OAuth2 access to gmail fails in Thunderbird
I have been successfully using Thunderbird (TB) with gmail for years, including via OAuth2 after gmail started requiring it. However, recently one of my gmail accounts stopped working. This seems to have happened when gmail incorrectly thought that I was attempting access from a new client or a new computer and required that OAuth2 authorization be re-established. Now any attempt to access the account from Thunderbird (receiving or sending mail) results in the OAuth2 pop-up window requesting that I allow Thunderbird to access my gmail account. I select "allow", the pop-up closes, and Thunderbird shows "Host contacted, sending login information..." but it never succeeds. After about 2 minutes, it times out with no further message. I have a second gmail account configured in the same instance of Thunderbird, and it continues to work without difficulty; for that account, gmail has not required that OAuth2 authorization be re-established. I am running TB 114.4.1 on Windows 10. I have ensured that cookies are enabled in TB and local storage of passwords in TB is disabled. In my Google account (the one that does not work in TB), I see that access for Thunderbird has been enabled.
I have tried many things, including moving my TB profile to a different folder and uninstalling/installing TB cleanly (no pre-existing profile). Attempting to set up the gmail account in the new installation fails in the same way, when trying to get OAuth2 authorization. Attempting to set up the other gmail account, which was previously working, now also fails. By moving my old profile back to its normal location and re-installing TB, I can get back to where I was (one gmail account works, the other fails).
I have access to another computer, belonging to a friend, also running Windows 10 and having TB installed. In that instance of TB, I tried creating an account tied to the gmail account that is not working in my computer. There I was able to set up OAuth2 access successfully. That TB installation is old, running version 91.7.0. I tried installing TB 91.7.0 on my computer, but there the OAuth2 authorization process still fails.
I have read RFC 6749, which describes how OAuth2 works. It says:
"The abstract OAuth 2.0 flow illustrated in Figure 1 describes the interaction between the four roles and includes the following steps: (A) The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary. (B) The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server. (C) The client requests an access token by authenticating with the authorization server and presenting the authorization grant. (D) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token. (E) The client requests the protected resource from the resource server and authenticates by presenting the access token. (F) The resource server validates the access token, and if valid, serves the request."
Apparently the failure is occurring at step (C) or (D). Either TB fails to request the token correctly, or the authorization server fails to issue the token. Step (B) succeeds; the pop-up requests my username and password, and those are accepted; if I intentionally type the wrong password, it fails.
I still have access to my mail in the problematic gmail account using gmail's web client, but I really need access via a client on my own computer, preferably TB, so that I can store messages locally and sort/access them in more flexible ways.
Please help. I've been struggling with this for many weeks, and I've spent countless hours trying to fix it.
--Larry
כל התגובות (7)
Are you running a local web server on the troubled computer? If so, stop it before attempting to re-authenticate the Gmail account.
השתנתה ב־
No, there is no web server running on that computer. However, just out of curiosity, why does that matter?
Authentication using Oauth2 uses the local host IP address of 127.0.0.1:80 to pass information back to the local machine about your choices in the web browser component of Thunderbird.
One more thing you can do: Try to start Windows 10 in safe mode with networking enabled. Does the problem go away?
I am running TB 114.4.1 on Windows 10.
Then you're running an outdated beta. Why would you want to do this? Get the latest release version at https://www.thunderbird.net/
Dear Christ1,
You said: > Try to start Windows 10 in safe mode with networking enabled. > Does the problem go away?
Yes! Thanks very much for that suggestion. In safe mode, TB got the OAuth2 token from gmail, and I was able to download new mail. After re-booting into normal mode, TB still has the token, so it continues to work. However, I was not able to diagnose the underlying problem, so if TB ever needs to get a new OAuth2 token then I expect it to fail again. Any suggestions on what the underlying problem might be, or on methods for further diagnosis?
>> I am running TB 114.4.1 on Windows 10.
> Then you're running an outdated beta. Why would you want to do this? > Get the latest release version at https://www.thunderbird.net/
My apologies. That was a typo in my original post. I am actually running 115.4.1, and TB claims that it is "up to date".
Regards, Larry
Any suggestions on what the underlying problem might be, or on methods for further diagnosis?
Windows safe mode disables anti-virus software, which is almost certainly the culprit.
These are some generic suggestions to avoid problems with anti-virus software.
Create an exception in your anti-virus software for the Thunderbird profile folder, so that the anti-virus real-time scanner will not scan it. https://support.mozilla.org/en-US/kb/profiles-where-thunderbird-stores-user-data#w_how-to-find-your-profile
Don't let your anti-virus software scan incoming and outgoing messages.
Don't let your anti-virus software scan attachments.
Don't let your anti-virus software intercept your secure connection to the server.
Remove any add-ons your anti-virus software may have installed in Thunderbird.
Keep it working. http://kb.mozillazine.org/Keep_it_working_-_Thunderbird
And last but not least, backup your Thunderbird profile on a regular basis. https://support.mozilla.org/kb/profiles-where-thunderbird-stores-user-data#w_backing-up-a-profile
Dear christ1,
> Windows safe mode disables anti-virus software, which is almost certainly the culprit.
I do not have any anti-virus software installed, other than what is included with Windows Security, and the Virus Protection component of Windows Security has always been turned off. However, the Network Firewall component has been turned on. I tried temporarily turning Network Firewall off, and it made no difference; TB was still unable to get an OAuth2 token when attempting to set up a new account. Thus, the underlying problem remains undiagnosed and therefore not fixed.
After using Safe Mode With Networking to get an OAuth2 token for the problematic gmail account, it worked in normal mode for a few days. Then gmail inexplicably required a new OAuth2 authorization, which again failed. At the same time, a new problem arose: when attempting to SEND email from the same account, the process never completes. The "Sending mail..." popup remains displayed forever (until I press 'cancel'). Nevertheless, the email has been sent. This problem persists even in safe mode. In my other email accounts configured in the same instance of TB (including another gmail account), this problem is absent; sending mail works normally.
I was able to go back into Safe Mode and get another OAuth2 token so that I can again operate in normal mode, but I don't know how long that will last. Getting into Safe Mode is not easy on this computer, since it requires me to type in a 42-digit "Bitlocker recovery key". Further, it seems that Safe Mode With Networking does not support wifi, so I have to connect via a copper Ethernet port; I can do that, but it's another step.
Any other ideas?
Regards, Larry
Any other ideas?
Well, you've been given a list with suggestions to avoid problems with anti-virus software. That basically also applies to Windows Defender. There is no need to turn off the real-time anti-virus scanner if you do follow the suggestions above. I don't think there is any need to mess with the Windows firewall.