Cant login to Gmail with OAuth2, unsupported browser error
I am using the latest Thunderbird 91.8.0.8126 and latest Firefox 99.0.1.8136. I am having the same issue as reported in these posts:
https://support.mozilla.org/en-US/questions/1343530 https://support.mozilla.org/en-US/questions/1344530 https://support.mozilla.org/en-US/questions/1350244.
I have 5 Gmail accounts that I manage for different family members. All accounts in Thunderbird access Gmail via IMAP, and are configured to login with OAuth2.
This week, Google removed Thunderbird access from 2 of the accounts, I do not know why. When I login to the accounts via the web in Firefox, Thunderbird was no longer listed under their 3rd party access. The other 3 accounts are fine.
1 of the accounts does not have 2FA enabled. I was able to re-login with Thunderbird when prompted, and I was presented with a window to grant Thunderbird access, which worked, no problem. So Thunderbird's browser was clearly recognized.
But the other account does have 2FA enabled, and that is where the problem lies. Thunderbird prompts for login, and the username and password are accepted, but when I enter the 2FA verification code, Thunderbird presents a window saying "Your browser is not supported anymore. Please update to a more recent one." (https://bugzilla.mozilla.org/show_bug.cgi?id=1677845). There is no option presented to grant access to Thunderbird. Yet, the verification did work, because my primary email receives notification that the account was logged in from a new device.
For the record, the failing 2FA account is managed by Family Link (the other non-2FA account is not). According to https://support.google.com/mail/thread/127545584/, such accounts cannot login to email clients. But that has never been a problem before, and 1 of the other still-working accounts in Thunderbird is also managed by Family Link and works just fine, so that can't be the culprit.
Also, I do have AVG installed with Email Shield enabled, but disabling that makes no difference.
Thunderbird's UserAgent is "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0". And yes, cookies are enabled in both Thunderbird and Firefox.
Is there a way to get Thunderbird to use Firefox properly for Gmail login, instead of its own integrated browser?
Chosen solution
This happened to me yesterday. My gmail account worked fine but my sons part of Google Family Link wouldn't authenticate by OAuth2. After i set general.useragent.compatMode.firefox = True in the config suddenly authentication went through successfully and updated Thunderbirds saved passwords. It basically fools google into thinking Thunderbird is firefox and then the standard OAuth2 with family link accounts works. This literally took me hours to work out but found solution buried deep within a google forum and it worked! You can switch it back to false after if want to and still works once authenticated though i'm experimenting with leaving it on as i'll never remember how i did it when need to reauth! Hope it helps!
Just to add the useragent changed from:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1" to:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Thunderbird/91.8.1"
I dont have firefox installed at all though and the latest thunderbird build.
Read this answer in context 👍 3All Replies (16)
Do you think you could post a screen shot of the window you enter this 2fa code in? I have never seen one, because I have never used 2fa I assume. I see it as just another bit of my data I have to surrender to achieve nothing I need. As these pages are served by Google, not Thunderbird (it is acting as a browser here). It is not something anyone can just look up.
Here are the screenshots
I wonder, could this have anything to do with Thunderbird requesting a "legacy" OAuth URL, even though the account is set to use OAuth2?
As you can see in the screenshots, Thunderbird is logging in using the URL "https://accounts.google.com/signin/oauth/legacy/...", which is NOT the URL described in Google's OAuth2 documentation (https://accounts.google.com/o/oauth2/v2/auth, and https://oauth2.googleapis.com/token).
I just updated to Thunderbird 91.8.1, but the one Gmail account is still not working correctly. Exact same symptoms as before.
I have opened a new bug for this: https://bugzilla.mozilla.org/show_bug.cgi?id=1766071
See if this helps. https://support.mozilla.org/en-US/kb/automatic-conversion-google-mail-accounts-oauth20
1 of the accounts does not have 2FA enabled.
