OAuth2 for gmail Not Working
TB 91.7.0 (64-bit). I used to send/receive Gmail with no problem; I started having issues around Oct 2021. I then set up a 3rd-party app password in my Gmail account for Thunderbird. That allowed me to send Gmail, but not receive; it kept asking for a password. Then I read to use OAuth2 and saw that Google will no longer allow 3rd-party app passwords, so I deleted it in Google and set both imap.gmail.com and smtp.gmail.com to use OAuth2 (both set for SSL/TLS).

I did this just for SMTP first, when the 3rd-party app password was still enabled. I could receive, but when I went to send, it would ask for a password, I would enter it, then it would send a message to my cell phone to allow Thunderbird, I would press Allow on my phone, and Thunderbird would come up with "Sending message..." with the progress marked all the way to the end, BUT it would never complete sending. I have to hit cancel; it then shows a failed message, unable to authenticate.

After I deleted the 3rd-party app password in Gmail settings, now when I start Thunderbird or try to receive emails, it goes through the same authorization process with my phone, but then never downloads any new emails. I have spent HOURS on this, extremely frustrated. (I have been forced to use MS Mail, which I really don't like; I am too used to Thunderbird, although I wish Thunderbird had checkboxes on emails to select them for deleting, moving, etc.)
Chosen solution
Toad-Hall, Christ1, Matt, thank all of you. I FINALLY solved the mystery. After uninstalling and reinstalling TB, and deleting the whole profile (which I had backed up), it still failed. I deleted TB from the firewall and put it back in; nothing was working. When I finally found the problem, I gave myself a swift hard kick in the A__ for not figuring it out sooner.

I have been developing a website that includes PHP, so I have XAMPP, but only have Apache running (not Mercury or Tomcat, which run mail servers). It was Apache, the localhost server. And it only gives a problem when setting up the Gmail account; no problem AFTER the Gmail account is verified. But to verify the account, the localhost server must interfere with TB trying to connect to Google's servers for the purpose of account authentication. Since I am developing the site, I automatically start XAMPP and Apache on bootup, and like I said, once the Google account is set up, there is no problem reading or sending email.

So I stopped Apache (XAMPP window still open) and voilà, TB authenticated the Gmail accounts. I turned Apache back on, and there was no problem reading/sending emails. I never thought about it, because I've had it on and running for months and it gives no problem reading or sending emails, and I am not running a local email server. Plus I have it come up and run Apache automatically, so I just never even thought about it. But after literally trying EVERYTHING else, I kept wondering what is on my laptop that means TB can't connect to Google...?

Anyway, you should add this to your list of things to check for when someone can't authenticate a new Gmail account: XAMPP with Apache running has to be stopped while authenticating. Again, thanks to all of you.

All Replies (8)
Info: https://support.google.com/a/answer/9012184?hl=en https://developers.google.com/identity/protocols/oauth2/native-app https://www.phpflow.com/php/how-to-change-xampp-apache-server-port/
It would seem they tend to use the same localhost port, e.g. 443, 8080, and URI 127.0.0.1. But this may well be the Google redirect URI, routing localhost to 127.0.0.1, which happens to be Apache.
Not really looked into this. The advice is simply to switch off localhost to get the authentication working, then switch localhost back on.
claude38 said
I really would like to understand why running a web server on localhost gets in the way. Google can certainly not directly send requests to it, so TB may be using some kind of reverse proxying. If that is the case, then there *should* be a way to configure the port TB uses for this purpose.
Because Thunderbird redirects the last of the flow to localhost so it can actually get the data. Something that is actually quite difficult in a web browser. Running your own web browser on localhost "consumes" the information posted to the link. Hence Thunderbird gets nothing.
The bottom line is you should not be running a browser on a local computer, except in perhaps some rare development situations. But if you are a developer you would understand why a web browser and something else both consuming information on the web ports would be a problem.
You might think there should be a way to configure the port. There is not.
Thank you, thank you, thank you jbeals108 for posting your solution. I also use Apachefriends and have been pulling my hair out trying to get this to work. I turned off Apache, signed in and finally was able to access my account. Very grateful :-)
This worked!! No more tail chasing. Big THANK YOU one and all who contributed to the "Chosen solution".
When setting up the OAuth, after the third page in the popup where you "Allow" the access, the popup then tries to open localhost. I could see my default virtual host address in the url of the popup!!! So turning off apache works, but it's not the solution!!! The popup handling code needs to be fixed. Not sure if that's gmail or thunderbird.
jnrheart said
When setting up the OAuth, after the third page in the popup where you "Allow" the access, the popup then tries to open localhost. I could see my default virtual host address in the url of the popup!!! So turning off apache works, but it's not the solution!!! The popup handling code needs to be fixed. Not sure if that's gmail or thunderbird.
Located some info: https://developers.google.com/identity/protocols/oauth2/native-app https://developers.google.com/identity/protocols/oauth2/web-server
This authorization flow is similar to the one used for web server applications. The main difference is that installed apps must open the system browser and supply a local redirect URI to handle responses from Google's authorization server. Loads more info at link but basically gmail instructs how to access and it requires local redirect uri setup.
It works ok until the installation of another program which is left running and controls the localhost.
Toad-Hall said
jnrheart said
When setting up the OAuth, after the third page in the popup where you "Allow" the access, the popup then tries to open localhost. I could see my default virtual host address in the url of the popup!!! So turning off apache works, but it's not the solution!!! The popup handling code needs to be fixed. Not sure if that's gmail or thunderbird.
Located some info: https://developers.google.com/identity/protocols/oauth2/native-app https://developers.google.com/identity/protocols/oauth2/web-server
This authorization flow is similar to the one used for web server applications. The main difference is that installed apps must open the system browser and supply a local redirect URI to handle responses from Google's authorization server. Loads more info at link but basically gmail instructs how to access and it requires local redirect uri setup.
It works ok until the installation of another program which is left running and controls the localhost.
Kind of shows that OAuth2 is not so good. Eran Hammer even left the committee while they were working through over 30 some drafts...
"It works ok until the installation of another program which is left running and controls the localhost."
It's not just localhost, it's localhost port 443. Uhh, most web servers are "left running" so that they can service the port... I realize that nowadays most developers use some form of virtual machine to run their dev servers, or they have the luxury of several machines running. Not so easy if you're mobile and use a laptop for development.
Here's an interesting, though dated, article: https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611
@ Toad Hall
Thanks for the links - very helpful.
It would be nice however, for the code to check if a server is listening on that port, before attempting to use it. I could have used some solid feedback about it, instead of scouring the internet for a solution.
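The check asked for in the last post, together with the collision-free alternative that RFC 8252 describes for native apps (bind the redirect listener to an OS-assigned loopback port), as an added Python example. It is not Thunderbird's code; `loopback_port_in_use` and `RedirectReceiver` are hypothetical names, and the `state` check is the standard OAuth2 guard against redirects this client did not request.

```python
import secrets
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs


def loopback_port_in_use(port, host="127.0.0.1"):
    """Return True if something (e.g. a local Apache) already accepts on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        return s.connect_ex((host, port)) == 0


class RedirectReceiver(HTTPServer):
    """Loopback listener for the OAuth2 redirect (hypothetical helper)."""

    def __init__(self):
        # Port 0: the OS picks a free port, so a dev server on 80/443 cannot collide.
        super().__init__(("127.0.0.1", 0), _Handler)
        self.expected_state = secrets.token_urlsafe(16)
        self.auth_code = None

    @property
    def redirect_uri(self):
        # This exact URI is what the client would send as redirect_uri.
        return f"http://127.0.0.1:{self.server_address[1]}/"


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        params = parse_qs(urlparse(self.path).query)
        state = params.get("state", [""])[0].encode()
        expected = self.server.expected_state.encode()
        # Accept only a redirect carrying the state value this client issued.
        if secrets.compare_digest(state, expected) and "code" in params:
            self.server.auth_code = params["code"][0]
            status, body = 200, b"Authorization received; you can close this window."
        else:
            status, body = 400, b"Unexpected redirect."
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass
```

Calling `loopback_port_in_use(443)` before starting the flow gives the "solid feedback" requested above when a fixed port is already taken.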