Saved scopes or other login info breaks Microsoft OAuth2
Categories: Thunderbird :: Security, defect, P1
Tracking: thunderbird_esr115+ fixed, thunderbird118+ fixed
People: Reporter: sancus, Assigned: mkmelin
References: Blocks 1 open bug, Regression
Details: Keywords: regression
Attachments: 2 files (text/x-phabricator-request, 48 bytes each), with flags approval-comm-beta+ and approval-comm-esr115+ set by wsmwk
We discovered that OAuth scopes are saved as prefs on the account level, which means even if we change scopes in the code, they will be retained and potentially break or continue breaking login.
A workaround is to search for "oauth2.scope" in preferences and delete them.
We should eliminate the use of these saved scopes as they have no value while we're using a fixed list of OAuth providers and scopes.
If you can login on a new profile in Beta or 102.7.1+, but cannot on a profile that was created in 102.6.1 or earlier, you may be affected by this bug.
Comment 1 (Assignee) • 1 year ago
This essentially regressed by bug 1685414.
Upgraders from 102 to 115 - with private-type accounts, hotmails etc. - are only seeing it now if they, since bug 1798875, never migrated them to OAuth2 before the upgrade.
Comment 2 (Assignee) • 1 year ago
Add better logging, and always use hardcoded details from the providers we have them for
(everyone, atm. since we don't yet support dynamic registration).
Comment 5 (Assignee) • 1 year ago
And to add to that, private accounts would not normally have the scopes stored, but if someone fiddled with the settings, they could have got saved...
O365 accounts would be broken, but normal password support was dropped there long ago, so they would have been broken much earlier.
Comment 7 (Assignee) • 1 year ago
Probably not as originally posted. When you have a bad scope, you do eventually get a "The message could not be sent because the connection to the Outgoing server (SMTP) smtp.office365.com timed out." so some of the smtp timeout complaints may be due to this. But that's not the message the OP got there.
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/f9be84e0cbec
Handle stale OAuth2 scope. r=leftmostcat
Comment 9 • 1 year ago
Comment on attachment 9353164 [details]
Bug 1814823 - Handle stale OAuth2 scope. r=leftmostcat
[Triage Comment]
Approved for beta
Comment 10 • 1 year ago
bugherder uplift
Thunderbird 118.0b5:
https://hg.mozilla.org/releases/comm-beta/rev/c3bbdd64fcd2
Comment 12 • 1 year ago
For anyone who has not done the workaround, or can undo the workaround ...
you can test 118.0b5 build 1, which has the patch from this bug...
Downloads: Linux, Mac, Windows. If you are
- already on beta, just install this over your existing beta program directory (automatic for Windows users)
- not already on beta, install in its own directory; then on first startup it will create a new test profile for you to configure, leaving your production profile untouched
If you encounter a problem please immediately comment here, and if you can't, then file a new bug report. Note, this is not the final build for 118.0b5.
Comment 13 • 1 year ago
A couple of candidate 1 testers have so far said everything is OK.
Two users however said something like "wiped the gmail account passwords (imap) and I had to enter them before continuing".
Comment 14 • 1 year ago
I can confirm, for my personal gmail account I was forced to go through oauth.
So some further tweaking is required.
Comment 16 (Assignee) • 1 year ago
OK, I see the issue. For accounts created before version 91, we have the old (partial) scope stored for Gmail accounts.
Comment 17 (Assignee) • 1 year ago
Regarding O365, it looks like the https://outlook.office365.com/IMAP.AccessAsUser.All etc. scopes work there - but NOT for private accounts, which need the new ones.
Existing "old" O365 accounts will now get bumped to the new scopes, which work everywhere. Not sure if it's 100% ideal, but it cuts down on the matrix of possible error combinations.
Comment 18 (Assignee) • 1 year ago
This happens with pre-91 profiles, where we used to have the Google scope set to only "https://mail.google.com/".
Comment 19 • 1 year ago
bugherder uplift
Thunderbird 118.0b5:
https://hg.mozilla.org/releases/comm-beta/rev/f4696066bb4e
Comment 20 (Assignee) • 1 year ago
Please back out https://hg.mozilla.org/releases/comm-beta/rev/f4696066bb4e from beta until we have the additional fix available as well.
Comment 21 (Assignee) • 1 year ago
Oh I see, that was the second part. Never mind.
Comment 22 • 1 year ago
Pushed by martin@humanoids.be:
https://hg.mozilla.org/comm-central/rev/863df499650d
Don't update stored OAuth2 scope if we had a narrower version of the scope stored. r=leftmostcat
Comment 26 (Assignee) • 1 year ago
Comment on attachment 9353662 [details]
Bug 1814823 - Don't update stored OAuth2 scope if we had a narrower version of the scope stored. r=leftmostcat
[Approval Request Comment]
Regression caused by (bug #): bug 1685414
User impact if declined: upgraded hotmail users can't authenticate
Testing completed (on c-c, etc.): c-c, beta
Risk to taking this patch (and alternatives if risky): I don't see much alternative.
Comment 28 • 1 year ago
Comment on attachment 9353164 [details]
Bug 1814823 - Handle stale OAuth2 scope. r=leftmostcat
[Triage Comment]
Approved for esr115
Comment 29 • 1 year ago
Comment on attachment 9353662 [details]
Bug 1814823 - Don't update stored OAuth2 scope if we had a narrower version of the scope stored. r=leftmostcat
[Triage Comment]
Approved for esr115
Comment 30 (Assignee) • 1 year ago
Perhaps to note for release notes, O365 users who had the old scope stored will have to re-authenticate. This is expected and unavoidable.
The old scopes have apparently been working at least for some accounts.
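The scope reconciliation described in comments 16, 17, 18, 22 and 30, as an added illustration that is not Thunderbird's code: a known provider's hardcoded scope replaces a stale stored "oauth2.scope" pref (forcing re-authentication), except when the stored scope is a narrower subset of the current one, which is kept so old Gmail accounts are not pushed through OAuth again. The issuer table and the Microsoft scope strings are constructed sample values, not the project's real provider list.

```javascript
// Added illustration, not Thunderbird's code: reconciling the per-account
// "oauth2.scope" pref with the hardcoded scope of a known provider.
// The issuer table below is a constructed sample, not the real provider list.
const PROVIDER_SCOPES = {
  "accounts.google.com":
    "https://mail.google.com/ https://www.googleapis.com/auth/carddav https://www.googleapis.com/auth/calendar",
  "login.microsoftonline.com":
    "offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send",
};

// Split a space-separated OAuth2 scope string into a set of individual scopes.
function scopeSet(scope) {
  return new Set((scope || "").trim().split(/\s+/).filter(Boolean));
}

// True when every scope in `stored` is also in `wanted`, i.e. the stored
// grant is the same as or narrower than what we would ask for today.
function isSubsetScope(stored, wanted) {
  const s = scopeSet(stored);
  const w = scopeSet(wanted);
  if (s.size === 0) return false;
  for (const item of s) {
    if (!w.has(item)) return false;
  }
  return true;
}

// Returns the scope to use for this account and whether the refresh token
// granted for the old scope must be discarded (user re-authenticates).
function resolveScope(issuer, storedScope) {
  const wanted = PROVIDER_SCOPES[issuer];
  if (!wanted) {
    // Unknown issuer: nothing hardcoded to compare against, keep what we have.
    return { scope: storedScope || "", reauth: false };
  }
  if (!storedScope) {
    // Nothing stored yet: there is no old grant to invalidate.
    return { scope: wanted, reauth: false };
  }
  if (isSubsetScope(storedScope, wanted)) {
    // Narrower (or equal) scope already granted: keep the stored value so the
    // existing token stays valid and the user is not forced to log in again.
    return { scope: storedScope, reauth: false };
  }
  // Stale scope containing items the provider no longer expects (e.g. the old
  // outlook.office365.com URLs): switch to the hardcoded scope. The old token
  // cannot be reused for it, so re-authentication is required.
  return { scope: wanted, reauth: true };
}
```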
Comment 31 • 1 year ago
bugherder uplift
Thunderbird 115.3.0:
https://hg.mozilla.org/releases/comm-esr115/rev/e8a762f17c72
https://hg.mozilla.org/releases/comm-esr115/rev/5074b3184820