Google discontinuing support for OAuth via embedded browsers (starting January 4, 2021, or extended deadline to June 30, 2021)
Categories
(Thunderbird :: Account Manager, defect, P1)
Tracking
(thunderbird_esr78?, thunderbird90?)
People
(Reporter: sancus, Unassigned)
We received an email that states: "We are writing to let you know that Google will discontinue support for sign-ins to Google accounts from embedded browser frameworks, starting January 4, 2021.
We have detected the use of an embedded browser framework with one or more of your OAuth clients that may be blocked on or after January 4, 2021."
Linked was this blog post: https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html
It seems that Google now requires the embedded browser to be whitelisted, or to use an external browser flow for OAuth login.
It's unclear to me if the detection above refers to all versions of Thunderbird, i.e. Thunderbird is not whitelisted, or perhaps just older versions. Also not clear if this is resolvable by getting Google to whitelist Thunderbird, as we are at least as secure as Firefox, or if we will be forced to change the OAuth flow.
An option was provided to submit a request to extend the deadline to June 30, 2021, and I have submitted it just in case we end up needing more time.
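For reference, an "external browser flow" as mentioned in the report usually means an authorization-code request opened in the system browser, with a loopback redirect and PKCE (RFC 8252, RFC 7636). The code below is an added example, not Thunderbird's code and not part of the original report; the client ID, the port and the `/callback` path are placeholders chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"  # placeholder, not a real client


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636, section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_authorization_request(loopback_port: int, scope: str) -> dict:
    """Return the URL for the system browser plus the secrets kept in-process."""
    verifier = b64url(secrets.token_bytes(32))  # 43-character code_verifier
    state = b64url(secrets.token_bytes(16))     # binds the callback to this request
    redirect_uri = f"http://127.0.0.1:{loopback_port}/callback"  # assumed path
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return {"url": f"{AUTH_ENDPOINT}?{query}", "state": state,
            "code_verifier": verifier, "redirect_uri": redirect_uri}


def code_from_callback(request_target: str, expected_state: str) -> str:
    """Validate the request the browser sends to the loopback listener."""
    params = parse_qs(urlsplit(request_target).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this request")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]
```

The `code_verifier` never appears in the browser URL; it is sent only with the later token request, so an authorization code captured on its own cannot be redeemed.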
Comment 2•5 years ago
Yeah.
Comment 3•5 years ago (Reporter)
Our extension has been granted.
It's still not clear to me what, if any, versions of Thunderbird are affected by this. Is there an easy way to run the HTTP header test detailed in the blog post using the console? "Add Google-Accounts-Check-OAuth-Login:true to your HTTP request headers."
It is possible that only older versions are affected, but if 68 or older are affected it'd be good to be aware of that in the case of support requests come June. We can't fix them, but we can warn people about it at least.
Comment 4•5 years ago
Oh right, I meant to comment here. I did a quick-and-dirty test of some HTTP requests with the header added and had no problems. As I can't remember exactly what it was I tested, I will try it again.
Comment 5•5 years ago
AFAICT, OAuth still works (in 78) with the header added to all requests. It doesn't appear to make any difference. It would be nice if the server at least acknowledged we'd sent the header.
Comment 6•5 years ago (Reporter)
(In reply to Geoff Lankow (:darktrojan) from comment #5)
> AFAICT, OAuth still works (in 78) with the header added to all requests. It doesn't appear to make any difference. It would be nice if the server at least acknowledged we'd sent the header.
Thanks for testing this. I have sent an email to the contact that approved our extension request, to see if there's any other/better way to confirm that Thunderbird 78 at least won't be affected.
Comment 7•4 years ago
(In reply to Andrei Hajdukewycz [:sancus] from comment #6)
> (In reply to Geoff Lankow (:darktrojan) from comment #5)
> > AFAICT, OAuth still works (in 78) with the header added to all requests. It doesn't appear to make any difference. It would be nice if the server at least acknowledged we'd sent the header.
> Thanks for testing this. I have sent an email to the contact that approved our extension request, to see if there's any other/better way to confirm that Thunderbird 78 at least won't be affected.
What's the good word?
Comment 8•4 years ago (Reporter)
I have no idea. They did extend us to June 30, 2021, but never answered any of my other emails on the topic. So I don't see any option but to assume your testing was correct and wait-and-see if we get any problem reports at the end of June. /sigh
Comment 9•4 years ago
(In reply to Andrei Hajdukewycz [:sancus] from comment #8)
> I have no idea. They did extend us to June 30, 2021, but never answered any of my other emails on the topic. So I don't see any option but to assume your testing was correct and wait-and-see if we get any problem reports at the end of June. /sigh
You don't sound convinced, which if you are not comfortable with the situation, you might imagine I am even less comfortable. I'm not keen on "seeing if we get any reports at the end of June".
But the test was conclusive, according to their instructions, no? In which case we /should/ be safe. In which case we should just close this bug.
Do you agree Magnus?
Comment 10•4 years ago
Anyone seen support reports of failures, or can test that OAuth is functioning well?
Comment 11•4 years ago
I can say mine is working fine. Both OAuth and normal password accounts continue to function. I have not seen any particular uptick in Google issues in support.
Comment 13•4 years ago (Reporter)
I think if this was broken we would be receiving massive numbers of reports, so I agree, seems like our major versions are working fine.
Comment 14•4 years ago
I did wonder if the issue might have been with Lightning or add-ons generally using OAuth to access Google using the "Thunderbird" Browser Id.
Comment 15•4 years ago
Or people stealing our OAuth credentials which are just sitting there in the code. I've seen one StackOverflow post suggesting just that (not for Google though).
Comment 16•4 years ago
This might be the start of something. It does appear to be talking about outdated embedded browsers.
https://support.mozilla.org/en-US/questions/1343530
Comment 17•4 years ago
(In reply to Matt from comment #16)
> This might be the start of something. It does appear to be talking about outdated embedded browsers.
> https://support.mozilla.org/en-US/questions/1343530
Exactly, I wrote that. The embedded browser is out-of-date. I can't sign in.
Comment 18•4 years ago
I was at the wrong acc. But yeah, I'm not able to sign in.
Comment 19•4 years ago
Comment 20•4 years ago
Comment 21•4 years ago
Add-ons disabled? Did you manually change the User-Agent string it's sending?
Comment 22•4 years ago (Reporter)
I can't reproduce any issue with gmail sign-in on 78, at least.
Comment 23•4 years ago
(In reply to Magnus Melin [:mkmelin] from comment #21)
> Add-ons disabled? Did you manually change the User-Agent string it's sending?
What do you mean with changing the User-Agent string?
I don't have any type of add-ons in Thunderbird.
Comment 24•4 years ago
(In reply to Andrei Hajdukewycz [:sancus] from comment #22)
> I can't reproduce any issue with gmail sign-in on 78, at least.
I have the 90.0b3 version.
Comment 25•4 years ago (Reporter)
(In reply to Pablo from comment #24)
> (In reply to Andrei Hajdukewycz [:sancus] from comment #22)
> > I can't reproduce any issue with gmail sign-in on 78, at least.
> I have the 90.0b3 version.
Can't reproduce it on that version either. Have you tried with a fresh profile??
Comment 26•4 years ago
(In reply to Andrei Hajdukewycz [:sancus] from comment #25)
> (In reply to Pablo from comment #24)
> > (In reply to Andrei Hajdukewycz [:sancus] from comment #22)
> > > I can't reproduce any issue with gmail sign-in on 78, at least.
> > I have the 90.0b3 version.
> Can't reproduce it on that version either. Have you tried with a fresh profile??
Mhm. That is a fresh version, totally installed today. A few hours ago.
Comment 27•4 years ago
Is there any way that I can open that OAuth page in Firefox directly?
Comment 28•4 years ago (Reporter)
(In reply to Pablo from comment #27)
> Is there any way that I can open that OAuth page in Firefox directly?
No, Thunderbird needs to store the token it receives. And in any case, if there was an actual issue with the browser in Thunderbird then it would be easy to reproduce the problem because every installation of Thunderbird 90 or 78 would be broken, but that's clearly not true.
Comment 29•4 years ago
So, maybe try to delete Thunderbird data? (Via %Appdata)
Comment 30•4 years ago
Wait, are you using POP3 or IMAP?
Comment 31•4 years ago
(In reply to Andrei Hajdukewycz [:sancus] from comment #28)
> (In reply to Pablo from comment #27)
> > Is there any way that I can open that OAuth page in Firefox directly?
> No, Thunderbird needs to store the token it receives. And in any case, if there was an actual issue with the browser in Thunderbird then it would be easy to reproduce the problem because every installation of Thunderbird 90 or 78 would be broken, but that's clearly not true.
.
Comment 32•4 years ago
I reinstalled and deleted all the data and still doesn't work. Any solution?
Comment 33•4 years ago (Reporter)
(In reply to Pablo from comment #32)
> I reinstalled and deleted all the data and still doesn't work. Any solution?
Bugzilla isn't for support, sorry, I don't have time to go back and forth troubleshooting. Please keep that sort of stuff on SUMO.
Comment 34•4 years ago
Another report: https://support.mozilla.org/en-US/questions/1344530
Comment 35•4 years ago
Another report: https://support.mozilla.org/en-US/questions/1350244
Comment 36•4 years ago
(In reply to Pablo from comment #32)
> I reinstalled and deleted all the data and still doesn't work. Any solution?
Pablo, do you still see this issue? If so, could you please check in Help > More Troubleshooting Information for the user agent string and post it here.