gmail oauth account setup shows blank contents page if the account has a passkey added
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: mozilla.distinct479, Unassigned, NeedInfo)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Whiteboard: [snnot3p])
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Steps to reproduce:
- Download and install fresh copy of Thunderbird 114.0b5 (64-bit)
- Enter gmail credentials and login
- Confirm email address in popped up oauth web page
Actual results:
After confirming the email address on the first web page, the browser is redirected to a blank page with no buttons nor any other way to interact with the page.
Expected results:
There should have been a prompt for a password, totp, or other kind of authentication.
Issue appears to happen due to the gmail account having 2 passkeys added to it.
After removal of the passkeys the authentication continues as normal (webpage asks for password) and succeeds after entering totp code and accepting oauth permissions.
host: macOS 12.4
Comment 1•2 years ago
If a passkey is part of the steps to reproduce, it should be listed as one of the steps ;)
I should think this would also happen in version 102
FIDO2 support is enabled in Firefox starting with 114. This is a requirement for passkey.
Passkey support in Firefox appears to still be a work in progress. Bug 1792433 and Bug 1838015
I really do not see how anything can be done in Thunderbird as the Mozilla platform apparently does not support the authentication method.
Do you have any suggestions Wayne?
Comment 3•2 years ago
I agree.
Comment 5•2 years ago
Progress was made in Bug 1869374 - let passkey support on macOS ride the trains - linked to Bug 1792433, but it looks like this won't be in a Thunderbird version until 128 this summer.
Comment 7•2 years ago
Not sure it is related to this bug, but with 125.0b2 on Mac I am seeing oauth dialogs for most or all of my gmail accounts. And for my thunderbird.net account this blank screen. Account settings are unchanged and appear to all be correct.
Error console has
The IMAP server imap.gmail.com does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server settings'.
and
Quota 'imap' is not a valid scheme!: OriginParser.cpp:165
01:04:08.300 Quota Origin 'imap+++mail.lehigh.edu+993+' failed to parse, handled tokens: : OriginParser.cpp:71
01:04:08.301
Uncaught NS_ERROR_FAILURE:
exports https://cdn.sso.mozilla.com/nlx/ef06f95c4fe4faae14fba326d2fccefa83527065/js/main.js:1
Comment 8•1 year ago
Wayne, do you still have the problem of comment 7?
Also see bug 1831633 comment 15 and 16. This bug is/was probably about the same thing.
Comment 9•1 year ago
Reporter, do you still have this issue in Thunderbird v128?
Comment 10•1 year ago
It just so happened I did a re-installation of Thunderbird and hence a re-test of this issue. My current experience: a fresh Thunderbird installation (128.7.0esr (64-bit)), which reports being up to date.
Using a fresh profile, it starts with getting the account. Using my gmail account it works like a charm. After connecting this first account, I open the settings to alter my preferences: store everything in maildir format instead of mailbox, and update/alter my privacy settings like cookies and such.
After this I can add other accounts like from my provider and other gmail accounts without any problem. However, my first gmail account is not in maildir format, it still uses the mailbox format.
New, fresh profile. Now skip the account connection and do the preferred settings for mail storage and such (maildir vs. mailbox, privacy, cookies and such) and then connect mailboxes: the provider's mailbox works. However it appears that Google mailboxes (or is it oauth related?) need some cookies or such.
In the end, I nailed it down to the following: Google accounts use webpages to process the oauth settings. This process likes cookies. Hence, for Google (or all oauth security/access): you might need to accept cookies from sites. As far as I've discovered, Google does not need third-party cookies.
Maybe somewhere in the documentation, maybe around the privacy settings or around oauth settings, there might be a message about the possible use of cookies in this authentication process. If there is, I might have missed the message...
For this issue: from my point of view, it can be closed.
Comment 11•1 year ago
@ Corné Beerse
Yes, OAuth setup uses cookies. That is why it is documented that way on the support site.
https://support.mozilla.org/en-US/kb/automatic-conversion-google-mail-accounts-oauth20
and https://support.mozilla.org/en-US/kb/thunderbird-and-gmail#w_updating-a-gmail-account-to-use-oauth
Comment 12•1 year ago
FWIW I haven't seen this in recent months. TBH I've lost track of most of the context.
(In reply to Wayne Mery (:wsmwk) from comment #5)
Progress was made in Bug 1869374 - let passkey support on macOS ride the trains - linked to Bug 1792433,
(In reply to Matt from comment #6)
Should there be user documentation? Who does that? Is it Roland?
Not sure what doc we'd want. FWIW the Mac documentation link has changed. I think the current equivalent would be https://support.apple.com/guide/passwords/passkeys-mchl4af65d1a/mac
Comment 13•1 year ago
I've filed an issue to document the SUMO knowledge base: MODIFY:: Thunderbird and gmail article needs to document passkey support #76
Comment 14•1 year ago
Not exactly the topic of this bug, but what would Thunderbird support for passkeys look like?
If I could install Bitwarden as an add-on for Thunderbird, fine. Bitwarden is where I manage my passkeys.
If it were like storing passkeys in Thunderbird, I wouldn't use that.
Comment 15•1 year ago
(In reply to Christian Riechers from comment #14)
Not exactly the topic of this bug, but what would Thunderbird support for passkeys look like?
If I could install Bitwarden as an add-on for Thunderbird, fine. Bitwarden is where I manage my passkeys.
If it were like storing passkeys in Thunderbird, I wouldn't use that.
From a user's point of view, I'd say passkeys can be used at multiple levels in Thunderbird. However, it is not always the best way to gain access. At the configuration of accounts, it is most likely used only to set the connection. There passkeys have the disadvantage that their access is time limited. Hence, it is not the most practical way to get connected.
Comment 16•6 months ago
Passkeys still don't work on macOS, but we know that's blocked on bug 1864920. Since the original issue (a blank page with no errors or ways to continue) seems to no longer occur, I'm going to close this. Further discussion on how passkeys should work on Thunderbird can continue in other existing or new issues.
Comment 17•23 days ago
FYI, experiencing "gmail oauth account setup shows blank contents" today on TB 151b1.
This is for the third account to be added, this one has no passkey (but the two others -- functioning -- do).
Note: this is for a Google Workspace email account.
Giving up for now.