Unable to authenticate with Google mail using OAUTH2 and 2FA if web server is running on https://localhost
Categories
(Thunderbird :: Account Manager, enhancement)
Tracking
(Not tracked)
People
(Reporter: dev, Unassigned)
References
Details
Steps to reproduce:
- Setup a GMail IMAP account with OAUTH2 enabled
- Auth window comes up and asks for the users email and password
- User is then challenged for their 2FA/U2F token
Actual results:
Once the token is accepted the window redirects to a page showing "insecure connection" and the URL bar shows https://localhost/....
I believe this was because I had a process running locally which was listening on port 443 (and 80) which intercepted the connection.
Expected results:
An error or warning should have been displayed saying that the auth process can't be completed because another process is listening on the required port; alternatively the port could be changed to avoid conflicts.
Comment 1•3 years ago
Our connection to localhost isn't real though, AFAICT...
Comment 2•3 years ago
Same issue here: Ubuntu 20.04 running Thunderbird 91.5.0 (64-bit)
If there's a Docker container running with a web service exposed on the host on tcp/80 (0.0.0.0:80->80/tcp), then when using OAuth2, after a successful 2FA auth Thunderbird reports authentication failure.
Stopping docker container eliminates the issue.
I can confirm this too. I'm not sure if my web server's automatic localhost:80 -> localhost:443 redirect had anything to do with the issue here.
I was able to work around this by temporarily shutting down my server.
I ran into this with Office 365's OAUTH2, not Google's.
Comment 4•3 years ago
Thunderbird: 91.8.0 / Windows 10
Running Apache (localhost:80 & localhost:443)
Authentication appears to complete all steps correctly, but the OAuth password is not saved.
Pausing Apache temporarily allows authentication to complete correctly.
I imagine this will stump quite a few folk over the next few weeks, which is Google's deadline for this:
May 30, 2022, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.
Updated•3 years ago
Comment 5•3 years ago
Maybe we can fetch("localhost") before starting the OAuth process. If it responds, tell the user they need to stop that process before proceeding.
xref bug 1174797
Comment 8•3 years ago
Would running the access code callback on an alternate, random port be a possible fix? See what ports are in use, pick a random one, run access code workflow there?
Comment 9•3 years ago
No, not in general. The redirection endpoint is defined at the provider, and they may or may not allow using other ports.
Comment 11•11 months ago
Microsoft works around this by using an application protocol redirect (which Google let them set up). The OAuth2 dialog redirects to outlook://foo/bar on Windows, which is registered to launch outlook.exe and pass in the url as a command line argument, which gets routed internally to the correct page.
I don't know if all platforms support custom protocols, but this should be the approach on all platforms that do.
Comment 12•11 months ago
Actually, please ignore the caveat in my last comment: since the redirect is performed in a webview under gecko/thunderbird control, it can fully handle a redirect to thunderbird://oauth2/authorize?code=... without involving the system protocol handler at all, under any and all supported platforms, and I don't see any reason why this can't be the preferred way instead of a localhost redirect (so long as it's possible to configure the oauth2 developer api token to redirect to thunderbird:// with the provider, and that should certainly be doable one way or the other).
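What the webview-side interception from the two comments above has to do, as an added example that is neither Thunderbird's code nor any commenter's: watch every navigation the embedded browser attempts, recognise the one that targets the registered redirect URI, and only then extract the authorization code, after checking the `state` parameter bound to this sign-in attempt (so a code injected by some other page or process on the machine is not accepted). It goes beyond the custom-scheme case in the comment: a loopback redirect URI is matched with the port ignored, per RFC 8252 section 7.3, while any other redirect URI is compared exactly. The `PendingAuth` type, the function names and the sample URLs are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hosts for which RFC 8252 §7.3 says the redirect port may vary per request.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class PendingAuth:
    """One in-flight authorization request (assumed structure for the example)."""
    redirect_uri: str   # exactly what was registered with the provider
    state: str          # unguessable, generated per attempt


def new_pending_auth(redirect_uri: str) -> PendingAuth:
    return PendingAuth(redirect_uri, secrets.token_urlsafe(32))


def matches_redirect(registered: str, candidate: str) -> bool:
    """Does `candidate` target the registered redirect URI?

    Scheme, host and path must match exactly (case-insensitive scheme/host).
    Loopback redirects ignore the port; everything else, including custom
    schemes such as thunderbird://, must match the port too.
    """
    r, c = urlsplit(registered), urlsplit(candidate)
    if r.scheme.lower() != c.scheme.lower() or r.path != c.path:
        return False
    rh, ch = (r.hostname or "").lower(), (c.hostname or "").lower()
    if rh != ch:
        return False
    if rh in LOOPBACK_HOSTS:
        return True
    return r.port == c.port


def intercept_navigation(pending: PendingAuth, url: str):
    """Decide what to do with a URL the webview is about to load.

    Returns one of:
      ("ignore", None)      -> not our redirect; let the webview load it
      ("code", <code>)      -> success; cancel the load and redeem the code
      ("error", <reason>)   -> cancel the load and report failure to the user
    """
    if not matches_redirect(pending.redirect_uri, url):
        return ("ignore", None)
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    state = q.get("state", [""])[0]
    # Constant-time compare of the CSRF token bound to this attempt.
    if not hmac.compare_digest(state.encode(), pending.state.encode()):
        return ("error", "state mismatch")
    if "error" in q:
        return ("error", q["error"][0])
    code = q.get("code", [""])[0]
    if not code:
        return ("error", "missing code")
    return ("code", code)


if __name__ == "__main__":
    # Constructed navigations for the demo; none of these URLs are real.
    p = new_pending_auth("thunderbird://oauth2/authorize")
    for u in (
        "https://accounts.example/o/oauth2/v2/auth?client_id=x",
        f"thunderbird://oauth2/authorize?state={p.state}&code=4%2FABC",
        "thunderbird://oauth2/authorize?state=forged&code=4%2FABC",
        f"thunderbird://oauth2/authorize?state={p.state}&error=access_denied",
    ):
        print(intercept_navigation(p, u))
```

Because the decision is made on the navigation request itself, the webview never actually connects to anything for the redirect, which is the property that a loopback http://localhost redirect loses as soon as a real server is listening on that port.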
Comment 13•10 months ago
I guess we found a solution, now need to create a patch.
Yeah, I have some issues with Thunderbird and a local web server too; using Thunderbird = disabling the web server, which is not the case for me because it's supposed to run 24/7...