Expired OAuth token - no automatic reauthentication - produces error ("The STAT command did not succeed .. Invalid credentials") - manual deletion of OAuth token required.
Categories: Thunderbird :: Security, defect
Tracking: Not tracked
People: Reporter: mozbz, Unassigned
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Steps to reproduce:
I doubt this is easily reproducible.
Win 10-pro x64 21H2.
I have 4 Gmail accounts (across 2 Google Workspace domains) using OAuth2, and several IMAP accounts to a local Dovecot server.
Gmail accounts have always been set up with OAuth2.
-- at this point, see "what happened" description--
Debugging steps (following googled hints for older issues):
*Cookies were initially off, with an exception for accounts.gmail.com. Enabling cookies made no difference.
*javascript was on.
*useragent.compatMode.firefox option was tried default (false) and true- no difference.
I switched the account to plain IMAP and immediately (in a separate browser window to Gmail) got a warning about a blocked access attempt. Restarted TBird, switched back to OAuth2 and it failed as before. Interestingly, there was no warning email from Google, as if Thunderbird did not even try.
I tried with a fresh profile and had no problem connecting.
Saved passwords for the 3 accounts in one domain were to imap://imap.gmail.com (dated 25-Oct-2021).
The two accounts that still worked had saved passwords for oauth://accounts.google.com dated 24 and 25-Apr-2022, but the one that was failing was dated 2-Nov-2021.
So there was some sort of 6-month renewal required (I remember the oauth2 windows appearing then and wondering why). But for some reason the 3rd account did not go through the renewal process.
I deleted the OAuth saved password and Thunderbird then went through the authentication process and the account started working as normal.
Following Bug 1768542 notes, I checked pkcs11.txt and it was dated 6-Nov-2018.
Actual results:
At some recent time (possibly just after upgrading to 91.9) one of my Google workspace accounts started failing with the pop-up message "Authentication failure while connecting to server imap.gmail.com".
Thunderbird would make no attempt to ask for password re-entry, so it just kept popping up the error message at intervals, or whenever I tried to select a folder for that account.
Similar to Bug 1768542, except that in my case the re-auth window never pops up.
Expected results:
Either a normal connection is established, or Thunderbird should take me through the authentication process again.
> Following Bug 1768542 notes, I checked pkcs11.txt and it was dated 6-Nov-2018.

You say you checked the pkcs11.txt file, but did you exit Thunderbird and delete the files mentioned in bug 1768542 and restart Thunderbird?
Comment 2•3 years ago (Reporter)
I vaguely recall deleting the older cert8, key3 db files some time ago, following up a different problem. I could be wrong, but they were not present in any of my profiles when I checked recently.
secmod.db was not present.
session.json was present in all profiles.
I only found that bug report 1768542 after my system was working properly again, so I mentioned it only to suggest it was possibly not related to my problem. I did not follow any of the steps mentioned in Bug 1768542 .
There is a report of a similar case in Support Forum.
https://support.mozilla.org/en-US/questions/1377675
User says:
> My organization uses Google Workspaces/GSuite, and my supervisor needs about forty mailboxes on his laptop (macOS Monterey). These are accessed through POP, with OAuth2 authentication.
> Previously, when one of these OAuth tokens expired or otherwise became invalid, attempting to check mail on that account would pop up the Google authentication page. Now, it just produces an error message ("The STAT command did not succeed .. Invalid credentials"). In order to re-authenticate to the account, I have to manually go into saved passwords and delete the invalid OAuth token. At that point, attempting to check the mailbox will pop up the authentication page.
Another : https://support.mozilla.org/en-US/questions/1373879
> The STAT command did not succeed. Error getting message number and sizes. Mail server pop.gmail.com responded: Invalid credentials.
On this occasion they were forced to delete all stored OAuth logins, both current and expired.
User reported:
> I finally solved this problem by just totally deleting ALL both old and new passwords for the problem account which forced the Google page to appear asking for the login details.
Comment 5•3 years ago (Reporter)
Just a clarification - the error messages are different, but this probably just relates to whether the connection is via POP or IMAP.
Comment 6•2 years ago (Reporter)
6 months have passed and this problem has reappeared.
Thunderbird 102.5.0 (64-bit) windows 10.
It seems to be affecting only one account, and only in one profile. I will refer to the failing account as bad@domain1 and the other account as good@domain1
When I attempt to look at the inbox (or at 10 minute intervals) I see the following in the error log:
POST https://www.googleapis.com/oauth2/v3/token returns [HTTP/2 400 Bad Request 344ms]
The POST content includes:
    client_id = "xxx",
    client_secret = "xxx",
    grant_type = "refresh_token",
    refresh_token = "xxx"
The client strings are constant within the Thunderbird profile; the refresh_token varies with account, but is constant for each IMAP folder within that account.
The response from the Google server is:
    error "invalid_grant"
    error_description "Token has been expired or revoked."
Upon receiving this, Thunderbird appears to do nothing.
same profile, different account
I went into the Google workspace admin as an experiment and did a "reset sign-in cookies" for account good@domain1.
Selecting a folder for that account then may or may not generate a token refresh request, but that probably depends on whether Thunderbird has previously obtained a token that has not reached its 1 hour expiry time.
Selecting a different folder will eventually find one that gets a 400 response to a token refresh and the login process gets done.
If I try the same process with bad@domain1 I just see repeated token refresh requests getting status 400 replies and Thunderbird does nothing.
same (bad) account, different profile.
I still had the test profile I created when I first encountered this problem - so I opened that profile, and immediately got the login box to enter the credentials for bad@domain1. This succeeded and allowed normal access to the account.
The error log offers the following errors and warnings
about 10 of these:
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name]
onStateChange resource:///modules/OAuth2.jsm:171
Followed once by
Loading failed for the <script> with source “chrome://global/content/netError.js”. neterror:128:4
Also warnings...
Some cookies are misusing the recommended “SameSite“ attribute
Not showing popup notification password with the message Save login for google.com?
However these messages are similar whether reauthentication is done or not, so I don't suppose they point to the cause.
Comparing entries in prefs.js does not throw up anything obvious.
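The token-endpoint exchange in Comment 6 is the crux of the report: a refresh_token grant answered with HTTP 400 and error "invalid_grant", after which the client retries at every polling interval and never falls back to the interactive login. Per RFC 6749 section 5.2, invalid_grant on a refresh token means the token is invalid, expired or revoked, and the only recovery is a new authorization; retrying the same token can never succeed. The following is an added example written for this page, not Thunderbird's OAuth2.jsm or any Mozilla code. It shows the decision a mail client should make on that response: discard the stored refresh token (the step the reporter performed by hand in the saved-passwords dialog) so the next connection attempt drops into the authorization-code flow, while leaving the token alone on transient errors. The token store, the offline stand-in for the Google endpoint, the "live-" prefix convention for valid tokens and the placeholder client credentials are all constructed for the example.

```javascript
// Added example, not Thunderbird's OAuth2.jsm: how a mail client should react when a
// grant_type=refresh_token POST returns 400 invalid_grant, as in the error log above.
// RFC 6749 s.5.2: invalid_grant for a refresh token means it is invalid, expired or
// revoked. The only recovery is a fresh interactive authorization, so the stored
// refresh token must be discarded rather than retried every polling interval.

const TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v3/token"; // from the error log

// In-memory stand-in for the saved-passwords store. Thunderbird keeps the refresh token
// as a login for oauth://accounts.google.com; a real client would use the login manager.
function makeStore(refreshToken) {
  const logins = new Map();
  if (refreshToken) logins.set("oauth://accounts.google.com", refreshToken);
  return {
    getRefreshToken: () => logins.get("oauth://accounts.google.com") ?? null,
    deleteRefreshToken: () => logins.delete("oauth://accounts.google.com"),
    size: () => logins.size,
  };
}

// Constructed offline stand-in for the token endpoint (synchronous, so the example runs
// without a network). Refresh tokens starting with "live-" are treated as still valid;
// anything else is answered exactly the way Google did in the log above.
function fakeTokenEndpoint(url, form) {
  if (url !== TOKEN_ENDPOINT || form.get("grant_type") !== "refresh_token") {
    return { status: 400, json: { error: "unsupported_grant_type" } };
  }
  if ((form.get("refresh_token") || "").startsWith("live-")) {
    return { status: 200, json: { access_token: "ya29.constructed", expires_in: 3599, token_type: "Bearer" } };
  }
  return { status: 400, json: { error: "invalid_grant", error_description: "Token has been expired or revoked." } };
}

// Returns { outcome: "ok" | "reauthorize" | "retry_later", ... }.
// `transport(url, URLSearchParams)` POSTs the form and returns { status, json }.
function refreshAccessToken(store, { clientId, clientSecret, transport = fakeTokenEndpoint }) {
  const refreshToken = store.getRefreshToken();
  if (!refreshToken) {
    return { outcome: "reauthorize", reason: "no refresh token stored" };
  }
  // For an installed application the client_secret is not a real secret; it is sent
  // only because the endpoint expects it. The refresh token is the credential to protect.
  const form = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "refresh_token",
    refresh_token: refreshToken,
  });
  const { status, json } = transport(TOKEN_ENDPOINT, form);
  if (status === 200 && json.access_token) {
    return { outcome: "ok", accessToken: json.access_token, expiresIn: json.expires_in };
  }
  if (status === 400 && json.error === "invalid_grant") {
    // Retrying with this refresh token can never succeed. Drop it so the next
    // connection attempt falls through to the interactive authorization-code flow,
    // which is what deleting the saved OAuth password by hand achieved in the report.
    store.deleteRefreshToken();
    return { outcome: "reauthorize", reason: json.error_description || json.error };
  }
  // Anything else (5xx, invalid_client, transport trouble) is transient or a configuration
  // problem: keep the token and back off rather than forcing the user to log in again.
  return { outcome: "retry_later", status, error: json.error };
}

// Stand-alone demonstration with the two accounts from the report.
if (typeof require !== "undefined" && require.main === module) {
  const creds = { clientId: "client-id-placeholder", clientSecret: "client-secret-placeholder" };
  const good = makeStore("live-good@domain1");
  const bad = makeStore("revoked-bad@domain1");
  console.log("good@domain1:", refreshAccessToken(good, creds).outcome); // ok
  console.log("bad@domain1:", refreshAccessToken(bad, creds).outcome); // reauthorize
  console.log("bad@domain1 again:", refreshAccessToken(bad, creds).reason); // no refresh token stored
}
```

The behaviour described in Comment 6 corresponds to taking the invalid_grant branch without the deleteRefreshToken() call: the stale token stays in the store, every folder selection and 10-minute poll re-sends it, and the user never sees a login prompt. The retry_later branch matters in the other direction: treating a 503 or a network failure as a revocation would throw away a perfectly good refresh token and prompt for credentials unnecessarily.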