outlook.com-mail-account + Thunderbird 115.2.0 and 115.2.1 + OAuth2 => authorization error messages
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: lizvanlee, Unassigned)
Details
(Whiteboard: [k9 causing too many connections to the ms server])
Steps to reproduce:
I have been using four different outlook.com email-accounts with Thunderbird ever since, each with IMAP+TLS+OAuth2 as incoming server and SMTP+STARTTLS+OAuth2 as outgoing server configuration. A gmail.com-account with the same settings is not affected.
I am using Thunderbird on three PCs, all of them are affected:
- Two Windows 10 Pro 22H2 machines with the Thunderbird versions 115.2.0 and 115.2.1
- A Fedora Linux machine where Thunderbird 115.2.0 is installed via Flatpak
The problem occurs when I open Thunderbird or click on a Folder (presumably because Thunderbird is trying to sync it then.)
It seems to be especially triggered by closing thunderbird and opening it again shortly afterwards, though it does happen without doing so too.
For some time it worked without any problem with version 115.2.0 and prior.
Actual results:
Since Saturday, 9th Sept. 2023, ca. 14:00 GMT my Thunderbirds are producing error messages. The error messages are only regarding the outlook.com-accounts, not the gmail-account.
I encounter constantly popups with the following error messages:
- "...user ist authenticated but not connected"
- "the server is offline"
- something like "authentification error while connecting to server outlook.office365.com"
Also the Page where i should enter the password to create the OAuth-Token keeps opening and closing before it could load completely.
The most astounding thing is, the synchroniziation seems to work nonetheless - more or less.
Thunderbird seems to have problems to remember the OAuth-Tokens after being closed and restarted. When I look in the privacy settings at the saved passwords I can see that the passwort seems to change constantly. In contrast, the Google-gmail.com-account keeps the same passwort.
For some time it worked without any problem with version 115.2.0 and prior.
Here is an entry from the Thunderbird error-log:
"mailnews.oauth: Error response from the authorization server: invalid_grant; AADSTS50196: The server terminated an operation because it encountered a client request loop. Please contact your app vendor.
(...) https://login.microsoftonline.com/error?code=50196"
Expected results:
The error messages should not pop up and Thunderbird should be able to authenticate with OAuth2. The Window to log in to outlook.com to create a new OAuth-Token should not appear constantly. Thunderbird should be able to keep the OAuth2 password between closing and starting the app.
Does the information in bug 1843487 comment #7 citing bug 1848370 comment #3 help?
(In reply to Francesco from comment #1)
Does the information in bug 1843487 comment #7 citing bug 1848370 comment #3 help?
Not really. I was able to overcome the issue by changing my authorization method to "password, normal", but this should only be a temporal workaround since OAuth2 is the future.
The problem which the user Isaac Ribeiro states seems to be related to mine but not equivalent:
Whenever there's a connection issue Thunderbrid seems to delete the cookies, as he tells:
("The problem now is that Thunderbird 115.1.1 deletes the cookies when there is an error in connection requests with the POP3 server, especially when the user has many Hotmail email accounts. This causes memorized passwords to be deleted, requiring the user to re-enter the credentials for OAuth2 authentication, even in the same session.")
This is exactly what my problem is, as Thunderbird doesnt seem to be able to keep the OAuth-Tokens.
His other problem, the credential window being closed without the possibility to interact with it, is actually not a problem of mine, I should have stated that clearer. My credential-window closes instantly because I have saved the password (that one to enter in the credential window) with the Thunderbird password manager. So in my case there is instantly created a new OAuth-Token with the saved password whenever the Window is popping up. My problem is actually the need of Thunderbird for creating a new OAuth-Token in the first place.
Updated•1 year ago
|
Updated•1 year ago
|
Ultimately it was K9-Mail's fault. I set up K9-Mail on my Android devices to receive pushes for all folders and to poll all folders frequently. This lead to too many active connections to the microsoft-server.
Then I tried to decrease the "Maximum Number of server connections to cache" from 5 to 1 and it got slightly better, less error-pop-ups, but they weren't gone at all yet.
Since I deactivated the pushing/polling on K9-Mail the problem is completely gone.
So in my case, OAuth2 wasn't actually the problem. Though there may be a problem with Thunderbird creating new OAuth-Tokens everytime an authentication-request fails, but what do I know ;)
Comment 5•1 year ago
|
||
@cketti: ^^^
Description
•