Closed Bug 1814823 Opened 1 year ago Closed 7 months ago

Saved scopes or other login info breaks Microsoft OAuth2

Categories

(Thunderbird :: Security, defect, P1)

Product:
Thunderbird
Component:
Security
Version:
Thunderbird 102
Type:
defect

Tracking

(thunderbird_esr115+ fixed, thunderbird118+ fixed)

Status:
RESOLVED FIXED
Milestone:
119 Branch
Tracking Flags:
Tracking Status
thunderbird_esr115 + fixed
thunderbird118 + fixed

People

(Reporter: sancus, Assigned: mkmelin)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Bug 1814823 - Handle stale OAuth2 scope. r=leftmostcat
48 bytes, text/x-phabricator-request
wsmwk
: approval-comm-beta+
wsmwk
: approval-comm-esr115+
Details | Review
Bug 1814823 - Don't update stored OAuth2 scope if we had a narrower version of the scope stored. r=leftmostcat
48 bytes, text/x-phabricator-request
wsmwk
: approval-comm-esr115+
Details | Review

We discovered that OAuth scopes are saved as prefs on the account level, which means even if we change scopes in the code, they will be retained and potentially break or continue breaking login.

A workaround is to search for "oauth2.scope" in preferences and delete them.

We should eliminate the use of these saved scopes as they have no value while we're using a fixed list of OAuth providers and scopes.

If you can login on a new profile in Beta or 102.7.1+, but cannot on a profile that was created in 102.6.1 or earlier, you may be affected by this bug.

Blocks: tb-ms-oauth2

This essentially regressed by bug 1685414.

Upgraders from 102 s to 115 - with private type accounts, hotmails etc - are only seeing it now if they since bug 1798875 never migrated them to OAuth2 before upgrade.

Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
status-thunderbird118: --- → affected
status-thunderbird_esr115: --- → affected
tracking-thunderbird118: --- → +
tracking-thunderbird_esr115: --- → +
Keywords: regression
Priority: -- → P1
Regressed by: 1685414
Target Milestone: --- → 119 Branch

Add better logging, and always use hardcoded details from the providers we have them for
(everyone, atm. since we don't yet support dynamic registration).

Duplicate of this bug: 1848370
Duplicate of this bug: 1843487

And to add to that, private accounts would not normally have the scopes stored, but if someone fiddled with the settings, they could have got saved...

O365 accounts would be broken, but normal password support was dropped from there since long, so they would have been broken much earlier.

Magnus does bug 1839787 sound like this one ?

Flags: needinfo?(mkmelin+mozilla)

Probably not as originally posted. When you have a bad scope, you do eventually get a "The message could not be sent because the connection to the Outgoing server (SMTP) smtp.office365.com timed out." so some of the smtp timeout complaints may be due to this. But that's not the message the OP got there.

Flags: needinfo?(mkmelin+mozilla)
Keywords: checkin-needed-tb

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/f9be84e0cbec
Handle stale OAuth2 scope. r=leftmostcat

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

Comment on attachment 9353164 [details]
Bug 1814823 - Handle stale OAuth2 scope. r=leftmostcat

[Triage Comment]
Approved for beta

Attachment #9353164 - Flags: approval-comm-beta+
Duplicate of this bug: 1853503

For anyone who has not done the workaround, or can undo the workaround ...

you can test 118.0b5 build 1 which has the patch from this bug...

Downloads: Linux, Mac, Windows. If you are

  • already on beta, just install this over your existing beta program directory (automatic for Windows users)
  • not already on beta, install in it's own directory, then on first startup it will create a new test profile for you to configure, leaving your production profile untouched

If you encounter a problem please immediately comment here, and if can't then file a new bug report. Note, this is not the final build for 118.0b5.

A couple of candidate 1 testers have so far said everything is OK.

Two users however said something like " wiped the gmail account passwords (imap) and I had to enter them before continuing"

I can confirm, for my personal gmail account I was forced to go through oauth.

So some further tweaking is required.

Flags: needinfo?(mkmelin+mozilla)

To be clear - multiple gmail accounts - about 10.

Ok I see the issue. For accounts created pre version 91, we have the old (partial) scope stored for gmail accounts.

Status: RESOLVED → REOPENED
Flags: needinfo?(mkmelin+mozilla)
Resolution: FIXED → ---

Regarding O365, it looks like the https://outlook.office365.com/IMAP.AccessAsUser.All etc... scopes works there - but NOT for private accounts which need the new ones.
Existing "old" 0365 accounts will now get bumped to the new scopes which work everywhere. Not sure if it's 100% ideal, but it cuts down on the matrix of possible error combinations.

This happens with pre 91 profiles, where we used to have google scope to only "https://mail.google.com/".

Please back out the https://hg.mozilla.org/releases/comm-beta/rev/f4696066bb4e from the beta, until we have the additional fix available as well.

Flags: needinfo?(daniel)

Oh I see, that was the second part. Never mind.

Flags: needinfo?(daniel)
Keywords: checkin-needed-tb

Pushed by martin@humanoids.be:
https://hg.mozilla.org/comm-central/rev/863df499650d
Don't update stored OAuth2 scope if we had a narrower version of the scope stored. r=leftmostcat

Status: REOPENED → RESOLVED
Closed: 7 months ago7 months ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED
Duplicate of this bug: 1844006
Duplicate of this bug: 1784962
Duplicate of this bug: 1852845
No longer duplicate of this bug: 1852845

Comment on attachment 9353662 [details]
Bug 1814823 - Don't update stored OAuth2 scope if we had a narrower version of the scope stored. r=leftmostcat

[Approval Request Comment]
Regression caused by (bug #): bug 1685414
User impact if declined: upgraded hotmail users can't authenticate
Testing completed (on c-c, etc.): c-c, beta
Risk to taking this patch (and alternatives if risky): I don't see much alternative.

Attachment #9353662 - Flags: approval-comm-esr115?
Summary: Saved scopes or other login info breaks Microsoft OAuth → Saved scopes or other login info breaks Microsoft OAuth2

Both patches needed.

Comment on attachment 9353164 [details]
Bug 1814823 - Handle stale OAuth2 scope. r=leftmostcat

[Triage Comment]
Approved for esr115

Attachment #9353164 - Flags: approval-comm-esr115+

Comment on attachment 9353662 [details]
Bug 1814823 - Don't update stored OAuth2 scope if we had a narrower version of the scope stored. r=leftmostcat

[Triage Comment]
Approved for esr115

Attachment #9353662 - Flags: approval-comm-esr115? → approval-comm-esr115+

Perhaps to note for release notes, O365 users who had the old scope stored will have to re-authenticate. This is expected and unavoidable.
The old scopes have apparently been working at least for some accounts.

Duplicate of this bug: 1854264
Duplicate of this bug: 1854694
Duplicate of this bug: 1846240
Duplicate of this bug: 1855766
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: