fixed update, but now I know it's out there waiting for me.
