Closed Bug 1785240 Opened 2 years ago Closed 2 years ago

Add OAuth2 support for Fastmail. And OAuth2 PKCE (RFC 7636).

Categories

(Thunderbird :: Account Manager, enhancement)

enhancement

Tracking

(thunderbird_esr102+ affected)

RESOLVED FIXED
109 Branch
Tracking Status
thunderbird_esr102 + affected

People

(Reporter: mozilla, Assigned: mozilla)

References

(Blocks 1 open bug)

Details

Attachments

(3 files, 1 obsolete file)

Attached file fastmail-oauth2.patch

Steps to reproduce:

Fastmail recently added OAuth2 support and corresponding XOAUTH2/OAUTHBEARER (rfc7628) support to IMAP/POP/SMTP and Bearer token support to CardDAV/CalDAV (rfc6750).

I've written what I think is a fairly complete patch (see attached .patch file) which adds Fastmail as a configured OAuth2 provider. Following modern best practice, Fastmail requires PKCE (rfc7636) support without a shared secret which Thunderbird didn't already have, so I've added support for that as well.

The final part to getting this to "just work" is Fastmail changing its XML autoconfig file to return an additional <authentication>OAuth2</authentication> element on each <incomingServer> and <outgoingServer> element. I'm hoping this change will be deployed soon on the Fastmail side.

Please let me know if there's anything I can do to help with getting this into the TB code base.

Thanks, if possible, can you upload the patch through Phabricator? See https://moz-conduit.readthedocs.io/en/latest/phabricator-user.html
It's way easier for review and updating.
When installed set the commit message as "Bug 1785240 - add Oauth2 for fastmail. r=mkmelin". Then moz-phab . will take care of the rest.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → mozilla
Status: NEW → ASSIGNED

(In reply to Magnus Melin [:mkmelin] from comment #1)

> Thanks, if possible, can you upload the patch through Phabricator? See https://moz-conduit.readthedocs.io/en/latest/phabricator-user.html
> It's way easier for review and updating.
> When installed set the commit message as "Bug 1785240 - add Oauth2 for fastmail. r=mkmelin". Then moz-phab . will take care of the rest.

I've done this now, I've never used moz-phab before so I think I got this right. Let me know if there's anything else I can help with.

Just an FYI, the Mozilla wiki says:

https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
> Note that there are two <authentication> elements. This allows a
> fallback, in case a client does not support OAuth2 or does not have a
> client key for this OAuth2 issuer and therefore cannot authenticate with
> this issuer.

I added this recently so that testing this patch could work. However, since then we've had multiple people reporting that they can't currently set up Thunderbird with Fastmail automatically; they get an error (see the attached image).

Because of this, I'm about to remove the <authentication>OAuth2</authentication> element from our generated auto-config data, which should hopefully make this error go away. The downside is it means the moz-phab patch won't work quite correctly either, because it will still try password auth.

Unless I'm missing something, this means at the moment there's no way to gracefully roll out an updated oauth capability for a site right now, so that passwords work fine for older TB users, but newer TB users (once the patch is applied) would get oauth automatically.

Rob, do you have a revision?

Flags: needinfo?(mozilla)
Blocks: 1310389

Add PKCE (RFC 7636) support in OAuth2.

Add the required issuer details for Fastmail in OAuth2Providers.

Separate CalDavGoogleOAuth into a CalDavOAuth base class for
both google and fastmail support.

Fix a bug where the Authorization header was not being copied
to the next request after a redirect in the oauth caldav
auth adaptor.

(In reply to Wayne Mery (:wsmwk) from comment #6)

> Rob, do you have a revision?

I've created a new revision of this that works on the latest hg tip given the oauth issuer format changes since my original version.

I also spent a bunch of time trying to track down why the oauth caldav integration wasn't working and finally tracked it down to a bug where I believe the wrong header was being copied from one request to the next during a redirect. I've fixed that as well.

I was able to get the entire setup process working for mail, contacts and calendars on my Fastmail testbed using these changes. However they won't currently work on Fastmail production because the Fastmail mozilla autodiscovery is returning <authentication>password-cleartext</authentication> rather than <authentication>OAuth2</authentication>. We did try returning both a while back based on the documentation at https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat#OAuth2 which says:

"Note that there are two <authentication> elements. This allows a fallback, in case a client does not support OAuth2 or does not have a client key for this OAuth2 issuer and therefore cannot authenticate with this issuer."

We tried enabling that a while back, but it does not work correctly and causes errors to be displayed to users, so we had to disable it again.
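The redirect problem mentioned above concerns which headers a bearer-token client carries to the next request. The following is an added Node.js example, not code from the patch or from Thunderbird: it copies the Authorization header across a redirect only when the target stays on the same origin, so a CalDAV/CardDAV bearer token (RFC 6750) is never sent to a third-party host, and it applies the usual method changes for 303 and for POST on 301/302. The function, the sample request and the hostnames are constructed for illustration.

```javascript
// Build the follow-up request for an HTTP redirect of a bearer-token request.
function followRedirect(req, status, location) {
  const from = new URL(req.url);
  const to = new URL(location, from);          // Location may be relative to the request URL
  let method = req.method;
  // 303 always becomes GET; 301/302 turn a POST into GET (fetch semantics);
  // 307/308 (and 301/302 for other methods) keep the method and body.
  if (status === 303 || ((status === 301 || status === 302) && method === "POST")) {
    method = "GET";
  }
  const headers = { ...req.headers };
  // Origin comparison covers scheme, host and port, so an https -> http
  // downgrade or a different host both count as cross-origin.
  if (from.origin !== to.origin) {
    delete headers.Authorization;              // never leak the bearer token elsewhere
  }
  const body = method === "GET" ? null : req.body;
  if (body === null) {
    delete headers["Content-Type"];            // the body is dropped with the method change
  }
  return { url: to.toString(), method, headers, body };
}

// Constructed sample: a PROPFIND against a CalDAV principal URL that gets redirected.
const sampleRequest = {
  url: "https://caldav.example.test/dav/principals/",
  method: "PROPFIND",
  headers: { Authorization: "Bearer token-placeholder", "Content-Type": "application/xml" },
  body: "<propfind/>",
};
```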

Flags: needinfo?(mozilla)
Attachment #9291260 - Attachment is obsolete: true

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/04499be83997
Add OAuth support for Fastmail, and OAuth2 PKCE (RFC 7636) support. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch
Summary: Add OAuth2 support for Fastmail → Add OAuth2 support for Fastmail. And OAuth2 PKCE (RFC 7636).
See Also: → 1856322