Open Bug 1891560 Opened 11 months ago Updated 1 month ago

oauth2 workflow fails with NS_ERROR_CONNECTION_REFUSED against localhost (gmail)

Categories: Thunderbird :: Account Manager, defect (Thunderbird 115)
Tracking: Not tracked
Status: UNCONFIRMED
People: Reporter: mqudsi, Unassigned
Attachments: 2 files

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Steps to reproduce:

Try to add a Gmail mail account with OAuth2 authentication.

Actual results:

The OAuth2 pop-up dialog is shown and I am able to complete the process on the Google end of things, but then at the last step (when it's supposed to redirect w/ the token to the destination app) the prompt is closed but authentication fails (and I get a Thunderbird notification telling me the same).

Expected results:

OAuth2 workflow should have succeeded.

Attached file imap log

Viewing the network requests tab in the debugger reveals that the issue is that no connection can be made to the oauth2 listener on localhost; the network requests reveal the redirect to localhost was emitted successfully on Google's end, but Thunderbird cannot load the URL in question, with NS_ERROR_CONNECTION_REFUSED returned. I can confirm that at no point during the oauth2 flow is there anything listening on localhost:443 or localhost:80.

Logging `imap:5` reveals the following unhelpful messages (I cannot figure out if there is a separate module for the oauth2 client webserver that I should be monitoring in addition/instead): https://pastebin.com/9xaKyUD4

Trying the exact same steps with Thunderbird Daily 126.0a1 works just fine. I don't have any development web servers listening on localhost, so this isn't bug #1748416.

(In reply to Mahmoud Al-Qudsi from comment #0)

> User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
>
> Steps to reproduce:
>
> Try to add a Gmail mail account with OAuth2 authentication.
>
> Actual results:
>
> The OAuth2 pop-up dialog is shown, I am able to complete the process on the Google end of things, but then at the last step (when it's supposed to redirect w/ the token to the destination app) the prompt is closed but authentication fails (and I get a Thunderbird notification telling me the same).

What is the exact wording, or screen shot?

Does Bug 1858976 - gmail OAuth2 localhost problem - JavaScript error: chrome://global/content/aboutNetError.mjs, line 985: TypeError: document.getFailedCertSecurityInfo is not a function - describe your problem? Or any of https://mzl.la/4cXqcFe?

Flags: needinfo?(mqudsi)
Summary: oauth2 workflow fails with NS_ERROR_CONNECTION_REFUSED against localhost → oauth2 workflow fails with NS_ERROR_CONNECTION_REFUSED against localhost (gmail)

After enabling further debug logging, I found the closest existing issue to be #1849692, though it's not identical.

I get the same NS_ERROR_ABORT: User canceled primary password entry error with a similar call stack, but I have successful mailnews.oauth messages before (and no other errors, unlike that issue):

```
mailnews.oauth: Successful response from the authorization server: {
  "access_token": "redacted",
  "expires_in": 3599,
  "refresh_token": "redacted",
  "scope": "https://www.googleapis.com/auth/carddav https://mail.google.com/ https://www.googleapis.com/auth/calendar",
  "token_type": "Bearer"
}
```

then the NS_ERROR_ABORT followed by the mailnews.oauth logging that failure:

```
mailnews.oauth: Connection to authorization server failed: [Exception... "User canceled primary password entry"  nsresult: "0x80004004 (NS_ERROR_ABORT)"  location: "JS frame :: resource://gre/modules/crypto-SDR.sys.mjs :: encrypt :: line 87"  data: no]
mailnews.oauth: Interacting with the resource owner to obtain an authorization grant from the authorization endpoint: https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<redacted>
```

So I guess it's receiving the token as redirected to localhost, but something else is happening. The oauth2 dialog closes on its own after the redirect, is that being interpreted as "User cancellation" somehow?

Flags: needinfo?(mqudsi)
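
Added example, not part of the original bug thread or of Thunderbird's code: a small Python helper that blanks token values in `mailnews.oauth` log output before it is shared, and reports whether the logged exception came after a successful token response, as in the comment above. The sample log is constructed from the lines quoted in this bug; the function names and the list of redacted parameters are assumptions.

```python
import json
import re

# Constructed sample modelled on the mailnews.oauth lines quoted in this bug;
# the token and client_id values are made up.
SAMPLE_LOG = '''mailnews.oauth: Successful response from the authorization server: {
  "access_token": "ya29.constructed-access",
  "expires_in": 3599,
  "refresh_token": "1//constructed-refresh",
  "token_type": "Bearer"
}
mailnews.oauth: Connection to authorization server failed: [Exception... "User canceled primary password entry"  nsresult: "0x80004004 (NS_ERROR_ABORT)"  location: "JS frame :: resource://gre/modules/crypto-SDR.sys.mjs :: encrypt :: line 87"  data: no]
mailnews.oauth: Interacting with the resource owner to obtain an authorization grant from the authorization endpoint: https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=constructed-id.apps.example
'''

# Assumed list of fields worth blanking: bearer material and per-flow values.
SECRET_JSON = re.compile(r'("(?:access_token|refresh_token|id_token)"\s*:\s*)"[^"]*"')
SECRET_QUERY = re.compile(r'([?&](?:client_id|code|code_verifier|state)=)[^&\s]+')
EXCEPTION = re.compile(r'\[Exception\.\.\. "(?P<msg>[^"]*)"\s+nsresult: '
                       r'"(?P<code>0x[0-9a-fA-F]+) \((?P<name>\w+)\)"\s+location: "(?P<loc>[^"]*)"')

def redact(log):
    """Blank token values and sensitive query parameters before sharing a log."""
    log = SECRET_JSON.sub(r'\1"redacted"', log)
    return SECRET_QUERY.sub(r'\1redacted', log)

def triage(log):
    """Say whether a token response was logged and where a later exception was raised."""
    ok_at = log.find("Successful response from the authorization server")
    result = {"token_received": ok_at != -1, "failure": None, "stage": "no failure logged"}
    m = EXCEPTION.search(log, max(ok_at, 0))
    if m:
        # location looks like "JS frame :: <module URL> :: <function> :: line N"
        frame = (m.group("loc").split(" :: ") + ["", ""])[:3]
        result["failure"] = {"nsresult": m.group("name"), "message": m.group("msg"),
                             "module": frame[1].rsplit("/", 1)[-1], "function": frame[2]}
        result["stage"] = "after token exchange" if ok_at != -1 else "before token exchange"
    return result

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```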

I also experience this error on "comcast" oauth authentication. This is on re-authentication. I was able to authenticate originally about a month ago but now I experience this error immediately on popup.

See Also: → 1748416