MozillaZine

Multiple Gmail accts not authenticating on two devices (Mac)

User Help for Mozilla Thunderbird
Raderick
 
Posts: 16
Joined: May 1st, 2006, 11:45 pm

Post Posted October 29th, 2019, 11:02 am

Hello!

Starting last week, I began having issues where Google Calendar within Thunderbird continued to ask for credentials to update. It would not fully authenticate and update my calendar. I decided to removed the email account from Thunderbird from MacBook Pro 1, and re-add. When attempting to re-add the email account, I went through "Set Up an Existing Email Account", threw in the correct credentials, then I received the Google "Enter credentials for (email account) on imap.gmail.com" window. I again entered the proper credentials, went through the proper 2FA verification step on my mobile device. Got the "Mozilla Thunderbird Email wants to access your Google Account" prompt, which I allowed. However, going back to the initial "Set Up an Existing Email Account" window, I got the message "Unable to log in at server. Probably wrong configuration, username, or password."

For kicks, I plugged in the same credentials on Mac Book Pro 2, and experience the exact same issue. Furthermore, I attempted to plug in two different sets of gmail email credentials (neither of these two accounts have 2FA enabled at the moment), with the same results, on both MacBook Pro 1 and MacBook Pro 2. This leads me to believe that Thunderbird is not fully authenticating something, or not sending over some sort of login token to Google.

I am however not having this issue on Windows computer 1 using Microsoft Outlook. Thunderbird is not installed on this computer.

MacBook Pro 1 is on macOS Mojave
MacBook Pro 2 is on macOS Catalina
Windows computer is on Windows 10 using Microsoft Outlook 2019.
iPhone X is not experiencing authentication issues (not using Thunderbird obviously)

All credentials are confirmed to work.

Is there anything that I can try in order to resolve this issue?
Last edited by DanRaisch on October 29th, 2019, 1:22 pm, edited 1 time in total.
Reason: (Mac) added to Subject line.

sfhowes
 
Posts: 469
Joined: April 1st, 2012, 10:21 am

Post Posted October 29th, 2019, 3:48 pm

I found the same thing today, as did others on the TB support forum. I tried to add an existing gmail account in a new profile with OAuth2 authentication, but received the same error message as you. It does work if you use normal password authentication, but that requires that 'less-secure apps' be allowed in the google account. The same account was already set up in another profile with OAuth, and it still works. Other users seem to be able to add Yahoo accounts with OAuth, so there is something different now with TB and google OAuth.

Raderick
 
Posts: 16
Joined: May 1st, 2006, 11:45 pm

Post Posted October 29th, 2019, 4:31 pm

sfhowes wrote:I found the same thing today, as did others on the TB support forum. I tried to add an existing gmail account in a new profile with OAuth2 authentication, but received the same error message as you. It does work if you use normal password authentication, but that requires that 'less-secure apps' be allowed in the google account. The same account was already set up in another profile with OAuth, and it still works. Other users seem to be able to add Yahoo accounts with OAuth, so there is something different now with TB and google OAuth.


I looked into the "less-secure apps", turned it off on one of the accounts, but the issue persists on both Macs.

Raderick
 
Posts: 16
Joined: May 1st, 2006, 11:45 pm

Post Posted October 29th, 2019, 4:42 pm

Also, do you have links to threads on the TB support forums? That place is so difficult to navigate around.


tanstaafl
Moderator

User avatar
 
Posts: 46014
Joined: July 30th, 2003, 5:06 pm

Post Posted October 30th, 2019, 8:01 am

https://bugzilla.mozilla.org/show_bug.cgi?id=1592407 - "Google services are currently disrupted: OAuth2 failure when using Google Account (Gmail authentication using OAuth2 stopped working) - Affects account creation of IMAP accounts and 3rd-party add-on "Provider for Google Calendar""

"After setting mail.wizard.logging.dump to 'all' and mail.wizard.logging.console to 'all', when Thunderbird makes a request to https://www.googleapis.com/oauth2/v3/token the response is '400 bad request' with {"error": "invalid_grant", "error_description": "Malformed auth code."}"

"I can confirm the bug, at least in 60 (i'm switching to 68 now...), 32bit, Win7. Trouble happen if users change their password, and (i suppose) more generally on token change. If token is valid, all works as expected.Obviously 'normal password' works if enabled on google site."

Raderick
 
Posts: 16
Joined: May 1st, 2006, 11:45 pm

Post Posted October 30th, 2019, 8:35 am

tanstaafl wrote:https://bugzilla.mozilla.org/show_bug.cgi?id=1592407 - "Google services are currently disrupted: OAuth2 failure when using Google Account (Gmail authentication using OAuth2 stopped working) - Affects account creation of IMAP accounts and 3rd-party add-on "Provider for Google Calendar""

"After setting mail.wizard.logging.dump to 'all' and mail.wizard.logging.console to 'all', when Thunderbird makes a request to https://www.googleapis.com/oauth2/v3/token the response is '400 bad request' with {"error": "invalid_grant", "error_description": "Malformed auth code."}"

"I can confirm the bug, at least in 60 (i'm switching to 68 now...), 32bit, Win7. Trouble happen if users change their password, and (i suppose) more generally on token change. If token is valid, all works as expected.Obviously 'normal password' works if enabled on google site."


