oAuth2 and Gmail

User Help for Mozilla Thunderbird
pftavares
Posts: 22
Joined: May 18th, 2022, 3:16 pm

oAuth2 and Gmail

Post by pftavares »

I'm a long time user of Linux Mint. Now on 20.3 and Cinnamon desktop.
Also a long time user of Thunderbird. Now in version 91.8.1
Always used the "allow insecure apps" in my gmail account settings and used normal password stored in Thunderbird.
Google urges to change the authentication method to oAuth2.
Tried everything to no avail. Always "authentication fails when connecting to imap.gmail.com"
Cleared all cookies, allowed them, deleted all saved passwords, followed all published advice I could find, and nothing.
Then I made a brand new profile pointing to an empty dir and entered my gmail address and checked everything. Same result.
In despair I installed Evolution and all run fine at the first try.
Should I really give up on Thunderbird?
Thanks in advance for any help!
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: oAuth2 and Gmail

Post by tanstaafl »

Did you get the popup where it asks for your login credentials and permission for Thunderbird to use Gmail via OAuth2? Did it say it succeeded?

That would create a token that gets stored by the password manager. Is there a token there? You should see oauth://accounts.google.com (https://mail.google.com/ https://www.googleapis.com/auth/carddav https://www.googleapis.com/auth/calendar) listed in the provider column if it is. Notice that URL starts with oauth:// (OAuth2), not imap:// (IMAP) or mailbox:// (POP).

The popup is not from a browser, its from Thunderbird. The most common problem is that cookies are disabled for some reason (they're enabled by default). It creates a accounts.google.com cookie. It doesn't create one for gmail.com.

I suggest you delete the password (not the token) for both the gmail account and its smtp server and restart (because the deleted passwords are still stored in memory) before you try again so that its clear that any login failures were due to the token.

See if https://www.supertechcrew.com/thunderbird-oauth2-gmail/ helps. It has screen shots.

If this doesn't help don't give up. Tell us how far you got (what prerequisites succeeded), and we'll try something different.
pftavares
Posts: 22
Joined: May 18th, 2022, 3:16 pm

Re: oAuth2 and Gmail

Post by pftavares »

Thanks for the prompt reply!
Did you get the popup where it asks for your login credentials and permission for Thunderbird to use Gmail via OAuth2? Did it say it succeeded?
I get a first popup with my email already filled in, I click "Next" and I get a second popup asking for password, then I get a third popup telling me to confirm in my phone, then I get a question in my phone asking if it's me that's trying to login and I answer "Yes, it's me", then I get a fourth popup asking if I want to allow Thunderbird to access my Google account and I answer "Allow". Then on the upper right corner appears a black box for a few seconds saying "authentication fails while connecting to imap.gmail.com".
My cookies box are empty and so is my saved passwords box. Cookies are allowed/enabled for all third-party with no exceptions.
My default browser in the system is Chrome, by I changed the provider in Thunderbird to Mozilla with the Config editor (an advice I read somewhere...)
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: oAuth2 and Gmail

Post by tanstaafl »

You should not have gotten the third popup telling you to confirm in your smartphone. You should only have gotten the popups described in https://www.supertechcrew.com/thunderbird-oauth2-gmail/

Do you have two step verification enabled? That requires you to use a application specific password (you create one on google.com) instead of your accounts normal password since Thunderbird doesn't know how to enter a security code. However, I suspect you have some other security feature enabled in your google.com security settings that is causing this. Perhaps due to enabling "security checkup".

The popup on your Linux system is not being displayed by whatever browser Thunderbird is configured to use when you click on a link in a message. Thunderbird is creating the popup using its own copy of the Gecko layout engine. So you need to enable cookies in tools -> preferences -> privacy & security in Thunderbird, not Firefox.

http://kb.mozillazine.org/Changing_the_ ... hunderbird
https://www.intego.com/mac-security-blo ... -settings/
pftavares
Posts: 22
Joined: May 18th, 2022, 3:16 pm

Re: oAuth2 and Gmail

Post by pftavares »

I have two steps authentication enabled in my Google account and my smartphone got verified by Google.
Enabling the "two steps" was one of the many advises I read but it changed nothing in relation to the problem.
It only introduced that extra popup to remind me to do the OK in the phone, besides the normal password in the computer.
I've tried to disable it and return to the one step classic authentication and the base problem persist.
As I told you all cookies are allowed in Thunderbird.
pftavares
Posts: 22
Joined: May 18th, 2022, 3:16 pm

Re: oAuth2 and Gmail

Post by pftavares »

This is what error console says during (failed) autehntication in Thunderbird. Don't have a clue of what all this means and don't know if it helps...

NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
Empty string passed to getElementById(). browser-custom-element.js:391:22
TypeError: PopupNotifications is undefined LoginManagerPrompter.jsm:776:24
_showLoginCaptureDoorhanger resource://gre/modules/LoginManagerPrompter.jsm:776
promptToSavePassword resource://gre/modules/LoginManagerPrompter.jsm:141
onFormSubmit resource://gre/modules/LoginManagerParent.jsm:1018
AsyncFunctionNext self-hosted:692
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
Empty string passed to getElementById(). browser-custom-element.js:391:22
NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS: [JavaScript Error: "PopupNotifications is undefined" {file: "resource://gre/modules/LoginManagerPrompter.jsm" line: 776}]'[JavaScript Error: "PopupNotifications is undefined" {file: "resource://gre/modules/LoginManagerPrompter.jsm" line: 776}]' when calling method: [nsILoginManagerPrompter::promptToSavePassword] LoginManagerParent.jsm:1018
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
Some cookies are misusing the recommended “SameSite“ attribute 14
Cookie “SIDCC” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/ ... e/SameSite approval
Cookie “SIDCC” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/ ... e/SameSite approval
Cookie “SIDCC” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/ ... e/SameSite 2 log
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 2 OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified 2
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. dashboard
Loading failed for the <script> with source “http://localhost/dashboard/javascripts/modernizr.js”. dashboard:19:1
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: oAuth2 and Gmail

Post by tanstaafl »

I suggest you disable two step verification until after you've successfully added the account, and try adding the account while running in safe mode (help -> troubleshoot mode) . Safe mode does more than just disabling your add-ons, it also disables hardware acceleration, the two optional user*.css files etc..

Its not clear what those errors mean. They're mainly Oauth2 and cookie related but its common to have errors in the error console that can be just ignored. For example my copy of Thunderbird is working well (and I have a IMAP Gmail account using OAuth2) but I have:

Unexpected event profile-after-change URLQueryStrippingListService.jsm:224
Security Error: Content at chrome://messenger/skin/shared/tabmail.css may not load or link to moz-extension://ad08c68f-3f60-4bcc-ad25-4f8dcf2597bd/soft-paper-persona-header.jpg.
Uncaught TypeError: gFolderDisplay is null
get currentViewValue chrome://messenger/content/msgViewPickerOverlay.js:98
RefreshViewPopup chrome://messenger/content/msgViewPickerOverlay.js:171
RefreshAllViewPopups chrome://messenger/content/msgViewPickerOverlay.js:154
ViewPickerOnLoad chrome://messenger/content/msgViewPickerOverlay.js:293
msgViewPickerOverlay.js:98:9
1652979057093 tbsortfolders.folderPane DEBUG Init
1652979057094 tbsortfolders.folderPane DEBUG Add observer
1652979057104 tbsortfolders.folderPane DEBUG Init 2
1652979057104 tbsortfolders.folderPane DEBUG Add observer 2
Unknown Collection "thunderbird/query-stripping" RemoteSettingsClient.jsm:160
services.settings: thunderbird/hijack-blocklists has signature disabled RemoteSettingsClient.jsm:1027
Win error 2 during operation open on file C:\Users\Eric\AppData\Roaming\Thunderbird\Profiles\i2h0a3a2.default-release\TbSync\accounts68.json (The system cannot find the file specified.

) db.js:51
Win error 2 during operation open on file C:\Users\Eric\AppData\Roaming\Thunderbird\Profiles\i2h0a3a2.default-release\TbSync\folders68.json (The system cannot find the file specified.

) db.js:51
Win error 2 during operation open on file C:\Users\Eric\AppData\Roaming\Thunderbird\Profiles\i2h0a3a2.default-release\TbSync\changelog68.json (The system cannot find the file specified.

