We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Ko tenda hembiapoite sa’ivéta oñemba’apokuévo hese hembiapo porãve hag̃ua. Peteĩ jehaipyre nomoĩporãiramo ne apañuái ha eporanduséramo, roguerekohína ore nepytyvõ rekoha ikatútava ndeykeko @FirefoxSupport Twitter-pe ha avei /r/firefox Reddit-pe.

Avatar for Username

Eheka Pytyvõha

Emboyke pytyvõha apovai. Ndorojeruremo’ãi ehenói térã eñe’ẽmondóvo pumbyrýpe ha emoherakuãvo marandu nemba’etéva. Emombe’u tembiapo imarãkuaáva ko “Marandu iñañáva” rupive.

Kuaave

Ko téma oñeñongatúma. Ejapo porandu pyahu eikotevẽramo pytyvõ.

How to make TB NOT store OAuth2 token

  • 2 Mbohovái
  • 0 oguereko ko apañuãi
  • 13 Hecha
  • Mbohovái ipaháva Hollo

Hollo
Hollo
more options

Hi,

I'm using 2SV with OAuth2 and I want Thunderbird to not store the token. I have set the cookie preference to "allow for sesson" but sadly, TB stores an auth token in the passwords section so it will always store the token after one login and never ask for it again, essentially rendering the whole 2SV concept useless, and even worse, it will never ask for the password again either, taking the security risk to a whole new level.

Is there a way to make TB forget the auth token on close? I want it to ask for both the password and the authenticator code on every startup.

Thanks in advance!

Hi, I'm using 2SV with OAuth2 and I want Thunderbird to not store the token. I have set the cookie preference to "allow for sesson" but sadly, TB stores an auth token in the passwords section so it will always store the token after one login and never ask for it again, essentially rendering the whole 2SV concept useless, and even worse, it will never ask for the password again either, taking the security risk to a whole new level. Is there a way to make TB forget the auth token on close? I want it to ask for both the password and the authenticator code on every startup. Thanks in advance!

Opaite Mbohovái (2)

Wayne Mery
Wayne Mery
  • Moderator
  • Top 10 Contributor
more options

I know of no way to change that behavior and I did not find any requests on the bug system. It seems like an edge case, but perhaps someone will decide it is important. You will want to file an enhancement request at https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird

Hollo
Hollo Porandu apoha
more options

Thank you, I have filed a report. Currently you can only choose to not use 2FA or be forced to store the password so let's hope I'm not the only one seeing this as a problem with security. :)