Google OAuth+2FA credentials don't persist across TB sessions.

2,001 views
Skip to first unread message

aslamK

unread,
Jun 5, 2015, 12:07:51 AM6/5/15
to provider-for-g...@googlegroups.com
This behavior may have appeared following the TB 31.7 update.

When TB launches, I first get the prompt for the master password. A few seconds later the window for Google OAuth appears and asks for the password followed by the 2FA code. This wasn't the case until recently, I didn't get challenged for the Google creds following the master password.

Sorry if this is already on the list of known bugs, I haven't been able to access bugzilla.mozilla.org for some reason.

Philipp Kewisch

unread,
Aug 10, 2015, 7:11:29 PM8/10/15
to Provider for Google Calendar
As you are using the master password, can you try the startupmaster extension? I've heard reports about having to re-enter every restart, but I haven't been able to reproduce or pinpoint this.

Philipp

Jason Hutton

unread,
Aug 10, 2015, 8:02:09 PM8/10/15
to Provider for Google Calendar
I get the same thing. Works fine; enter credentials, no problems, can use it fine and update Calendar entries without issue.
Restart Thunderbird and boom, prompted for a Google OAuth password again, even though it's saved.

Windows 10 Pro (Happened on Windows 7 as well.)
Using:
Thunderbird 38.1.0
Lightning 4.0.1.2
Provider 1.0.4

Some other things that may be relevant, though do not give me issues with any other extensions or functionality in Thunderbird or Firefox:
Keepass 2.30
Keefox 1.4.8.1-signed
(As far as I know, these actually don't save/provide OAuth tokens, those are saved normally in Thunderbird/Firefox. Mentioning them as they are password-related despite that.)

I do not use a Master Password, though Keepass+Keefox functions like this for non-OAuth passwords.

The startupmaster extension did not have any noticeable effect on this issue.
Disabling Keefox also did not have any noticeable effect on this issue.

Issue occurs with brand new installs of all of the above.

Jason Hutton

unread,
Aug 10, 2015, 8:06:03 PM8/10/15
to Provider for Google Calendar
Ah crap didn't notice the mention of 2FA. I do not use 2FA with my accounts. Nor do I get prompted for a master password as I don't use one. Just constant OAuth prompts when using Provider after each Thunderbird restart. (Other OAuth credentials are fine, just Google Calendar/Provider ones are the issue.)

Philipp Kewisch

unread,
Aug 11, 2015, 4:14:13 AM8/11/15
to Provider for Google Calendar
No Problem at all, I don't think this issue really depends on 2FA. I'm not quite sure what information to ask for to debug this issue yet. Some stabbing in the dark:

* Does it happen with Thunderbird or Postbox (or both?)
* When you create a new calendar, select Google Calendar, continue, there is a screen to select the session. Is there just one entry with your email address, or are there multiple entries, one for each calendar?
* Go to the saved passwords manager in the Thunderbird options, there you should see an entry like: kew...@gmail.com (Google Calendar OAuth Token). Does this entry exist, and does the "password" saved for that entry start with "1/" ? When restarting Thunderbird, before you log in again, is that entry still there?
* Check your cookie settings, are cookies either allowed for everything, or at least an exception created for Google?

Philipp

Jason Hutton

unread,
Aug 11, 2015, 9:31:27 AM8/11/15
to Provider for Google Calendar
1. Never tried PostBox before. Installed 4.0.3 to try now, along with Lightning and Provider. (Keefox appears incompatible, so couldn't replicate that part of my setup over.) The issue did not appear to occur there. I also use gContactSync 2.0.5 in Thunderbird; it uses OAuth tokens to interface with Google as well. Installed that in PostBox too on the off chance something's not liking multiple extensions using OAuth.... Still no issues in PostBox.
2. No duplicate entries appear when creating a new Calendar. (I do however use two email accounts+calendars with Thunderbird. Set them both up in PostBox too. No duplicates in either program, of email addresses or calendars.)
3. Yes, the Google Calendar OAuth Token entry exists in Saved Passwords, one for each account(2) in use. Looks same in both Thunderbird and PostBox. The saved password for each entry do start with a "1/" in both programs. Both remain present after restarting Thunderbird, even if I don't retype them again.
4. Haven't adjusted cookie settings for anything since installing Win10, so it'll be on default. I do have a bunch of Google-related cookies.

