Gmail login stuck at permission grant step ("Allow" button) in Google OAuth2 flow when Google Advanced Protection 2FA (two-factor) is enabled on Mac
Categories: Thunderbird :: Security, defect
Tracking: Not tracked
People: Reporter: kevin, Unassigned
Details: Whiteboard: [closeme 2023-10-01]
Attachments: 1 file (441.92 KB, image/png)
Steps to reproduce:
- Use a Google account configured with 2FA via app-based TOTP.
- Add Gmail account to Thunderbird via OAuth2 flow.
- Enjoy using Thunderbird happily for years.
- Enable Google's Advanced Protection Programme on the account.
- Invalidate all existing sessions including Thunderbird one.
- Try to re-authenticate with Google when prompted by Thunderbird.
- Authenticate using Gmail address and password successfully.
- Use security key as second factor successfully.
- Click on "allow" button at permission grant step of OAuth2 flow.
Additional context:
- Thunderbird 91.7.0 (64-bit) on macOS 12.3.
- Not using a proxy in Thunderbird's connection settings.
- Thunderbird accepts cookies from sites.
- Same issue persisted when I removed the account and tried again.
Actual results:
- After clicking on "allow", all buttons turn grey.
- The OAuth2 flow gets stuck there and hangs forever.
- I end up closing the OAuth2 flow window.
- The email account doesn't get set up.
Expected results:
- The permission grant is accepted.
- Thunderbird registers the new email account.
- I can access my Gmail just fine, as I used to.
Comment 1•3 years ago
Do you have cookies disabled?
What other things might be using localhost?
That looks to me to be about the point where the flow redirects to localhost so Thunderbird can get the authentication key to save.
Do you host your own mail or web pages on your machine? Anti virus perhaps?
Comment 3•3 years ago
Kevin ??
Comment 4 (Reporter)•3 years ago
Sorry for the slow reply and thank you for your questions.
> Do you have cookies disabled?
Yes, cookies are enabled, as mentioned in my initial message. Also this flow used to work just fine before.
> What other things might be using localhost?
I can't think of anything that would interfere here – localhost works as expected. I sometimes run web-applications locally, for development purposes, but they're on specific ports and I don't keep them running over time. I don't have an anti-virus running either.
Comment 5•3 years ago
Hmm, I am using 100.0 b2 and our org began using Duo 2FA early this year via mobile app (approval/denial). The org account I use with 2FA is a Google Mail account and I got prompted once or twice in the past couple months or so but after allowing TB as a trusted app, I haven't seen a 2FA roadblock since. I've recently recreated all my GMail accounts and TB profile from scratch so my profile is still pretty new.
Kevin, you're on 91.8.0 now, yes?
Comment 6 (Reporter)•3 years ago
> Kevin, you're on 91.8.0 now, yes?
Yes, I updated the app a couple of days ago. I just tried again and the same error is occurring. I'm tempted to remove Thunderbird completely from my machine and try again with a fresh install, but I'm not sure what difference that would make.
Comment 7•3 years ago
(In reply to Kevin Plattret from comment #6)
> > Kevin, you're on 91.8.0 now, yes?
> Yes, I updated the app a couple of days ago. I just tried again and the same error is occurring. I'm tempted to remove Thunderbird completely from my machine and try again with a fresh install, but I'm not sure what difference that would make.
No, don't remove it just yet. We can try an experiment if you're up? Doesn't involve touching your existing TB profile and install.
Comment 8 (Reporter)•3 years ago
> No, don't remove it just yet. We can try an experiment if you're up? Doesn't involve touching your existing TB profile and install.
Yes sure, I'm happy to give it a try!
Comment 9•3 years ago
(In reply to Kevin Plattret from comment #8)
> > No, don't remove it just yet. We can try an experiment if you're up? Doesn't involve touching your existing TB profile and install.
> Yes sure, I'm happy to give it a try!
Ok great. This might help determine if it's a profile issue or perhaps some stray setting. We can figure this out in a sandbox using Portable TB.
- Close your installed TB and ensure it's fully shut down.
- Go grab TB portable: https://portableapps.com/apps/internet/thunderbird_portable
- Download the .paf file to a temp folder or Desktop
- Double-click the PAF file and let it extract to where you downloaded it
Now you have a self-contained setup of TB to play with in a self-contained folder and it doesn't affect your main profile from your locally installed version.
