Can't login to Gmail with OAuth2, unsupported browser error. (solved by setting "general.useragent.compatMode.firefox = True")
Categories (Thunderbird :: Security, defect)
Tracking (Not tracked)
People (Reporter: remy, Unassigned)
Attachments (1 file): 170.57 KB, application/x-zip-compressed
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Steps to reproduce:
See https://support.mozilla.org/en-US/questions/1374493#answer-1499359
I have 5 Gmail accounts that I manage for different family members. All accounts in Thunderbird access Gmail via IMAP, and are configured to login with OAuth2.
Last week, Google removed Thunderbird access from 2 of the accounts; I do not know why. When I logged in to those accounts via the web in Firefox, Thunderbird was no longer listed under their 3rd party access. The other 3 accounts are fine.
Actual results:
I am having the same issue as reported in these posts:
https://support.mozilla.org/en-US/questions/1343530
https://support.mozilla.org/en-US/questions/1344530
https://support.mozilla.org/en-US/questions/1350244
1 of the failing accounts does not have 2FA enabled. I was able to re-login with Thunderbird when prompted, and I was presented with a window to grant Thunderbird access, which worked, no problem. So Thunderbird's browser was clearly recognized by Gmail.
But the other failing account does have 2FA enabled, and that is where the problem lies. Thunderbird prompts for login, and the username and password are accepted, but when I enter the 2FA verification code, Thunderbird presents a window saying "Your browser is not supported anymore. Please update to a more recent one." (bug 1677845). There is no option presented to grant access to Thunderbird. Yet, the verification did work, because the browser shows me as logged in, and my primary email receives notification that the account was logged in from a new device.
See attached screenshots.
For the record, the failing 2FA account is managed by Family Link (the other non-2FA account is not). According to https://support.google.com/mail/thread/127545584/, such accounts cannot log in to email clients. But that has never been a problem before, and 1 of the other still-working accounts in Thunderbird is also managed by Family Link and works just fine, so that can't be the culprit.
Also, I do have AVG installed with Email Shield enabled, but disabling that makes no difference.
Thunderbird's UserAgent is "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1". And yes, cookies are enabled in both Thunderbird and Firefox.
Is there a way to get Thunderbird to use Firefox properly for Gmail login, instead of its own integrated browser?
I wonder, could this have anything to do with Thunderbird requesting a "legacy" OAuth URL, even though the account is set to use OAuth2?
As you can see in the attached screenshots, Thunderbird is logging in using the URL "https://accounts.google.com/signin/oauth/legacy/...", which is NOT the URL described in Google's OAuth2 documentation (https://accounts.google.com/o/oauth2/v2/auth, and https://oauth2.googleapis.com/token).
Expected results:
I expected the browser used to be recognized by Google, and the 2FA OAuth2 login to be fully successful so Thunderbird can access the account.
Comment 1•3 years ago
There is no way to use an external browser. The /legacy thing is something Google itself will redirect to. Thunderbird uses the right URLs: https://searchfox.org/comm-central/rev/02c6840fd366b6e13c06f8266fad4ae921f5dadc/mailnews/base/src/OAuth2Providers.jsm#89
OK, well, that doesn't change the fact that whatever browser Thunderbird is using internally, it is not able to complete the Gmail OAuth2 login in this situation. I can access the account in question on the same machine over the web just fine, I'm just not able to access it via Thunderbird anymore, even though it was working fine a couple of weeks ago.
Problem solved by setting "general.useragent.compatMode.firefox = True" in Thunderbird's Config Editor.
Comment 4•3 years ago
FWIW, the reporter at https://support.mozilla.org/en-US/questions/1344530 states "Since I have recently started using Family Link to limit screen time on my phone, it seems that it prevents me from accessing Google Mail on Thunderbird."
Which relates to "Accounts managed by Family Link are not allowed to sign in via email clients. I was unable to get my test child account added to Thunderbird." Source: https://support.google.com/mail/thread/127545584/i-have-created-a-supervised-account-and-i-m-want-to-add-it-to-my-mail-app-in-mac-but-its-offline?hl=en&msgid=128001398
Comment 5•3 years ago
(In reply to Wayne Mery (:wsmwk) from comment #4)
> FWIW, the reporter at https://support.mozilla.org/en-US/questions/1344530 states "Since I have recently started using Family Link to limit screen time on my phone, it seems that it prevents me from accessing Google Mail on Thunderbird."
Likely unrelated. I tried this and adding a child account kind of worked (had to wait for some timeouts to "try another way"), since I don't usually use the "security key" auth.