Thanks, glad to see that it's getting visibility as a bug, Not glad to see my workflow be thrown in the trash in the process. Hopefully a fix can be found soon.

tanstaafl
Moderator

User avatar
 
Posts: 46014
Joined: July 30th, 2003, 5:06 pm

Post Posted October 30th, 2019, 9:04 am

I'm confused by "I again entered the proper credentials, went through the proper 2FA verification step on my mobile device. Got the "Mozilla Thunderbird Email wants to access your Google Account" prompt, which I allowed. " since you said you were re-adding the account on a MacBook Pro 1 (a laptop).

Thunderbird doesn't support two step verification, you need to create a app password for Thunderbird and use it instead of the normal account password. That allows it to co-exist with other devices (such as a smartphone) that support two step verification, if you enable that feature for your google account.

Perhaps you are actually running into two separate issues (re-adding the account incorrectly, and a bug in Thunderbird that you first ran into with Google calendar)?

Thunderbird 68.* supposedly supports using a Yubikey for 2FA but I'm skeptical how well that will work given the poor support (the focus has been on just implementing FIDO U2F, and not whether its actually usable with any email provider) and the lack of even a SUMO KB article. https://bugzilla.mozilla.org/show_bug.cgi?id=1444101

Raderick
 
Posts: 16
Joined: May 1st, 2006, 11:45 pm

Post Posted October 30th, 2019, 10:51 am

tanstaafl wrote:I'm confused by "I again entered the proper credentials, went through the proper 2FA verification step on my mobile device. Got the "Mozilla Thunderbird Email wants to access your Google Account" prompt, which I allowed. " since you said you were re-adding the account on a MacBook Pro 1 (a laptop).

Thunderbird doesn't support two step verification, you need to create a app password for Thunderbird and use it instead of the normal account password. That allows it to co-exist with other devices (such as a smartphone) that support two step verification, if you enable that feature for your google account.

Perhaps you are actually running into two separate issues (re-adding the account incorrectly, and a bug in Thunderbird that you first ran into with Google calendar)?

Thunderbird 68.* supposedly supports using a Yubikey for 2FA but I'm skeptical how well that will work given the poor support (the focus has been on just implementing FIDO U2F, and not whether its actually usable with any email provider) and the lack of even a SUMO KB article. https://bugzilla.mozilla.org/show_bug.cgi?id=1444101


This is incorrect. Because Thunderbird uses Oauth2, it doesn't require the use of the app password. Ever since Oauth2 was introduced, I never had a need to use an app password. The computers I have the email address that uses 2FA and still get email on do not have an app password.

If I did need an app password, I would have receive an invalid password error when I put in my password when the "Mozilla Thunderbird Email wants to access your Google Account" popup appeared.

Raderick
 
Posts: 16
Joined: May 1st, 2006, 11:45 pm

Post Posted October 30th, 2019, 12:14 pm

For what it's worth, toggling general.useragent.compatMode.firefox to ENABLE allowed me to authenticate and set up a gmail e-mail account and calendar using Provider. This is with my regular password and without an app password.

tanstaafl
Moderator

User avatar
 
Posts: 46014
Joined: July 30th, 2003, 5:06 pm

Post Posted October 30th, 2019, 12:24 pm

The need for an application specific password doesn't depend upon what authentication method (OAuth2 or normal password) you use AFAIK. It depends upon whether two step verification is enabled. Thunderbird has no way for you to enter the code sent to your mobile device. AFAIK if you have two step verification enabled for a google account you need to either use a application specific password in Thunderbird for the corresponding Gmail account or use a security key (such as Yubikey).

Why do you believe you have 2FA enabled?
Where/how do you enter the second factor?

https://www.google.com/landing/2step/

Raderick
 
Posts: 16
Joined: May 1st, 2006, 11:45 pm

Post Posted October 30th, 2019, 1:05 pm

For clarification:
1. I put in Gmail creds in TB or in Provider
2. Gmail authentication popup comes up asking me to put in my creds again
3. Gmail requests 2FA verification (push to my phone via the Gmail app). This is all within the Gmail popup. It is *not* TB that is asking for 2FA. It's still all within the Gmail authentication window.

Hope this helps.

tanstaafl
Moderator

User avatar
 
Posts: 46014
Joined: July 30th, 2003, 5:06 pm

Post Posted October 31st, 2019, 6:06 am

Thanks. https://support.google.com/accounts/ans ... ic=7189145 says "If you're trying to use a less secure app or device with your Google Account, you may be asked to sign in using an app password. You'll only have to do this once for each device and application." Up to now, my impression is it always asked. I'll try to duplicate what you saw after Thunderbird releases a new version.

https://support.mozilla.org/en-US/questions/1201273

Return to Thunderbird Support


Who is online

Users browsing this forum: tanstaafl and 2 guests