With OAuth2 authentication you do not need to have 2-step authentication enabled. It is a recommended security measure though.
the failing 2FA account is managed by Family Link
What is Family Link and what does it do?
I do have AVG installed with Email Shield enabled
Try to start Windows 10 in safe mode with networking enabled.
Does the problem go away?
christ1 said
See if this helps. https://support.mozilla.org/en-US/kb/automatic-conversion-google-mail-accounts-oauth20
As I had already stated up front, all of my Gmail accounts are using OAuth2 with cookies enabled. It is only this one account that I am currently having trouble with.
christ1 said
What is Family Link and what does it do?
Parental control for child Google accounts: https://families.google.com/familylink/
christ1 said
Try to start Windows 10 in safe mode with networking enabled.
I'm using Windows 7, not 10. But either way, using Safe Mode did not help. Same problem.
I don't know if it matters, but there are several errors related to OAuth in Thunderbird's Error Console (amongst other errors):
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 3 OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 4 OAuth2.jsm:171
onStateChange resource:///modules/OAuth2.jsm:171
POP, IMAP and SMTP are not allowed for gmail family link accounts.
As I said earlier, this troublesome account was working just fine in Thunderbird a couple of weeks ago, and I have another Gmail account that is also managed by FamilyLink which is still working just fine in Thunderbird. And besides, that FamilyLink restriction only applies to child accounts, which these are not.
In any case, that is not my issue. My issue is that Thunderbird is not using a supported browser to complete the OAuth2 login, even though Google is allowing the login to proceed. It is only the final step (submitting the 2FA validation code) that Thunderbird is failing on, because it can't get a confirmation from Google even though the login is actually successful. Without that confirmation, it is not getting authorized for 3rd party access.
Modified by gambit47
gambit47 said
I wonder, could this have anything to do with Thunderbird requesting a "legacy" OAuth URL, even though the account is set to use OAuth2? As you can see in the screenshots, Thunderbird is logging in using the URL "https://accounts.google.com/signin/oauth/legacy/...", which is NOT the URL described in Google's OAuth2 documentation (https://accounts.google.com/o/oauth2/v2/auth, and https://oauth2.googleapis.com/token).
Sorry to not have solutions to the other aspects, but no.
I am pretty sure it is under legacy because it gives access to emails, something google thinks of as a "core" part, and of Thunderbird as an "insecure oauth service". They do not allow email access or insecure services to the newer api.
FYI, I just tried using https://accounts.google.com/DisplayUnlockCaptcha, as described here:
It did not help. Thunderbird still received the "unsupported browser" error.
Chosen Solution
This happened to me yesterday. My gmail account worked fine but my sons part of Google Family Link wouldn't authenticate by OAuth2. After i set general.useragent.compatMode.firefox = True in the config suddenly authentication went through successfully and updated Thunderbirds saved passwords. It basically fools google into thinking Thunderbird is firefox and then the standard OAuth2 with family link accounts works. This literally took me hours to work out but found solution buried deep within a google forum and it worked! You can switch it back to false after if want to and still works once authenticated though i'm experimenting with leaving it on as i'll never remember how i did it when need to reauth! Hope it helps!
Just to add the useragent changed from:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1" to:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Thunderbird/91.8.1"
I dont have firefox installed at all though and the latest thunderbird build.
Modified by AndyB-UK
Good job finding a solution!
attn:gambit47 Please mark the above as a solution if it helped you!
Thank you! Setting general.useragent.compatMode.firefox = True is what I needed. Now the login uses more modern screens, and prompts my phone for approval and all of that jazz, and I can access the account again.
Glad it worked for you. It worked for POP as well as IMAP. It's just that final step of the web client sending back confirmation to Thunderbird to store the encrypted password that didn't seem to work and nothing was getting put into Saved Passwords. I hadn't used Thunderbird for a couple of weeks and just been checking email via android phone so something changed sometime in last couple of weeks and thunderbird updates. I see bugzilla report has been updated too as just looked.
Modified by AndyB-UK