Support Forum

How to manually add OAuth2 G-Mail token to Thunderbird?

I don't understand, IMAP clients now must support http/cookies in order to support OAuth2 for IMAP G-Mail? This seems extreme.

Whose fault is it I can't manually download my OAuth2 token from Google and add it to Thunderbird myself? Google's or Mozilla's? Or both? Or neither in that the OAuth2 standard doesn't define or demand this capability?

This is where we are? Someone or somebody has made encryption so complicated that it's now broken for most users? Seems like it will get worse and only time will tell.

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A

Matt
  • Top 10 Contributor
  • Moderator
3139 solutions 21380 answers

logjamthis said

I don't understand, IMAP clients now must support http/cookies in order to support OAuth2 for IMAP G-Mail? This seems extreme.

Sure is. We had a very long discussion based around should we when Google announced the change.

Whose fault is it I can't manually download my OAuth2 token from Google and add it to Thunderbird myself? Google's or Mozilla's? Or both? Or neither in that the OAuth2 standard doesn't define or demand this capability?

I think that would be the latter. Part of the exchange is Thunderbird's key issued by Google. So I do not think you get a look in to the process.

This is where we are? Someone or somebody has made encryption so complicated that it's now broken for most users? Seems like it will get worse and only time will tell.

What is so hard? You choose the encryption method in Thunderbird for IMAP and you get prompted for your password. Cookies have been a daily part of the web for 20 years. It is unfortunate that Google chose to go down the path of a web authentication protocol for email, but we had two choices. Use what they chose or not support Gmail. So we bit the bullet and went with the flow. I think most people would expect to be able to get their mail from one of the three biggest mail providers, don't you?

I see you have already been to Bug 1176773. Bug 849540 (https://bugzilla.mozilla.org/show_bug.cgi?id=849540) was the implementation bug. Read it and you will know as much as anyone else does. The source code changes are attached if you are that way inclined.

Helpful Reply

According to Wikipedia, "In July 2012, Eran Hammer resigned his role of lead author for the OAuth 2.0 project,"

I wonder how this relates to the OAuth2 implementation issues mentioned above and overall state of the security/encryption world.

My point is, if I need a web browser to enable OAuth2 which is required for IMAP G-Mail, why not use the native web version of G-Mail? I know it's only once, but it does seem backwards. Hmm......

Question owner

Matt said

I see you have already been to Bug 1176773. Bug 849540 was the implementation bug. Read it and you will know as much as anyone else does. The source code changes are attached if you are that way inclined.

The issue is *I* should be able to download the OAuth2 token from Google and add it to Thunderbird *myself*. If OAuth2 doesn't define this, then OAuth2 is broken and Mozilla/Thunderbird should have said no we won't support this. End of story. Google being big doesn't mean everyone should bend to their will/want.

I don't know much about OAuth2, however it took me no time to see this has a major flaw, who isn't doing their job?

Matt

Seriously this is the implementation we have. If you do not like it you are free to write some code to improve it and submit it for review and inclusion in Thunderbird through Bugzilla. This is however an internet standard. So anything you write must comply with RFC 6749. I do not see anywhere in the workflow an option to stop, ask the user to download and install something. So I do not think you will get much to change at all and still be compliant with the standard.

Please address further issues with OAuth to the RFC 6749 (https://tools.ietf.org/html/rfc6749) working group. We have no input to the standard.

Question owner

Matt said

Please address further issues with OAuth to the RFC 6749 working group. We have no input to the standard.

Hi Matt,

Please make no mistake I'm frustrated and I do apologize for complaining, however, to ignore complaints and just say, complain there or it's not our fault doesn't really help all that much.

I commented in the bug you pointed out, thank you, however, if the OAuth2 standard requires the 3rd party client to have http/cookie support, that sucks, for everyone because unless TB is ok with just being a shell for G-Mail, this makes no sense.

If you don't like me saying that, it's just an opinion. And since the lead author of OAuth2 quit, I doubt your recommendation will/would do anything.

asuth 1 solutions 11 answers

Helpful Reply

If you want to avoid using the GMail OAuth2 flow for Thunderbird, you can do either of the following:

  • Enable the "less secure apps" setting for your GMail account allowing you to use your existing account password: https://support.google.com/accounts/answer/6010255?hl=en
  • Create an application-specific password and use that: https://support.google.com/accounts/answer/185833?hl=en

Note that things vary based on whether 2-factor auth is active on your Google account.

Question owner

asuth said

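If you want to avoid using the GMail OAuth2 flow for thunderbird, you can do either of the following:

  • Enable the "less secure apps" setting for your GMail account allowing you to use your existing account password: https://support.google.com/accounts/answer/6010255?hl=en
  • Create an application-specific password and use that: https://support.google.com/accounts/answer/185833?hl=en

Note that things vary based on whether 2-factor auth is active on your Google account.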

Thanks asuth, looking into this,

Mozilla/Thunderbird should have gone with this recommendation for a while to measure the fallout for either/both Google and Mozilla.

Now, Thunderbird seems to be slowly conforming to the standards any given company uses rather than conform to the standards that created it (Mozilla/TB) or, at least, hold those standards to a higher importance level.

Matt

logjamthis said

Matt said
Please address further issues with OAuth to the RFC 6749 working group. We have no input to the standard.

Hi Matt,

Please make no mistake I'm frustrated and I do apologize for complaining, however, to ignore complaints and just say, complain there or it's not our fault doesn't really help all that much.

Tilting at windmills is in my humble opinion a total waste of time. I certainly do not intend to waste any more here.

I commented in the bug you pointed out, thank you,

Then you obviously got nothing from your discussion with Kent James.

"bugzilla is not intended as a support forum, though it often de facto turns out that way as we try to understand whether an issue is associated with a code change. In answer to "Is there a way to manually download the OAuth2 token and attach it to my Thunderbird G-Mail account?" the answer is basically no. I have no idea about Pine, and this is not a good place to ask. The correct place for questions that do not involve a possible flaw in Thunderbird code is support.mozilla.org"

What part of Bugzilla is not the appropriate place did you not get the first time? Before posting your opinion on a closed bug so I get more spam from you. Yes, I get an email every time you post to those bugs. It is called bugzilla spam to those like me, cc'ed to lots of bugs.

however, if the OAuth2 standard requires the 3rd party client to have http/cookie support, that sucks, for everyone because unless TB is ok with just being a shell for G-Mail, this makes no sense.

I think we got that. You think it makes no sense. Cookies are a fact of life. I suggest you build a bridge, because they are not going away. Nor are they going to be optional in the future.

Have a read of the comments on the Google announcement. I do not see one that looks like yours: http://googleonlinesecurity.blogspot.co.uk/2014/04/new-security-measures-will-affect-older.html I do see one complaining that it broke Thunderbird though.

I think that you will see it become impossible to use anything but OAuth on Gmail in the not too distant future. They have only held off this long to give Microsoft no excuse when they cut off Outlook users is my opinion.

If you don't like me saying that, it's just an opinion. And since the lead author of OAuth2 quit, I doubt your recommendation will/would do anything.

I really do not care what you say. Like Voltaire. I may abhor what you say, but I will fight to the death for your right to say it. Having said that you do not get an automatic ear. I reserve the right to ignore you.

I dislike that we are forced to use OAuth. But I am also pragmatic enough to accept that you have to accept what you can not change. Google sets the standard of what everyone else has to do in much the same way as Microsoft used to do. They do it their way and you either wither and die or you fall into line.

In this case you have many clear choices of free mail providers that do not use OAuth. So it is simple really. Use one of them instead if you object to Google's preferred authentication method. But stop flogging the messenger, go complain to Google. I am sure they are paying someone that you can talk to. Thunderbird is paying no one.

Modified by Matt

Question owner

Wow! How rude you are!

Can someone, please, mod this mod?

Edit: Wait, wait, you're telling me I shouldn't have commented in a bug because you don't want the e-mail? Uh, deal with it, seriously,

Modified by logjamthis

Matt

No, I am telling you you should not have commented on the bugs because your musings were neither relevant nor constructive. They were a waste of time for all the participants in the bug.

Bugzilla etiquette is fairly simple. See https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

Question owner

Matt said

No, I am telling you you should not have commented on the bugs because your musings were neither relevant nor constructive. They were a waste of time for all the participants in the bug. Bugzilla etiquette is fairly simple. See https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

That's your opinion and a flimsy one at that. I'm not sure what's exactly wrong with you, but you're not as important as you think you are. There's nothing wrong with what I did and for you to say so is WRONG!

Again, mods, please mod this mod!
