oAuth requires that the program have a "secret" that is offers to server as a part of the authentication. So Thunderbird and Dovecote supporting oAth is not enough. A secret for the server in question needs to be built into Thunderbird.

This source needs to ne changed https://searchfox.org/comm-central/source/mailnews/base/util/OAuth2Providers.jsm

SO you need to file a bug https://bugzilla.mozilla.org

Just for completeness. oAuth is not a good choice to implement 2fa as it may actually issue a key that is valid for 6 months (google) so even without your password Thunderbird can continue to use the key exchange to check your mail for up to 6 months without any reference to the base password used.

Thanks for the reply! If the "secret" referred here is the "Client Secret" for exchange of access_token with authorization server, that is stored/configured in Dovecot, I'd think. What we'd like to ultimately achieve is that we have in-house authorization server with which we have the control for the access_token expiration date. I will go ahead and take your suggestion to open a bug request. Thank you so much!

I have filed a bug to implement the dynamic client registration protocol which would allow automatic registration of clients. But implementation is probably a long way off at this point in time.

https://bugzilla.mozilla.org/show_bug.cgi?id=1602166

What bug did you file?

I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1602895 , not sure if this is a bug or enhancement, since the method is available from the 'authentication method' drop-down and it's not working so I filed as a bug. Thanks for following it up and I appreciate your advice!