Closed Bug 1612717 Opened 6 years ago Closed 5 years ago

No way to re-authenticate OAuth2 accounts if the permission is revoked from the server side(?)

Categories

(Thunderbird :: Account Manager, defect)

Product:
Thunderbird
Component:
Account Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(thunderbird_esr68+ fixed, thunderbird74+ wontfix)

Status:
RESOLVED FIXED
Milestone:
Thunderbird 75.0
Tracking Flags:
Tracking Status
thunderbird_esr68 + fixed
thunderbird74 + wontfix

People

(Reporter: frederick888, Assigned: mkmelin)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [regression:TB68.4.2])

Attachments

(2 files)

Screenshot_20200202_232925.png
27.52 KB, image/png
Details
bug1612717_reauth_oauth2.patch
1.54 KB, patch
Fallen
: review+
wsmwk
: approval-comm-esr68+
Details | Diff | Splinter Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0

Steps to reproduce:

  1. Log into a Gmail account using OAuth2
  2. Change the password of the Google account to log out all clients
  3. Launch Thunderbird

Actual results:

Only a notification popped up saying 'Authentication failure while connecting to server imap.google.com'.

Expected results:

Apart from the notification, Thunerbird should re-initiate the OAuth2 flow to authenticate itself again.

There is a work around.

If you change your password in Gmail Oauth2 account the old token is still stored in TB.

You must go to tools > options > security > passwords
Show Passwords - identify the offending account and delete the password(s)

Once this is done you can get mail and gmail will demand you to allow third party accounts.

Alternatively, TB should also delete passwords when an account is deleted. Then re-create the account.

@Peter Thanks, the workaround worked for me! And by the way I had to relaunch TB to re-log on otherwise it just failed silently.

I can confirm this bug, but i've hitted them only when i've switch to TB 68.5.0 from 68.4.1 (Win64). I've never had troubles with previous TB versions.

In my setup, users change frequently the password, and via API the password are changed also on GMail: so it happen very frequently that users change their password. This can be very annoying...

Thanks.

I tested this a bit, and can confirm comment 0.

But it seems an easy workaround is to then, either

  • use the Get messages for (the specific account) button. (note bug 1593611)
  • close Thunderbird, and get prompted when it tries to connect

I'm not this is bug though. For (background-ish) getting of new mails, we don't normally prompt for password.

Sorry @Magnus I'm not with you. Did you mean TB should've asked users to log on again in those two scenarios?

I believe we do not ask in case there are auth failures during background mail checks (for other auth methods either).

For the two bullet points listed in comment 4, Thunderbird will ask you if needed.

Do those not work for you?

(In reply to Magnus Melin [:mkmelin] from comment #4)

But it seems an easy workaround is to then, either

This workaround does not work for me, the only way i have is to delete password saved as in comment #1.

Something is strange here. I saw the problem on trunk, then tried 68.5, 68.4.4 (no prompts) and then 68.2.2. On 68.2.2 I got the prompt again, but then trying 68.4.4 once more, I there too get the prompt.

Status: UNCONFIRMED → NEW
Ever confirmed: true

What i can say is:

  • on 10 of January i've upgraded TB in my organization to 68.4.1 (if i remember well, from a 68.3.X series)
  • on 13 of February i've upgraded to 68.5
  • between 10/1 and 13/2 roughly 30 users change their password, NO one call helpdesk for this problem, so plausibly TB worked.
  • between 13/2 and today, 10 users change their password, and ALL call helpdesk for this problem.

Thanks.

There was an incorrect change of logic in https://hg.mozilla.org/comm-central/rev/f962ffd01192 (calling failure instead of success for the failure case)

Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Attachment #9127528 - Flags: review?(philipp)
Keywords: regression
Regressed by: 1597933

Thanks for having spotted this bug.

We are still thinking about 'rolling back' to some 68.4.X version here; it is known when this regression get added, so we can go back to a working version?

Thanks.

Yes it got introduced in 68.4.2.

Some info/hint about a release with a fix? There will be a 68.5.1 soon or we have to wait for 68.6.0?

Thanks.

wanting this for beta 2

Flags: needinfo?(philipp)
Comment on attachment 9127528 [details] [diff] [review] bug1612717_reauth_oauth2.patch Review of attachment 9127528 [details] [diff] [review]: ----------------------------------------------------------------- Looks good to me for the uplift, thanks. As mentioned on Matrix, I think we need to do a followup to clean up the logic here. If there was an error, then it shouldn't be marking it a success. The calling code should handle the appropriate error code and determine if it needs to reauth. The gdata provider has some inspiration.
Attachment #9127528 - Flags: review?(philipp) → review+

Marco: hopefully 68.6.0 in two weeks.

status-thunderbird68: --- → affected
status-thunderbird74: --- → affected
tracking-thunderbird68: --- → +
Keywords: checkin-needed-tb
Target Milestone: --- → Thunderbird 75.0

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/f31e6d153444
the case where the OAuth2 token expired should be handled with success to retrigger the authentication flow. r=Fallen

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED
tracking-thunderbird74: --- → +
status-thunderbird74: affectedwontfix
Whiteboard: [regression:TB68.4.2]
Comment on attachment 9127528 [details] [diff] [review] bug1612717_reauth_oauth2.patch (sorry for the churn) (In reply to Magnus Melin [:mkmelin] from comment #17) > Marco: hopefully 68.6.0 in two weeks. Looks like we missed this for 68.6.0, perhaps because of wrong flag, and we still want it. approved
Flags: needinfo?(philipp)
Attachment #9127528 - Flags: approval-comm-esr68+

No, wait, this mean that the patch DOES NOT land on 68.6.0?

I've seen https://www.thunderbird.net/en-US/thunderbird/68.6.0/releasenotes/, particulary:

fixed "Get New Messages for All Accounts" not working for OAuth2-authenticated IMAP accounts

and so i supposed WAS IN for 68.6.0... PLEASE, say me...

There are no checkins mentioned in this bug report since comment 18

Marco, that's another issue.

Sadly this was missed for 68.6.0 due to the wrong flag I set. https://hg.mozilla.org/releases/comm-esr68/shortlog
Wayne, maybe we should monitor the thunderbird68 flag too to make sure there are no confusions with that. (Or get rid of it since it's not needed anymore.)

68.7 will be out next week.

(In reply to Magnus Melin [:mkmelin] from comment #22)

Marco, that's another issue.
[...]
68.7 will be out next week.

OK. :-(

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: