Closed Bug 1677845 Opened 5 years ago Closed 4 years ago

Google discontinuing support for OAuth via embedded browsers (starting January 4, 2021, or extended deadline to June 30, 2021)

Categories

(Thunderbird :: Account Manager, defect, P1)

Tracking

(thunderbird_esr78?, thunderbird90?)

RESOLVED WORKSFORME
Tracking Status
thunderbird_esr78 ? ---
thunderbird90 ? ---

People

(Reporter: sancus, Unassigned)

Details

Attachments

(1 file)

We received an email that states: "We are writing to let you know that Google will discontinue support for sign-ins to Google accounts from embedded browser frameworks, starting January 4, 2021.

We have detected the use of an embedded browser framework with one or more of your OAuth clients that may be blocked on or after January 4, 2021."

Linked was this blog post: https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html

It seems that Google now requires the embedded browser to be whitelisted, or to use an external browser flow for OAuth login.

It's unclear to me if the detection above refers to all versions of Thunderbird, i.e. Thunderbird is not whitelisted, or perhaps just older versions. Also not clear if this is resolvable by getting Google to whitelist Thunderbird, as we are at least as secure as Firefox, or if we will be forced to change the OAuth flow.

An option was provided to submit a request to extend the deadline to June 30, 2021, and I have submitted it just in case we end up needing more time.

stm this should have a priority setting

Flags: needinfo?(mkmelin+mozilla)

Yeah.

Severity: -- → S1
Flags: needinfo?(mkmelin+mozilla)
Priority: -- → P1
Summary: Google discontinuing support for oauth via some embedded browsers → Google discontinuing support for OAuth via embedded browsers (starting January 4, 2021, or extended deadline to June 30, 2021)

Our extension has been granted.

It's still not clear to me what, if any, versions of Thunderbird are affected by this. Is there an easy way to run the HTTP header test detailed in the blog post using the console? "Add Google-Accounts-Check-OAuth-Login:true to your HTTP request headers."

It is possible that only older versions are affected, but if 68 or older are affected it'd be good to be aware of that in case of support requests come June. We can't fix them, but we can warn people about it at least.

Oh right, I meant to comment here. I did a quick-and-dirty test of some HTTP requests with the header added and had no problems. As I can't remember exactly what it was I tested, I will try it again.

AFAICT, OAuth still works (in 78) with the header added to all requests. It doesn't appear to make any difference. It would be nice if the server at least acknowledged we'd sent the header.

(In reply to Geoff Lankow (:darktrojan) from comment #5)

> AFAICT, OAuth still works (in 78) with the header added to all requests. It doesn't appear to make any difference. It would be nice if the server at least acknowledged we'd sent the header.

Thanks for testing this. I have sent an email to the contact that approved our extension request, to see if there's any other/better way to confirm that Thunderbird 78 at least won't be affected.

(In reply to Andrei Hajdukewycz [:sancus] from comment #6)

> (In reply to Geoff Lankow (:darktrojan) from comment #5)
> > AFAICT, OAuth still works (in 78) with the header added to all requests. It doesn't appear to make any difference. It would be nice if the server at least acknowledged we'd sent the header.
>
> Thanks for testing this. I have sent an email to the contact that approved our extension request, to see if there's any other/better way to confirm that Thunderbird 78 at least won't be affected.

What's the good word?

Flags: needinfo?(sancus)

I have no idea. They did extend us to June 30, 2021, but never answered any of my other emails on the topic. So I don't see any option but to assume your testing was correct and wait-and-see if we get any problem reports at the end of June. /sigh

Flags: needinfo?(sancus)

(In reply to Andrei Hajdukewycz [:sancus] from comment #8)

> I have no idea. They did extend us to June 30, 2021, but never answered any of my other emails on the topic. So I don't see any option but to assume your testing was correct and wait-and-see if we get any problem reports at the end of June. /sigh

You don't sound convinced, which if you are not comfortable with the situation, you might imagine I am even less comfortable. I'm not keen on "seeing if we get any reports at the end of June".

But the test was conclusive, according to their instructions, no? In which case we /should/ be safe. In which case we should just close this bug.

Do you agree Magnus?

Flags: needinfo?(mkmelin+mozilla)

Anyone seen support reports of failures, or can test that OAuth is functioning well?