) db.js:51
Win error 2 during operation open on file C:\Users\Eric\AppData\Roaming\Thunderbird\Profiles\i2h0a3a2.default-release\TbSync\accounts.json (The system cannot find the file specified.

) db.js:108
2147942487 ContentDispatchChooser.jsm:287
Start backup check
2147942487 ContentDispatchChooser.jsm:287
pftavares
Posts: 22
Joined: May 18th, 2022, 3:16 pm

Re: oAuth2 and Gmail

Post by pftavares »

I suggest you disable two step verification until after you've successfully added the account, and try adding the account while running in safe mode
I tried for weeks those exact conditions before coming here and bothering you!
Then in a forum somewhere I read that "two-step" was important to success.
Then I disabled it again and tried again, and nothing changed.
Now I've re-enabled it as it looks like a good idea for security.
Knowing close to nothing, I have a feeling that the secret must be in the Advanced Preferences in the Config editor, but all that I see is chinese to me...
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: oAuth2 and Gmail

Post by tanstaafl »

I logged into https://myaccount.google.com/security .

Signing in to Google has both "use your phone to sign in" and "2-step verification" off.

Thunderbird is listed under "Third-party apps with account access"

"Enhanced Safe Browsing for your account" is off.

"Less secure app access" is off and has some text warning that the setting won't matter soon anyways.

"Ways we can verify it's you" is probably irrelevant but I have a recovery phone and email address listed. The email address is verified but the phone# isn't since the verification procedure wants to send a text message (its not a smartphone).

I suggest you try disabling "use your phone to sign in" too. The simpler/more mainstream a configuration the better.
pftavares
Posts: 22
Joined: May 18th, 2022, 3:16 pm

Re: oAuth2 and Gmail

Post by pftavares »

Did all that.
Even tried a beta3 version of Thunderbird 101.
The only thing that changed is the disappearance of the popup asking to confirm on the phone.
The problem remains...
In my Google account the only apps with access are Cardbook and Evolution.
User avatar
BuddhaNature
Posts: 537
Joined: January 3rd, 2008, 9:44 am
Location: Scotland

Re: oAuth2 and Gmail

Post by BuddhaNature »

This might be a long-shot, but I have a Yahoo IMAP account that uses OAuth2. For months I used to get multiple issues with it, sometimes with 'verifying' the account, and often with fails to connect. I did in the end find a fix and detail it in a post in this thread: http://forums.mozillazine.org/viewtopic ... #p14926435

Might be worth a try, you have nothing to lose. (But like I say, it's a long-shot for what you are describing.)
OS: Windows 10 Pro. x64
pftavares
Posts: 22
Joined: May 18th, 2022, 3:16 pm

Re: oAuth2 and Gmail

Post by pftavares »

Tried to use Betterbird but it says it's an old version (that might not be compatible...) although I downloaded the one with "latest" in the title...
pftavares
Posts: 22
Joined: May 18th, 2022, 3:16 pm

Re: oAuth2 and Gmail

Post by pftavares »

Anyway I installed it creating a new empty profile and it says "Unable to login at server. Probably wrong configuration, username or password"
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: oAuth2 and Gmail

Post by tanstaafl »

pftavares wrote:Tried to use Betterbird but it says it's an old version (that might not be compatible...) although I downloaded the one with "latest" in the title...
Add a --allow-downgrade command line argument to the shortcut tab in the shortcuts properties as in:

""C:\Program Files\Mozilla Thunderbird\thunderbird.exe" --allow-downgrade

"C:\Program Files\Betterbird\betterbird.exe" --allow-downgrade

The error message is due to either the dedicated profile per instance feature (most common) or due to some schema or file from a different version being detected. I share a profile with Thunderbird 91.9.0 and Betterbird 91.8.0-bb29 with no problems
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: oAuth2 and Gmail

Post by tanstaafl »

pftavares wrote:Anyway I installed it creating a new empty profile and it says "Unable to login at server. Probably wrong configuration, username or password"
That's from the new account wizard and usually means either a problem with the mail server name, port number, or the SSL/TLS setting. You have a tcp-ip connection to something, but its useless.

A wrong username , password or authentication method usually gets a different error message.
Post Reply