On bad password, Enter New Password does not pop up dialog to enter new password anymore
Categories
(Thunderbird :: General, defect)
Tracking
(thunderbird145+)
| Tracking | Status | |
|---|---|---|
| thunderbird145 | + | --- |
People
(Reporter: bill.gearhiser, Assigned: darktrojan)
References
Details
(Keywords: regression, regressionwindow-wanted)
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Steps to reproduce:
Changed the password of one account (AOL), which triggered the need for a new app password to plug into Thunderbird.
Actual results:
Thunderbird, recognizing that the password didn't work anymore, popped up a window with Retry, Enter New Password, and Cancel buttons. When the Enter... button was chosen, Thunderbird paused for a while then popped up the same window.
Expected results:
Thunderbird should have allowed the user to enter a new password, as in previous versions.
Updated•1 year ago
Comment 1•1 year ago
Confirmed on Mint 22, Thunderbird 128.5.2esr (64-bit) just now, 3/3 tries.
Comment 2•7 months ago
Heya Team, this affects Thundermail / OAuth flows as well. This can occur pretty commonly if a user changes their password. Their only fix right now is to delete the OAuth token from the Saved Passwords dialog in Privacy & Security settings.
Could we get this looked at soon?
Updated•7 months ago
Comment 3•6 months ago (Assignee)
This looks to me like there's something weird happening at both ends.
1. If it was just the SMTP server rejecting the OAuth access token, you would see this dialog, and yes the Enter New Password and Retry buttons achieve nothing useful. (We should at least make them do something or not show the dialog at all.) But the problem would go away when Thunderbird was closed, as access tokens are not remembered across sessions.
2. If it was just the authentication server rejecting the OAuth refresh token, you would see the OAuth login dialog from the authentication server, and filling it would fix the problem.
3. If both tokens were bad, that would be the same as 2.
What I think is happening is the authentication server is accepting the refresh token (despite the password being changed, or whatever happened) and returning an access token that the SMTP server does not accept. This would leave us stuck at 1, even after restarting Thunderbird, as the authentication server would just keep giving us access tokens that don't work.
I have this exact scenario in one of our tests, and if I remove the part that automatically cancels the dialog, it behaves exactly as described in this bug and some others.
Can you confirm that diagnosis (e.g. by looking at the HTTP requests), Mel? Perhaps setting mailnews.oauth.loglevel and mailnews.smtp.loglevel to Debug might help too.
Comment 4•5 months ago
Hey there, sorry for the big delay.
For this test I actually couldn't re-create the reset password triggering this, but I think that was user error. (Me, I'm the user.) So after I reset the password, I manually cleared the session in Keycloak (similar to how a user will eventually be allowed to do so by themselves in the devices page), and that triggered the issue.
This was done on the release channel's 144.0.1 (64-bit) via Fedora 43 and manual tarball install from thunderbird.net.
Here's the console log:
```
mailnews.smtp: Current auth method: XOAUTH2 SmtpClient.sys.mjs:723:17
mailnews.smtp: Authentication via AUTH XOAUTH2 SmtpClient.sys.mjs:752:21
mailnews.oauth: Found existing OAuth2 object for auth.tb.pro OAuth2Module.sys.mjs:147:13
mailnews.smtp: C: Logging suppressed (it probably contained auth information) SmtpClient.sys.mjs:679:19
mailnews.smtp: S: 454 4.7.0 Temporary authentication failure SmtpClient.sys.mjs:452:17
mailnews.smtp: Command failed: 454 Temporary authentication failure; currentAction=_actionAUTH_XOAUTH2 SmtpClient.sys.mjs:578:19
mailnews.smtp: Error during AUTH XOAUTH2, sending empty response SmtpClient.sys.mjs:1125:19
mailnews.smtp: C: SmtpClient.sys.mjs:683:19
mailnews.smtp: S: 500 5.5.1 Invalid command. SmtpClient.sys.mjs:452:17
mailnews.smtp: Command failed: 500 Invalid command.; currentAction=_actionAUTHComplete SmtpClient.sys.mjs:578:19
mailnews.smtp: Authentication failed: Invalid command. SmtpClient.sys.mjs:790:17
```
I tried clicking it a few times. Oddly enough, after a few minutes of clicking, it seems like Thunderbird recognized that the token needs to be refreshed. After it recognized that (see following log), it opened up a new login window.
```
mailnews.smtp: Current auth method: XOAUTH2 SmtpClient.sys.mjs:723:17
mailnews.smtp: Authentication via AUTH XOAUTH2 SmtpClient.sys.mjs:752:21
mailnews.oauth: Found existing OAuth2 object for auth.tb.pro OAuth2Module.sys.mjs:147:13
mailnews.oauth: Making a refresh request to the token endpoint: https://auth.tb.pro/realms/tbpro/protocol/openid-connect/token OAuth2.sys.mjs:324:16
mailnews.oauth: Error response from the authorization server: invalid_grant; Offline user session not found OAuth2.sys.mjs:358:20
mailnews.oauth: Error response details: {"error":"invalid_grant","error_description":"Offline user session not found"} OAuth2.sys.mjs:359:20
mailnews.oauth: Interacting with the resource owner to obtain an authorization grant from the authorization endpoint: < the session url > OAuth2.sys.mjs:161:14
```
Once re-logged in, Thunderbird errored out via timeout:
```
mailnews.smtp: NetworkTimeoutError: a Network error occurred SmtpClient.sys.mjs:476:17
mailnews.smtp: Connecting to smtp://mail.thundermail.com:465 SmtpClient.sys.mjs:141:19
mailnews.smtp: Socket closed. SmtpClient.sys.mjs:550:17
mailnews.smtp: SecurityError info: SmtpClient.sys.mjs:491:21
mailnews.send: Sending failed; The message could not be sent because the connection to Outgoing server (SMTP) mail.thundermail.com timed out. Try again., exitCode=2152398862, originalMsgURI= MessageSend.sys.mjs:343:32
mailnews.oauth: Found existing OAuth2 object for auth.tb.pro OAuth2Module.sys.mjs:147:13
mailnews.smtp: New client instance SmtpClient.sys.mjs:121:17
mailnews.smtp: Connecting to smtp://mail.thundermail.com:465 SmtpClient.sys.mjs:141:19
mailnews.smtp: Connected SmtpClient.sys.mjs:429:17
mailnews.smtp: S: 220 mail.thundermail.com Stalwart ESMTP at your service SmtpClient.sys.mjs:452:17
mailnews.oauth: Found existing OAuth2 object for auth.tb.pro OAuth2Module.sys.mjs:147:13
mailnews.smtp: C: EHLO [192.168.8.124] SmtpClient.sys.mjs:683:19
mailnews.smtp: S: 250-mail.thundermail.com you had me at EHLO
250-SMTPUTF8
250-SIZE 104857600
250-REQUIRETLS
250-PIPELINING
250-NO-SOLICITING
250-ENHANCEDSTATUSCODES
250-CHUNKING
250-BINARYMIME
250-AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER
250 8BITMIME SmtpClient.sys.mjs:452:17
mailnews.smtp: Possible auth methods: XOAUTH2 SmtpClient.sys.mjs:965:17
mailnews.smtp: Current auth method: XOAUTH2 SmtpClient.sys.mjs:723:17
mailnews.smtp: Authentication via AUTH XOAUTH2 SmtpClient.sys.mjs:752:21
mailnews.oauth: Found existing OAuth2 object for auth.tb.pro OAuth2Module.sys.mjs:147:13
mailnews.smtp: C: Logging suppressed (it probably contained auth information) SmtpClient.sys.mjs:679:19
mailnews.smtp: S: 235 2.7.0 Authentication succeeded. SmtpClient.sys.mjs:452:17
mailnews.smtp: Authentication successful. SmtpClient.sys.mjs:1195:17
NS_ERROR_FILE_NOT_FOUND: Component returned failure code: 0x80520012 (NS_ERROR_FILE_NOT_FOUND) [nsIFile.fileSize] SmtpServer.sys.mjs:598
```
Unfortunately there was nothing useful in the Stalwart logs, but I can't easily debug that because we don't get much information unless it's set to TRACE, and that's an insane amount of log writes.
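Added example (not part of the bug thread and not Thunderbird code): a small JavaScript classifier that reads mailnews.smtp / mailnews.oauth console lines like those in comment 4 and reports, for each XOAUTH2 attempt, which of the token states listed in comment 3 the log shows. The outcome labels, and the rule that an attempt without a refresh-request line reused a cached access token, are assumptions of this example.

```javascript
// Added example: label each XOAUTH2 attempt in a Thunderbird console log (labels are this example's own).
const START = /mailnews\.smtp: Authentication via AUTH XOAUTH2/;
const REFRESH = /mailnews\.oauth: Making a refresh request to the token endpoint/;
const AS_ERROR = /mailnews\.oauth: Error response from the authorization server: (\w+)/;
const SMTP_REPLY = /mailnews\.smtp: S: (\d{3})[ -]/;

function outcome(a) {
  if (a.asError) return "refresh-token-rejected"; // case 2: login dialog follows
  if (a.smtpCode === null) return "incomplete";
  if (a.smtpCode === 235) return "ok";
  // SMTP refused the token. Assumption: no refresh line means a cached access
  // token was reused (case 1); a refresh line means a new token was refused.
  return a.refreshed ? "fresh-access-token-rejected" : "cached-access-token-rejected";
}

function classifyAttempts(logText) {
  const attempts = [];
  let cur = null;
  for (const line of logText.split(/\r?\n/)) {
    if (START.test(line)) {
      cur = { refreshed: false, asError: null, smtpCode: null };
      attempts.push(cur);
      continue;
    }
    if (!cur) continue; // nothing before the first AUTH belongs to an attempt
    if (REFRESH.test(line)) cur.refreshed = true;
    const err = line.match(AS_ERROR);
    if (err) cur.asError = err[1];
    const reply = line.match(SMTP_REPLY);
    const code = reply ? Number(reply[1]) : 0;
    // Only 235 or a 4xx/5xx settles AUTH; 220/250/334 are greeting, EHLO or
    // SASL continuation. The first settling reply wins (454 before the 500).
    if ((code === 235 || code >= 400) && cur.smtpCode === null) cur.smtpCode = code;
  }
  return attempts.map(outcome);
}

// Constructed sample: lines shortened from the three logs in comment 4.
const SAMPLE = [
  "mailnews.smtp: Authentication via AUTH XOAUTH2 SmtpClient.sys.mjs:752:21",
  "mailnews.smtp: S: 454 4.7.0 Temporary authentication failure SmtpClient.sys.mjs:452:17",
  "mailnews.smtp: S: 500 5.5.1 Invalid command. SmtpClient.sys.mjs:452:17",
  "mailnews.smtp: Authentication via AUTH XOAUTH2 SmtpClient.sys.mjs:752:21",
  "mailnews.oauth: Making a refresh request to the token endpoint: https://auth.tb.pro/realms/tbpro/protocol/openid-connect/token",
  "mailnews.oauth: Error response from the authorization server: invalid_grant; Offline user session not found",
  "mailnews.smtp: Authentication via AUTH XOAUTH2 SmtpClient.sys.mjs:752:21",
  "mailnews.smtp: S: 235 2.7.0 Authentication succeeded. SmtpClient.sys.mjs:452:17",
].join("\n");
console.log(classifyAttempts(SAMPLE));
```

A "fresh-access-token-rejected" result repeating across restarts would match the stuck state suspected in comment 3, where the authentication server keeps issuing access tokens the SMTP server refuses.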
Comment 5•5 months ago (Assignee)
Does restarting Thunderbird (after getting the auth failure message) make the problem go away?
Comment 6•5 months ago (Assignee)
I'll put up the patch I've been working on anyway, which makes the buttons in that dialog actually do something useful for OAuth2.
Comment 7•5 months ago
It resolved itself after a few minutes. I'm guessing there was some DDoS protection timing me out, but no clue.
While manually poking SMTP with telnet/openssl I found Stalwart's SMTP server very strict. I can help you set up a local copy at some point if you'd like for testing. (It's a Docker file which needs minimal config.)
Thank you!
Comment 8•5 months ago (Assignee)
Updated•5 months ago
Pushed by benc@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/d4fabe6df868
Make the Retry and Enter New Password buttons do something for OAuth2. r=mkmelin