Jason Hutton

unread,
Aug 11, 2015, 11:26:11 AM8/11/15
to Provider for Google Calendar
Did some further testing on a completely different computer, and got steps to reproduce this at least in my case:

Windows 7 Pro x64
Thunderbird 38.1.0
Left on "Standard" install.
Unchecked use Thunderbird as my default mail application
Launched Thunderbird
Unchecked Email default client option. Unchecked Always perform this check when starting Thunderbird.
Selected "skip integration"
Selected "I think I'll configure my account later"
Selected "Keep" regarding Lightning extension prompt.
Closed the open source message.
Tools->Addons->Extensions
Checked extensions: Lightning 4.0.1 is included with Thunderbird 38.1.0
Left that as is.
Get Add-Ons->searched for "provider", installed Provider for Google Calendar 1.0.4.
Clicked Restart Now link.
Selected "I think I'll configure my account later"
Closed Addons Manager
Pressed Alt to get menu.
File->New->Calendar->On The Network->Google Calendar->Next
There are no accounts listed already on this screen now.
entered one of my @gmail.com email addresses
Next
Prompted for OAuth credential/permissions.
Logged in, clicked Accept button.
Selected all Calendars(Email account+Birthdays+Holidays in Canada+My name's Task List)
Next
Finish
Exited Thunderbird.
Started Thunderbird again.
Selected "I think I'll configure my account later"
No issues with a repeat OAuth Prompt.
Added my email account(same account I'm using with the calendar):
Alt for menu
File->New->Existing Email Account
Entered email address
Entered password
LEft Remember Password checked.
Continue
Left IMAP selected. Clicked Done.
Prompted for OAuth credential.
Signed in there.
Clicked Accept
Interesting. Thunderbird appears stuck at "Sending LOgin information" for Mail for mye...@gmail.com
Closed Thunderbird and reopened it.
Loaded email fine. Seems okay? No OAuth prompts.
Restarted Thunderbird again.
No issues, no OAuth prompts.
Switched to Calendar tab
Clicked Synchronize button.
No issues, no OAuth prompts.
Closed Calendar tab.
Alt for menu->Tools->Options
Security Tab->Passwords Tab->Saved Passwords
There are 4 saved passwords here:
1. IMAP
2. Google Calendar OAuth
3. OAuth for accounts.google.com
4. SMTP
Clicked Remove All, confirmed Yes, clicked Close, clicked OK.
Quit Thunderbird again.
Restarted Thunderbird again.
Prompted for OAuth for Provider for Google Calendar.
Entered credentials again, signed in. Clicked accept.
Prompted for OAuth for Google Account.
Entered credentials again, signed in. Clicked accept.
Restarted Thunderbird again.
No issues, no OAuth prompts.
Alt for Menu->Tools->Addons
Searched for keefox
Installed Keefox Keefox 1.4.4.1-signed (This machine already has Keepass 2.30 installed.)
Clicked Restart Now link.
Prompted for OAuth for Provider for Google Calendar (Interesting!)
Provided credentials, signed in, clicked Accept
Switched to Extensions tab out of curiousity; Installed extensions: KeeFox, Lightning, Provider for Google Calendar
Closed Add-ons Manager
Restarted Thunderbird.
Prompted for OAuth for Provider for Google Calendar
Provided credentials again, signed in, clicked Accept
Alt for Menu->Tools->Options
Saved Passwords
2 saved passwords here:
1. Google Calendar OAuth Token
2. OAuth for accounts.google.com
Clicked Remove All, confirmed Yes, clicked Close, clicked OK.
Quit Thunderbird again.
Restarted Thunderbird again.
Prompted for OAuth for Provider for Google Calendar.
Entered credentials again, signed in. Clicked accept.
Prompted for OAuth for Google Account.
Entered credentials again, signed in. Clicked accept.
Clicked Get Messages. seems fine...
Quit Thunderbird again.
Restarted Thunderbird again.
Prompted for OAuth for Provider for Google Calendar.
Entered credentials again, signed in. Clicked accept.
Quit Thunderbird again.
Restarted Thunderbird again.
Prompted for OAuth for Provider for Google Calendar.
Entered credentials again, signed in. Clicked accept.
Alt for menu->Tools->Addons
Disabled Keefox
Clicked Restart Now link
Prompted for OAuth for Provider for Google Calendar.
Entered credentials again, signed in. Clicked accept.
Quit Thunderbird again.
Restarted Thunderbird again.
Prompted for OAuth for Provider for Google Calendar.
Entered credentials again, signed in. Clicked accept.
Removed Keefox.
Quit Thunderbird again.
Restarted Thunderbird again.
Prompted for OAuth for Provider for Google Calendar.
Entered credentials again, signed in. Clicked accept.
Quit Thunderbird again.
Restarted Thunderbird again.
Prompted for OAuth for Provider for Google Calendar.
Closed window, uninstalled Thunderbird.

