10

From 30 May 2022 we will be required to use OAuth2, not normal passwords, to log in to Gmail accounts. How will this Google announcement affect Thunderbird? So, I've tried several times to change the Gmail accounts in my Thunderbird instance (versions 91.7.0, 91.7.1 and 91.8.1 at different times, on Kubuntu Linux 20.04) to use OAuth2.

However, when I try the required steps:

  • Account Settings > Server Settings > Authentication method = OAuth2
  • Remove existing password
  • Restart Thunderbird

after the expected OAuth2 login pages (email address, then password, then "Mozilla Thunderbird Email wants to access your Google Account"), I get an unexpected "Secure connection failed" page.

Secure connection failed
This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.
If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
Or you can add an exception...

The "add an exception" link does not do anything. There is no way past this other than closing the dialogue. The authentication is not successful.

The title bar of this dialogue window shows https://192.168.x.x/?code=... with my own IP address. I'm not clear why the OAuth2 process would need to call a web server on the local machine.

Reverting to "Normal password" enables the account to work correctly in Thunderbird, but this won't be possible after 30 May.

Joe P

6 Answers

13

In my case this is what fixed it, or appears to (I can't rule out that I made other changes to the system).

I am running a local web server using apache2 with a self-signed ssl certificate, which would be insecure for a public web server and requires a browser exception. The "Secure connection failed" page is what you normally see in Firefox / Thunderbird connecting to such a server.

If I stop apache2:

sudo systemctl stop apache2

then the Gmail OAuth2 authentication completes and I can receive and send email - starting apache2 again doesn't interfere with this, only with the initial password entry.

Note: The same issue would probably occur with any local web server running on the default port 443 (https) or 80 (http) and with a self-signed, expired or invalid ssl certificate, but I haven't tested it with any others. Others have reported that the same problem can occur with nginx.

(I still don't know why a call needs to be made at all to a local web server.)

Joe P
4

This answer is correct, but needs a small extension. This behavior can be caused by any application that listens on port 80 on localhost. On Linux, just check which application or service listens on localhost:80. You can run:

sudo netstat -plant | grep 80

and check which application it is in your case, then just switch it off. In my case it was:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1628/nginx: master 

calling (on Ubuntu):

sudo systemctl stop nginx

solved the problem.

2

PAY ATTENTION, THUNDERBIRD USERS, if Gmail OAuth2 appears not to be working properly.

https://support.mozilla.org/en-US/questions/1373706

It appears that if you have anything responding locally on port 443, Thunderbird refuses to log in using OAuth2 even if the popup credential request is satisfied.

In my case, I had IIS installed and running on my laptop, but I added a binding to https/443 using a self-signed certificate (this to test incoming connections using a secure protocol). This also interferes with Thunderbird, and may lead to failed Gmail authentication using OAuth2 (the only option today).

As soon as I shut down IIS (or removed the https/443 binding), Thunderbird resumed authenticating properly with the Gmail IMAP server.

user2991288
1

If you have a proxy server running (or simply active) on your machine, this will also interfere with Thunderbird detecting the redirection. In my case, I'm a developer running Fiddler, a web debugger that can act as the default system proxy and start automatically.

Apparently anything on localhost that responds on HTTP port 80 is enough to derail Thunderbird's initial authentication attempt.

Thanks to @JoeP and @MarekPodyma for the clues to look "outside the box".

Suncat2000
0

In my case, Thunderbird was also trying to redirect to localhost and refused to connect, with error: "Thunderbird detected a potential security threat and did not continue to localhost"

I had to stop the Apache service to get past this, and turn it back on again after Google authentication completed.

-1

I had a similar problem. But it so happened that I also had a self-signed certificate that Thunderbird didn't like, so I was in a loop of not getting redirected back to my local machine after successfully authenticating with Google. Not until I had to temporarily stop the Apache server.

systemctl stop apache2

Log in to the account remotely and get redirected back, finish the setup, and

systemctl start apache2

I hope this helps. :)
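
A narrower version of the listener check from the answers above, added here as an example and not part of any answer: it parses `ss -ltnp` output and reports only sockets bound to port 80 or 443, where a plain `grep 80` would also match 8080, PIDs and queue sizes. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from any answer on this page).
# Lists local TCP listeners on ports 80 and 443, the ports the answers
# above report as getting in the way of Thunderbird's OAuth2 redirect.

# find_web_listeners: reads `ss -ltnp` style lines on stdin and prints
# "<port> <local-address> <process-info>" for sockets bound to :80 or :443.
find_web_listeners() {
    awk '
    $1 == "LISTEN" {                  # skips the header line and other states
        addr = $4                     # Local Address:Port column
        port = addr
        sub(/.*:/, "", port)          # text after the last colon is the port
        if (port == "80" || port == "443") {
            # The process column is only filled in when ss runs as root.
            proc = (NF >= 6) ? $6 : "(process unknown; rerun with sudo)"
            print port, addr, proc
        }
    }'
}

# Constructed sample in the column layout of `ss -ltnp`.
# The 8080 listener, PID 2280 and the backlog of 80 on the mysqld line
# would all match `grep 80`, but none of them is a port-80 listener.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1628,fd=6))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("node",pid=2280,fd=19))
LISTEN 0 511 *:443 *:* users:(("apache2",pid=980,fd=4))
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=801,fd=22))
EOF
}

# Demo on the constructed sample. For live use:
#   sudo ss -ltnp | find_web_listeners
sample_ss_output | find_web_listeners
```

Stop whatever service it reports for the duration of the Google sign-in, then start it again, as the answers describe.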