OT -- or maybe not -- OAuth2 and Gmail


Nobody

Jul 9, 2020, 8:35:15 PM
to mozilla-suppo...@lists.mozilla.org
My telco ISP Telus, the long-time major land-line provider in British
Columbia and Alberta (in Canada), is progressively moving its email
clientele/function to be (as they say) 'powered by Google'.

My account was switched a few days ago... with no major
hiccoughs/hickups.

But one aspect, which has come up in discussion on <m.s.tb> before, is
'OAuth2' authentication.

Telus (and Google-y Mail) claim they both support it... but for the
life of me, I can't configure Thunderbird (latest release 68.10.0 on
Win 10 v2004) to connect employing 'OAuth2'.

Entering 'Normal Password' in TB... and setting Grumble Mail to accept
third-party software... works just fine, but Grumble Mail then
grumbles about T'bird being an insecure app.

NE ideas?

Mike Easter

Jul 9, 2020, 11:58:02 PM
to mozilla-suppo...@lists.mozilla.org
Nobody wrote:
> I can't configure Thunderbird (latest release 68.10.0 on
> Win 10 v2004) to connect employing 'OAuth2'.

In the account's Tb server settings/ security settings/ connection
security SSL/TLS/ Authentication method - OAuth2

--
Mike Easter

Stans

Jul 10, 2020, 6:22:17 AM
to mozilla-suppo...@lists.mozilla.org
What's the problem you're having with changing to OAuth2 authentication
in Tbird? Google is getting rid of the "less secure app" provision, and
you should be using OAuth2 since Tbird supports Gmail's OAuth2. You are
supposed to set up the migrated Telus account afresh on Tbird, even if
you already had your Telus account set up on Tbird. See
https://www.telus.com/en/bc/support/interstitial/set-up-telus-email-on-your-computer-google
for details.

Thunderbird setup instructions are provided here
https://www.telus.com/en/bc/support/article/set-up-telus-email-thunderbird-mozilla


Stans

Jul 10, 2020, 7:03:56 AM
to mozilla-suppo...@lists.mozilla.org
On 10/07/2020 13:48, Onno Ekker wrote:
>
> I think support for OAuth2 is hard-coded in Thunderbird for each known
> supported OAuth2-provider.
> Every OAuth2 provider has its own clientSecret, which aren't really
> secret, because you can find them in the source.
> I don't know why they are hard-coded and not in the mail provider
> database, because now it's much harder to add a single new issuer.
> As far as I know, there is no way to add the needed client secret for
> your own OAuth2-provider yourself, except maybe by writing an add-on if
> there's an API for it.
>
> Onno
>
To make things clear, Telus is not the OAuth2 provider here. Google is,
and Tbird had Google's OAuth2 support added many years ago. This move by
Telus implies that Telus is not willing to implement its own OAuth2, but
would rather use a pre-existing provider (Google) as its new host for
its email accounts.

Onno Ekker

Jul 10, 2020, 7:13:24 AM
to mozilla-suppo...@lists.mozilla.org
On 10-7-2020 at 13:03, Stans wrote:
K, so basically the OP is using GMail, right? Then there shouldn't be any
problems. But if Telus provides its own mail server names, which
redirect to GMail's mail servers, then it won't work.

GMail OAuth2 only works for the following servers:
imap.googlemail.com
smtp.googlemail.com
pop.googlemail.com
imap.gmail.com
smtp.gmail.com
pop.gmail.com

Onno
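
Added example, not part of any post in this thread and not Thunderbird's code: the IMAP SASL initial responses behind password authentication (shown here as PLAIN, RFC 4616) and behind OAuth2 (Google's XOAUTH2 mechanism), plus decoding of the base64 JSON challenge a server sends when it rejects a token. The function names, the host guard built from the server list above, and all sample values are assumptions constructed for illustration.

```python
import base64
import json

# Hostnames taken from the server list in the post above.
GMAIL_OAUTH2_HOSTS = {
    "imap.googlemail.com", "smtp.googlemail.com", "pop.googlemail.com",
    "imap.gmail.com", "smtp.gmail.com", "pop.gmail.com",
}

def plain_initial_response(user: str, password: str) -> str:
    """SASL PLAIN: the account password itself is sent on every login."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def xoauth2_initial_response(host: str, user: str, access_token: str) -> str:
    """SASL XOAUTH2: a bearer access token is sent instead of the password."""
    if host.lower() not in GMAIL_OAUTH2_HOSTS:
        # Hypothetical client-side guard mirroring the list above.
        raise ValueError(f"{host} is not on the list of Gmail OAuth2 servers")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def decode_failure_challenge(line: str) -> dict:
    """On rejection the server sends '+ <base64 JSON>' before the final NO."""
    if not line.startswith("+ "):
        raise ValueError("not a continuation line")
    return json.loads(base64.b64decode(line[2:]))

if __name__ == "__main__":
    # Constructed sample values; no real account or token.
    user, token = "user@example.net", "constructed-access-token"
    print("AUTHENTICATE XOAUTH2",
          xoauth2_initial_response("imap.gmail.com", user, token))
    sample = "+ " + base64.b64encode(json.dumps(
        {"status": "401", "schemes": "bearer",
         "scope": "https://mail.google.com/"}).encode()).decode()
    print(decode_failure_challenge(sample))
```

Decoding the challenge shows whether a rejection concerns the token (status and required scope) rather than the server names or TLS settings.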

Stans

Jul 10, 2020, 8:26:21 AM
to mozilla-suppo...@lists.mozilla.org
That's right. Straight-on Gmail servers are in use, imap.gmail.com and
smtp.gmail.com specifically, not Telus' servers.

Nobody

Jul 10, 2020, 12:20:10 PM
to mozilla-suppo...@lists.mozilla.org
On Thu, 9 Jul 2020 20:57:50 -0700, Mike Easter <Mi...@ster.invalid>
wrote:
Maybe I wasn't being clear enuf! Those, yes, are the settings
employed in my attempt(s).

This olde link shows how the process plays out... though the server
name is 'gmail dot com' not 'googlemail' for my retained Telus address
of 'youknowwho at telus dot net'.

<https://www.supertechcrew.com/thunderbird-oauth2-gmail/>

All's accepted but logging in after re-starting TB produces rejection.

So I go back to authentication by 'normal password'... still SSL...
tell my Telus-related Google account to allow an insecure app... and
everything works semi-perfectly.. with resumed security warning in the
account!

Nobody

Jul 10, 2020, 12:26:57 PM
to mozilla-suppo...@lists.mozilla.org
On Fri, 10 Jul 2020 13:13:07 +0200, Onno Ekker <o.e....@gmail.com>
wrote:

>On 10-7-2020 at 13:03, Stans wrote:
>> On 10/07/2020 13:48, Onno Ekker wrote:
>>>
>>> I think support for OAuth2 is hard-coded in Thunderbird for each known
>>> supported OAuth2-provider.
>>> Every OAuth2 provider has its own clientSecret, which aren't really
>>> secret, because you can find them in the source.
>>> I don't know why they are hard-coded and not in the mail provider
>>> database, because now it's much harder to add a single new issuer.
>>> As far as I know, there is no way to add the needed client secret for
>>> your own OAuth2-provider yourself, except maybe by writing an add-on if
>>> there's an API for it.
>>>
>>> Onno
>>>
>> To make things clear, Telus is not the OAuth2 provider here. Google is,
>> and Tbird had Google's OAuth2 support added many years ago. This move by
>> Telus implies that Telus is not willing to implement its own OAuth2, but
>> would rather use a pre-existing provider (Google) as its new host for
>> its email accounts.
>
>K, so basically the OP is using GMail, right? Then there shouldn't be any
>problems. But if Telus provides its own mail server names, which
>redirect to GMail's mail servers, then it won't work.

That possibly is the answer.

As I said originally Telus mail is now 'powered by Google'. My
address remains as 'youknowwho at telus dot net'.

Logging into mail on-line (what Telus used to call 'webmail') launches
a Gmail interface but labelled with the Telus logo along with the
settings icon etc. in the top right.

Onno Ekker

Jul 10, 2020, 2:06:51 PM
to mozilla-suppo...@lists.mozilla.org
On 10-7-2020 at 18:26, Nobody wrote:
No, that shouldn't be the problem. According to this page, Telus works
with Thunderbird with your nob...@telus.net email address and
imap.gmail.com / smtp.gmail.com as mail servers:

https://www.telus.com/en/on/support/article/set-up-telus-email-thunderbird-mozilla

Maybe you're not using the latest version of Thunderbird? In the past
GMail has changed their OAuth2 protocol and it has only changed in
Thunderbird 52 and higher, I think...

Onno

Nobody

Jul 10, 2020, 2:21:54 PM
to mozilla-suppo...@lists.mozilla.org
On Fri, 10 Jul 2020 20:06:38 +0200, Onno Ekker <o.e....@gmail.com>

Nobody

Jul 10, 2020, 2:27:46 PM
to mozilla-suppo...@lists.mozilla.org
On Fri, 10 Jul 2020 20:06:38 +0200, Onno Ekker <o.e....@gmail.com>
Absolutely NOT my address prefix.
>
>https://www.telus.com/en/on/support/article/set-up-telus-email-thunderbird-mozilla

Yairs, read and inwardly disgested! <g> That's how I knew both
parties supposedly supported 'OAuth2'.
>
>Maybe you're not using the latest version of Thunderbird? In the past
>GMail has changed their OAuth2 protocol and it has only changed in
>Thunderbird 52 and higher, I think...
>

<sigh> As snipped and forgotten? <g>

"Telus (and Google-y Mail) claim they both support it... but for the
life of me, I can't configure Thunderbird (latest release 68.10.0 on
Win 10 v2004) to connect employing 'OAuth2'."

And I just noticed somehow an un-replied reply slipped through the
cracks... apologies.

Stans

Jul 10, 2020, 2:40:50 PM
to mozilla-suppo...@lists.mozilla.org
Telus says you go to mail.google.com (Gmail's webmail address) to access
your migrated account via webmail. Telus says if you use the old webmail
address, you will still be redirected to Gmail's webmail address. After
migration, what you have is a Google account, although the primary alias
is still your old Telus address. Everything at this point going forward
is Gmail. As soon as you understand this, the faster you'll get things
working right. Google is getting rid of the "less secure apps access"
provision. Moving forward, you shouldn't have to lower the security of
your new Gmail account just to grant Thunderbird access. Use an
app-specific password for that, but since Gmail's OAuth2 is built into
Tbird, there is no point in using an app-specific password in Tbird.
>
> All's accepted but logging in after re-starting TB produces rejection.
>
> So I go back to authentication by 'normal password'... still SSL...
> tell my Telus-related Google account to allow an insecure app... and
> everything works semi-perfectly.. with resumed security warning in the
> account!
>
Telus says, disable the old Telus account in Tbird, then set up the new
Google powered account as a new account in Tbird, and use OAuth2 with
gmail servers. Did you open the links I posted in my earlier reply?

Also, in Tbird, open the password manager (Saved Passwords) and remove
the entries for the old (Telus) servers. The only entries that should be
saved and used are for working accounts. Also, if you have disallowed
cookies in Tbird, you need to allow them for OAuth2 to work, otherwise
you will have to perform the OAuth2 process on each restart of Tbird.

Nobody

Jul 10, 2020, 7:45:16 PM
to mozilla-suppo...@lists.mozilla.org
On Fri, 10 Jul 2020 20:21:51 +0300, Stans <stans....@outlook.com>
wrote:

As I've written, migration was successful. TB and Gmail talk to each
other, and 'tween you and me, that Telus a lot! <g>

All I'm trying to do is straighten out the security 'nag' in the
Google account by attempting OAuth2.

Asking or telling me to read what you've sent (which are the same
instructions for migration as achieved) is superfluous.

Coincidentally, I see from a sudden flurry of upset T'birders on a
Gmail forum back in November 2019 that this issue ain't unknown, but
was supposed to have been rectified with an early update to v68, and
I'm on 68.10.0.

The blame seems to go to Gmail. And the work-around was to resort to,
as I've done, simply use 'normal password' and accept the Google
'insecure' nag.

>Also, if you have disallowed cookies in Tbird, you need to allow them
>for OAuth2 to work, otherwise you will have to perform the OAuth2
>process on each restart of Tbird.

Now that's a New Hint: cookies in TB... Well, I added all the
probables... no effect.

Time to accept what works... and ignore a nag that is probably
over-stated by Grumbly Googly anyway.

Stans

Jul 11, 2020, 4:17:39 AM
to mozilla-suppo...@lists.mozilla.org
On 11/07/2020 02:45, Nobody wrote:
>
> All I'm trying to do is straighten out the security 'nag' in the
> Google account by attempting OAuth2.

You've got two options. Restore Tbird's default settings as far as
cookies are concerned and Gmail OAuth2 will work as intended, or use an
app-specific password for "Normal Password" authentication.

> Coincidentally, I see from a sudden flurry of upset T'birders on a
> Gmail forum back in November 2019 that this issue ain't unknown, but
> was supposed to have been rectified with an early update to v68, and
> I'm on 68.10.0.

It is only yesterday that I helped someone else here
https://support.mozilla.org/en-US/questions/1294362 with Gmail OAuth2
issues, disallowing cookies was the problem. There are many other
threads with Gmail Oauth2 issues, thanks to TB users blocking cookies.

> The blame seems to go to Gmail. And the work-around was to resort to,
> as I've done, simply use 'normal password' and accept the Google
> 'insecure' nag.

Sure, it's easier to blame Gmail. I must be super lucky then, to have
all six Gmail accounts of mine working flawlessly with Tbird since long
before TB68.

> Now that's a New Hint: cookies in TB... Well, I added all the
> probables... no effect.

What are these "probables"?

> Time to accept what works... and ignore a nag that is probably
> over-stated by Grumbly Googly anyway.

Well, that's your call, but if you've been listening, Google is getting
rid of the "less secure apps access" provision. Know what that means? It
means, sooner or later you'll be back here with Gmail login issues when
Gmail servers no longer allow basic authentication ("Normal Password"
authentication) using your primary Gmail password. Many other providers
are taking this direction and not just Google.

Nobody

Jul 11, 2020, 2:34:59 PM
to mozilla-suppo...@lists.mozilla.org
On Sat, 11 Jul 2020 11:17:24 +0300, Stans <stans....@outlook.com>
wrote:

>On 11/07/2020 02:45, Nobody wrote:
>>
>> All I'm trying to do is straighten out the security 'nag' in the
>> Google account by attempting OAuth2.
>
>You've got two options. Restore Tbird's default settings as far as
>cookies are concerned and Gmail OAuth2 will work as intended, or use an
>app-specific password for "Normal Password" authentication.

You're repeating what I've already stated.

>
>It is only yesterday that I helped someone else here
>https://support.mozilla.org/en-US/questions/1294362 with Gmail OAuth2
>issues, disallowing cookies was the problem. There are many other
>threads with Gmail Oauth2 issues, thanks to TB users blocking cookies.

>
>What are these "probables"?

Allowing (https://) gmail.com -- googlemail.com -- google.com.

The TB cookie jar was as default... installed... a list of 'blocked'
with none related to Mister Google... but no 'allows'. Frankly, I
never even realised it existed.
>
>> Time to accept what works... and ignore a nag that is probably
>> over-stated by Grumbly Googly anyway.
>
>Well, that's your call, but if you've been listening, Google is getting
>rid of the "less secure apps access" provision. Know what that means? I

I don't think you appreciate that is what I was trying to achieve.

Note the change in tense.

I bit the bullet... backed up my profile elsewhere... killed TB's
completely... re-constructed a new one... created accounts...
connected to Gmail... OAuth2 works... turned the nag off in Google
Account.

Then transferred my chrome.css... and mail data... and address books.

And it all works as it's supposed to. Mysterious Mister Something
must have visited during the original requirement of removing the
Telus accounts and re-creating for Gmail.