I'll point out as well, I've previously used gContactSync(Which also uses Google OAuth) for a long while without issue with Keefox. Provider for Google Calendar is the new kid on the block for me.

From the looks of this testing, if I had to guess, I'd say there's probably something that gets messed up with Provider if another extension touches how Passwords/OAuth are stored? As you can see, it doesn't seem to get fixed even after uninstalling the other extension, either. (Note in this test Keefox wasn't actually setup to *do* anything, it was just installed, and probably has some sort of handler for how Thunderbird deals with passwords, even if it's not being actively used: it'll change the login prompt for non-OAuth credential gathering in Thunderbird to have a Launch Keefox button, and will auto-fill passwords if it's been linked with Keepass and Keepass is running. Note this does not happen with OAuth credentials, just normal passwords.)

Jason Hutton

unread,
Aug 11, 2015, 2:25:48 PM8/11/15
to Provider for Google Calendar
I've tacked on info from here to a similar Keefox bug report. Let the finger pointing commence? :)

https://github.com/luckyrat/KeeFox/issues/511

David Lechner

unread,
Aug 11, 2015, 2:52:33 PM8/11/15
to Provider for Google Calendar
The problem with using KeeFox is that it sets the `signon.rememberSignons` preference to `false` in Thunderbird. In KeeFox 1.5.x, this setting is reset back to default when you uninstall or disable KeeFox. In older versions, you have to do this manually in about:config.

KeeFox 1.5.x also includes a new feature that will fill in you username and password in the google oauth dialog, however, it still pops up every time you start Thunderbird.

I haven't dug into the Provider for Google Calendar code yet to see what it is actually doing to store the password and if there is a way to work around `
signon.rememberSignons` being set to false.

Julian Sikorski

unread,
Aug 14, 2015, 3:36:11 PM8/14/15
to Provider for Google Calendar
That was it! I have reset signon.remembersignons to default (true) and the problem is gone! Thanks a million! (I did have keefox installed at some point).
Julian

Jason Hutton

unread,
Aug 14, 2015, 4:22:40 PM8/14/15
to Provider for Google Calendar
I'd generally be inclined to suspect the core problem(constant OAuth popups, and lack of using the saved OAuth credentials, would be something on Provider's end of things.

Rationale:
1. gContactSync also uses OAuth in the same installation environment, and saves and uses the OAuth credentials fine. (Within Thunderbird, without Keefox intervening.)
2. gContactSync doesn't pop up OAuth prompts(Other than the initial one.) in this same environment. (Whether it will with KeeFox 1.5.x due to changes there and moving OAuth credential storing out of Thunderbird into Keepass, is a question I can't answer, of course.)

Jason Hutton

unread,
Sep 24, 2015, 1:00:24 AM9/24/15
to Provider for Google Calendar
Same problem as reported here, really...

https://groups.google.com/forum/#!topic/provider-for-google-calendar/emKj7B5U6jw

Also, in my case, Keefox has been updated(1.5.3), and now stores and uses OAuth credentials, so it at least fills in the prompt for credentials that Provider appears to be causing...

Ruslan Andronov

unread,
Oct 16, 2015, 2:14:27 PM10/16/15
to Provider for Google Calendar
It seems, that I found solution after hours.  Can you please try?
When you create new google calendar you MUST enter email address into "pickup an existing session or enter your email address" input field.

So
1. Remove all google calendar
2. Create new calendar
3. Enter email into "pickup an existing session or enter your email address" input field
4. In popup window you should enter only password!

that's all

Keith Clinton

unread,
Oct 22, 2015, 2:42:18 PM10/22/15
to Provider for Google Calendar
Ruslan, 
This works perfectly,
Weird solution but if I don't choose to create a new calendar and just use existing calendar,
every time I start Thunderbird I get bombarded with password requests for every calendar.
Thanks for the suggestion.
--
K.C.

Francesco Munafò

unread,
Oct 26, 2015, 1:28:53 PM10/26/15
to Provider for Google Calendar
Yes, I confirm too.

To reproduce the error, create a new calendar (rough translation from Italian, exact terms may vary):

File->New->Calendar..->From the network ->Continue->Google Calendar->Continue

Here select the field radio button and leave the field *BLANK* (empty).

At this point you should see google logins (once first, then for every calendar), but then they are repeated at every startup, and for every calendar.

If you fill the email field with your gmail address, everything works fine instead.

