1869122 - Autoconfig fails when unsupported OAuth2 is preferred authentication method

Status: RESOLVED FIXED

(Thunderbird :: Account Manager, defect)

Description

[cketti]

FetchConfig will return a config where OAuth2 is the preferred authentication method, even when OAuth2 isn't supported with the incoming or outgoing server. Account setup will then fail with the error message "Could not get OAuth2 details for hostname=…"

Right now this is a problem for the comcast.net configuration in ISPDB. Thunderbird Daily has the necessary OAuth2 credentials for Comcast (see bug 1844810). However, we can't update the config in ISPDB because stable Thunderbird and older versions (without the necessary OAuth2 credentials) would try to use OAuth2 and fail.

My suggestion is to clean up the AccountConfig instance returned by the Autoconfig parser and strip occurrences of OAuth2 when the app doesn't support OAuth2 with the incoming or outgoing server. If there's an alternative authentication method, the app will fall back to that.

In the future this will allow providers (and ISPDB) to publish configs where OAuth2 is the preferred authentication method, even when stable or older versions of Thunderbird don't support it with that provider. Those app versions will then use a fallback authentication method or let the user know that no supported config was found.

Comment 1

[cketti]

Attachment: Bug 1869122 - Ignore OAuth2 from Autoconfig when not supported with the server. r=BenB,mkmelin

Comment 2

[Ben Bucksch (:BenB)]

Thanks for noticing this bug. I thought we already did that.

Yes, it was always the idea that the client would ignore the OAuth2 authentication option, if the client cannot use it, for whatever reason. That's why it's just the first and preferred option, and there is a fallback.

I will review the concrete patch later.

Comment 3

[Ben Bucksch (:BenB)]

Review done. Waiting for revision of the patch.

Comment 4

[cketti]

Attachment: Bug 1869122 - Part 1 - Refactor reading Autoconfig XML. r=BenB,mkmelin

Comment 5

[Magnus Melin [:mkmelin]]

Instead of processing the xml, wouldn't it be simpler to just remove a possible no-op OAuth2 config after fetching. It shouldn't be many lines to add a check, probably around here: https://searchfox.org/comm-central/rev/20293ca81e7f17705aaaf2a395210daddab44106/mail/components/accountcreation/content/accountSetup.js#817

Comment 6

[Ben Bucksch (:BenB)]

I proposed that as well, but cketti correctly pointed out that this will break the fallback mechanisms, so this is not a good place. Details see the review in Phab.

Comment 7

[Magnus Melin [:mkmelin]]

I see. It depends a bit on how we would allow fallbacks. I think we can say, if a config file was found, it must be usable. I never saw a case where we would find two different configs.

Or, we could do such a check slightly earlier, like at https://searchfox.org/comm-central/rev/20293ca81e7f17705aaaf2a395210daddab44106/mail/components/accountcreation/content/accountSetup.js#649 so a success is never called unless it's all good.

Comment 8

[Pulsebot]

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/d9bb43629625
Ignore OAuth2 from Autoconfig when not supported with the server. r=BenB,mkmelin

Comment 9

[Wayne Mery (:wsmwk)]

Nice that we have a full set of tests!
Uplift to 115 after a full clean cycle of beta?

Comment 10

[cketti]

Uplift to 115 after a full clean cycle of beta?

Sounds good to me. I don't think this will cause any problems.

Comment 11

[Wayne Mery (:wsmwk)]

Comment on attachment 9367779 [details]
Bug 1869122 - Ignore OAuth2 from Autoconfig when not supported with the server. r=BenB,mkmelin

[Triage Comment]
Approved for esr115 per comment 10

Comment 12

[Daniel Darnell [:dandarnell]]

Thunderbird 115.8.0:
https://hg.mozilla.org/releases/comm-esr115/rev/f3684112888f