Flags: needinfo?(unicorn.consulting)
Flags: needinfo?(stancestans)
Flags: needinfo?(sfhowes)

I can say mine is working fine. Both OAuth and normal password accounts continue to function. I have not seen any particular uptick in Google issues in support.

Flags: needinfo?(unicorn.consulting)

Good to close?

Flags: needinfo?(mkmelin+mozilla) → needinfo?(sancus)

I think if this was broken we would be receiving massive numbers of reports, so I agree, seems like our major versions are working fine.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(stancestans)
Flags: needinfo?(sfhowes)
Flags: needinfo?(sancus)
Resolution: --- → WORKSFORME

I did wonder if the issue might have been with Lightning or add-ons generally using OAuth to access Google using the "Thunderbird" Browser Id.

Or people stealing our OAuth credentials which are just sitting there in the code. I've seen one StackOverflow post suggesting just that (not for Google though).

This might be the start of something. It does appear to be talking about outdated embedded browsers.
https://support.mozilla.org/en-US/questions/1343530

(In reply to Matt from comment #16)

> This might be the start of something. It does appear to be talking about outdated embedded browsers.
> https://support.mozilla.org/en-US/questions/1343530

Exactly, I wrote that. The embedded browser is out-of-date. I can't sign in.

I was at the wrong acc. But yeah, I'm not able to sign in.

Comment on attachment 9231044: The error. (Is in Spanish) It says "Browser not supported"

The browser isn't supported. Try to install a newer one.

Add-ons disabled? Did you manually change the User-Agent string it's sending?

I can't reproduce any issue with gmail sign-in on 78, at least.

(In reply to Magnus Melin [:mkmelin] from comment #21)

> Add-ons disabled? Did you manually change the User-Agent string it's sending?

What do you mean with changing the User-Agent string?

I don't have any type of add-ons in Thunderbird.

(In reply to Andrei Hajdukewycz [:sancus] from comment #22)

> I can't reproduce any issue with gmail sign-in on 78, at least.

I have the 90.0b3 version.

(In reply to Pablo from comment #24)

> (In reply to Andrei Hajdukewycz [:sancus] from comment #22)
> > I can't reproduce any issue with gmail sign-in on 78, at least.
>
> I have the 90.0b3 version.

Can't reproduce it on that version either. Have you tried with a fresh profile??

(In reply to Andrei Hajdukewycz [:sancus] from comment #25)

> (In reply to Pablo from comment #24)
> > (In reply to Andrei Hajdukewycz [:sancus] from comment #22)
> > > I can't reproduce any issue with gmail sign-in on 78, at least.
> >
> > I have the 90.0b3 version.
>
> Can't reproduce it on that version either. Have you tried with a fresh profile??

Mhm. That is a fresh version, totally installed today. A few hours ago.

Is there any way that I can open that OAuth page in Firefox directly?

(In reply to Pablo from comment #27)

> Is there any way that I can open that OAuth page in Firefox directly?

No, Thunderbird needs to store the token it receives. And in any case, if there was an actual issue with the browser in Thunderbird then it would be easy to reproduce the problem because every installation of Thunderbird 90 or 78 would be broken, but that's clearly not true.

So, maybe try to delete Thunderbird data? (Via %Appdata)

Wait, are you using POP3 or IMAP?

(In reply to Andrei Hajdukewycz [:sancus] from comment #28)

> (In reply to Pablo from comment #27)
> > Is there any way that I can open that OAuth page in Firefox directly?
>
> No, Thunderbird needs to store the token it receives. And in any case, if there was an actual issue with the browser in Thunderbird then it would be easy to reproduce the problem because every installation of Thunderbird 90 or 78 would be broken, but that's clearly not true.

.

I reinstalled and deleted all the data and still doesn't work. Any solution?

(In reply to Pablo from comment #32)

> I reinstalled and deleted all the data and still doesn't work. Any solution?

Bugzilla isn't for support, sorry, I don't have time to go back and forth troubleshooting. Please keep that sort of stuff on SUMO.

(In reply to Pablo from comment #32)

> I reinstalled and deleted all the data and still doesn't work. Any solution?

Pablo, do you still see this issue? If so, could you please check in Help > More Troubleshooting Information for the user agent string and post it here.