- Go ahead and launch TB portable and set up the GMail account that's having the issue and try to repro your issue. Then, just try to repro the 2FA issue, don't use this portable TB to do anything to your emails, etc.
If it repros with TB portable, then it's likely something that 91.8 isn't handling right.
If it doesn't repro with TB portable, it's likely something in your profile that's gummed up. Just my 2 cents.
Comment 10 (Reporter)•3 years ago
This only seems to work on Windows unfortunately and I'm using a Mac. Thanks for suggesting it though! It was a great idea and it made me realise that I could simply try and set up my Gmail account on Thunderbird on my work machine, which runs Ubuntu. The good news is that the Google OAuth2 flow worked perfectly well on there.
With this knowledge, I guess I'll just go ahead and delete my local installation of Thunderbird, then try to set up everything again and report back.
Comment 11•3 years ago
Ah, I didn't realize it was on a Mac. I'd just create a new profile (you can always delete it later) and test with the new profile: http://kb.mozillazine.org/Profile_manager
Comment 12•3 years ago
Which 2FA are you using?
Comment 13•3 years ago
(In reply to Arthur K. [He/Him] from comment #11)
> Ah, I didn't realize it was on a Mac. I'd just create a new profile (you can always delete it later) and test with the new profile: http://kb.mozillazine.org/Profile_manager
Ugh. You stated in your first comment that you already tried this, yes?
Comment 14 (Reporter)•3 years ago
I completely removed Thunderbird from my Mac, including the Library folder, then I installed it again and tried setting up my Gmail account again. Unfortunately the exact same issue is happening, so I think it's safe to say that this problem doesn't come from my machine, but probably from Thunderbird for Mac, since it worked fine on Ubuntu when I tried.
> Which 2FA are you using?
I'm using security keys only on my Google account.
Comment 15•3 years ago
I use an application password
Comment 16•3 years ago
You mention: I sometimes run web-applications locally,
If you have any program that uses localhost, e.g. Apache or similar, you must switch it off to get OAuth authentication to work.
Once OAuth is set up then you can switch the localhost program back on.
Comment 17•3 years ago
Hi all,
I wanted to mention that this also happens on Windows and Linux builds.
My workaround to make this all work is to flip the switch of general.useragent.compatMode.firefox to be true and then I have no problems with the workflow.
I recently did a training for a bunch of investigative journalists and we ran into this issue on all platforms, the workaround also worked on all platforms.
Comment 18•3 years ago
(In reply to James Rome from comment #15)
> I use an application password
You cannot use app passwords when you're signed up to Google Advanced Protection. It also provides lesser security than yubikeys.
Comment 19 (Reporter)•3 years ago
> If you have any program that uses localhost eg: Apache or similar, you must switch it off to get Oauth Authentication to work.
> Once OAuth is setup then you can switch localhost program back on.
I tried with Apache server switched off but still no luck. Nothing else is running on localhost as far as I'm aware.
> My workaround to make this all work is to flip the switch of general.useragent.compatMode.firefox to be true and then I have no problems with the workflow.
Thanks for sharing this tip. I just tried the workaround you suggested and although the UI looks slightly different, the same issue is still occurring for me: once I click the "Allow" button, the OAuth2 flow hangs there in loading mode forever. I am now on macOS 12.4 and Thunderbird 91.10.0. I can see the same error in the console as per my initial screenshot.
Comment 20•3 years ago
During a fresh installation of Thunderbird (91.10.0) (I didn't have MacOS on this macbook running Catalina before), I managed to complete the OAuth2 flow with yubikey without having to resort to a workaround.
Maybe a useful data point.
Comment 21•2 years ago
I just had the same issue on Windows 10. The final OAuth redirect was made to something like https://localhost/?code=... but Thunderbird displayed an error page saying that a secure connection could not be established. I do have a development web server running on localhost. Perhaps Thunderbird should use some specific port number in order not to clash with commonly used ports?
That said, before trying to disable my web server and checking if it would work, I tried just the workaround with general.useragent.compatMode.firefox mentioned above and the authentication has completed successfully. I will try it the other way if I encounter the issue again.
Comment 22•1 year ago
Kevin, Jurre,
Are you still able to reproduce this?
Comment 24 (Reporter)•1 year ago
Hi Wayne, thanks for checking in on this. I don't remember exactly if it happened with v115, but I was able to set up my Gmail account again in recent months indeed. From my perspective, this specific issue is no longer occurring.