Gregory Jansen

unread,
Jan 4, 2016, 1:28:07 PM1/4/16
to Provider for Google Calendar
Thanks a lot. I can confirm that this fix worked for me, as did the support forum. Thanks everybody!
Greg


On Friday, October 16, 2015 at 2:14:27 PM UTC-4, Ruslan Andronov wrote:

Florian Kühne

unread,
Oct 9, 2016, 11:10:25 AM10/9/16
to Provider for Google Calendar
Tanks Russlan,

can totally confirm that it worked for me too. But I also had to toggle "signon.remembersignons" back to true, even though i had a new clean install and Keepass Addon >1.5 (1.6.3 installed)

Stanimir Stamenkov

unread,
Oct 30, 2016, 9:54:14 AM10/30/16
to Provider for Google Calendar
I'm experiencing the same with SeaMonkey, and I'm seeing the following in the Error Console:

Timestamp: 30.10.2016 г. 15:42:15
Error: NS_ERROR_MALFORMED_URI: Component returned failure code: 0x804b000a (NS_ERROR_MALFORMED_URI) [nsIIOService2.newURI]
Source File: resource://gre/components/nsLoginManager.js
Line: 445

Timestamp: 30.10.2016 г. 15:42:15
Error: Assert failed: [Exception... "Component returned failure code: 0x804b000a (NS_ERROR_MALFORMED_URI) [nsIIOService2.newURI]"  nsresult: "0x804b000a (NS_ERROR_MALFORMED_URI)"  location: "JS frame :: resource://gre/components/nsLoginManager.js :: getLoginSavingEnabled :: line 445"  data: no]
2: [resource://calendar/modules/calAuthUtils.jsm:129] cal.auth.passwordManagerGet
3: [resource://gdata-provider/modules/gdataSession.jsm:154] getRefreshToken
4: [resource://gdata-provider/modules/gdataSession.jsm:209] get refreshToken
5: [resource://gdata-provider/modules/gdataSession.jsm:233] calGoogleSession.prototype.login
6: [resource://gdata-provider/modules/gdataSession.jsm:370] cGS_asyncItemRequest
7: [file:///C:/Users/stanimir/AppData/Roaming/Mozilla/SeaMonkey/Profiles/2mfjacfh.default/extensions/%7Ba62ef8ec-5fdc-40c2-873c-223b8a6925cc%7D/components/calGoogleCalendar.js:713] calGoogleCalendar.prototype.replayChangesOn
8: [resource://calendar/modules/calUtils.jsm -> file:///C:/Users/stanimir/AppData/Roaming/Mozilla/SeaMonkey/Profiles/2mfjacfh.default/extensions/%7Be2fda1a4-762b-4020-b5ad-a41df1933103%7D/calendar-js/calCachedCalendar.js:340] calCachedCalendar.prototype.synchronize
9: [resource://calendar/modules/calUtils.jsm -> file:///C:/Users/stanimir/AppData/Roaming/Mozilla/SeaMonkey/Profiles/2mfjacfh.default/extensions/%7Be2fda1a4-762b-4020-b5ad-a41df1933103%7D/calendar-js/calCachedCalendar.js:79] calCachedCalendarObserverHelper.prototype.onLoad
10: [resource://calendar/modules/calUtils.jsm -> file:///C:/Users/stanimir/AppData/Roaming/Mozilla/SeaMonkey/Profiles/2mfjacfh.default/extensions/%7Be2fda1a4-762b-4020-b5ad-a41df1933103%7D/calendar-js/calUtils.js:1240] notifyFunc
11: [resource://calendar/modules/calUtils.jsm -> file:///C:/Users/stanimir/AppData/Roaming/Mozilla/SeaMonkey/Profiles/2mfjacfh.default/extensions/%7Be2fda1a4-762b-4020-b5ad-a41df1933103%7D/calendar-js/calUtils.js:1246] calListenerBag.prototype.notify

Source File: resource://calendar/modules/calUtils.jsm -> file:///C:/Users/stanimir/AppData/Roaming/Mozilla/SeaMonkey/Profiles/2mfjacfh.default/extensions/%7Be2fda1a4-762b-4020-b5ad-a41df1933103%7D/calendar-js/calUtils.js
Line: 1021


These two are repeated twice, to be precise.

- Stanimir

b...@riorey.com

unread,
Dec 1, 2016, 12:33:20 PM12/1/16
to Provider for Google Calendar
Stanimir:

I've been struggling with this too. I think this is a newer issue than some of the earlier ones in the thread. Check out this bug, the latest patch in progress fixes things for me: https://bugzilla.mozilla.org/show_bug.cgi?id=1301422

-Ben
Reply all
Reply to author
Forward
0 new messages