Authentication error
Checklist
- [X] I have used the search function to see if someone else has already submitted the same bug report.
- [X] I will describe the problem with as much detail as possible.
App version
6.904
Where did you get the app from?
F-Droid
Android version
13
Device model
POCO X3 GT
Steps to reproduce
1. Open mailbox
2. Add email address
3. Use OAuth2.0 to login
4. Display authentication error
Expected behavior
When I use OAuth2.0 and authorise successfully, the mailbox should log in successfully
Actual behavior
After I have successfully authorised using OAuth2.0, it prompts an authentication error
Logs
No response
See #8016
> See #8016

Oh, when I try to change the SMTP server from smtp.office365.com to smtp-mail.outlook.com according to the Microsoft docs, it also displays Authentication error.
I am experiencing the same issue on Poco X3 NFC with both 6.804 and 6.904
Can you try again on Thunderbird or K-9 Mail 8.2 or later? We've made some updates to the authentication especially in Thunderbird, so I am hoping this is resolved by now.
> Can you try again on Thunderbird or K-9 Mail 8.2 or later? We've made some updates to the authentication especially in Thunderbird, so I am hoping this is resolved by now.

When I saw this message, I tried to log in to outlook using Thunderbird 9.0, but still got an authentication error.
Finally, I logged into outlook using Thunderbird on my computer and backed up my settings and imported them to my phone, then successfully logged into outlook on my phone using Thunderbird.
Ah hmm, so it sounds like the settings that Thunderbird for Android initially chooses are incorrect, but whatever Desktop does works and when you import it, it continues to work? That might be a good angle to fix this issue.
> Ah hmm, so it sounds like the settings that Thunderbird for Android initially chooses are incorrect, but whatever Desktop does works and when you import it, it continues to work? That might be a good angle to fix this issue.

Maybe so, my default browser on both my computer and my phone is Firefox.
Alright. Can you share more info about the info you are entering into Thunderbird for Android that is failing? This is an outlook.com email address, or something else?
Ah I see you closed the issue - does it work now? If not then I'd love to get behind why this occurs.
> Alright. Can you share more info about the info you are entering into Thunderbird for Android that is failing? This is an outlook.com email address, or something else?

Oh, yeah. This is an outlook.com email address. When I open Thunderbird for Android and enter my outlook email address, it asks me to jump to the browser for authentication, after successful authentication, it redirects to Thunderbird for Android and connects to the server, but it takes a long time to output to the server, and after waiting for a while a failed authentication screen appears.

> Ah I see you closed the issue - does it work now? If not then I'd love to get behind why this occurs.

After logging in to my outlook email address on my computer and exporting the settings to my phone, it finally works on my phone.
I can reproduce this for my outlook.com email. autoconfig gives me these settings:
- Incoming IMAP Server: outlook.office365.com:993 with SSL/TLS
- Outgoing SMTP Server: smtp.office365.com:587 with StartTLS

When I continue, it does not use SSL/StartTLS apparently because it shows me the OAuth browser login. When I come back, the incoming server is properly verified, but the outgoing server shows the above error.
> I can reproduce this for my outlook.com email. autoconfig gives me these settings:
> - Incoming IMAP Server: outlook.office365.com:993 with SSL/TLS
> - Outgoing SMTP Server: smtp.office365.com:587 with StartTLS
>
> When I continue, it does not use SSL/StartTLS apparently because it shows me the OAuth browser login. When I come back, the incoming server is properly verified, but the outgoing server shows the above error.

Yeah, but it is currently possible to get Thunderbird on mobile to log into outlook.com email addresses by exporting the settings after Thunderbird for Windows logs into outlook.com email address.
Ok, more info on how to reproduce, and I know how to fix it now:
On your outlook.com account, make sure your Microsoft account has a different email than the outlook.com address. My login email (redacted) is [email protected], whereas my outlook.com email is [email protected]. When you try the login flow, you'll see it is unsuccessful.
The last OAuth flow responses will include something like
```json
{
  "access_token" : "random_token",
  "expires_in" : 3600,
  "ext_expires_in" : 3600,
  "id_token" : "random_token",
  "id_token_claims" : {
    "aio" : "random_base64",
    "aud" : "random_uuid",
    "exp" : 123123,
    "iat" : 123123,
    "iss" : "https://login.microsoftonline.com/random_uuid/v2.0",
    "name" : "Philipp Kewisch",
    "nbf" : 123123,
    "nonce" : "random_hex",
    "oid" : "random_uuid",
    "preferred_username" : "[email protected]",
    "sub" : "random_stuff",
    "tid" : "random_uuid",
    "ver" : "2.0"
  },
  "refresh_token" : "random_token",
  "scope" : "https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send",
  "token_source" : "identity_provider",
  "token_type" : "Bearer"
}
```
We need to use the preferred_username key from this response, rather than the email the user used to log in, when putting together the XOAUTH2 string.
We may also need to update autoconfig so it uses smtp-mail.outlook.com for outlook smtp.
I'm going to use https://bugzilla.mozilla.org/show_bug.cgi?id=1912676 on the desktop side where we need to fix this as well.
Here is a proof of concept script to reproduce. Please excuse the mess, it was purpose built:
```python
from msal import PublicClientApplication
from urllib.parse import parse_qs
import base64
import socket
import ssl
import time

# smtp_script_runner is defined further down in this same file, so the
# original "from smtp import smtp_script_runner" line is not needed.


def msal_client():
    app = PublicClientApplication(
        "9e5f94bc-e8a4-4e73-b8be-63364c29d753",
        authority="https://login.microsoftonline.com/common")
    result = app.initiate_auth_code_flow(
        scopes=[
            "https://outlook.office.com/IMAP.AccessAsUser.All",
            "https://outlook.office.com/POP.AccessAsUser.All",
            "https://outlook.office.com/SMTP.Send"
            # MSAL adds offline_access automatically
        ],
        # localhost should work as well, it just didnt for me in this script
        redirect_uri="https://login.microsoftonline.com/common/oauth2/nativeclient")
    print("Please visit: " + result["auth_uri"])
    query = input("Paste query string: ")
    # parse_qs URL-decodes the values and copes with "=" inside them,
    # which a plain split("=") does not.
    res = {k: v[0] for k, v in parse_qs(query.lstrip("?")).items()}
    result = app.acquire_token_by_auth_code_flow(auth_code_flow=result, auth_response=res)
    # Debug output: this prints the access and refresh tokens in clear text.
    print(result)
    token = result["access_token"]
    # Use the identity from the ID token, not the address typed by the user.
    username = result["id_token_claims"]["preferred_username"]
    xoauth2 = f"user={username}\001auth=Bearer {token}\001\001"
    print(xoauth2)
    xoauth2 = base64.b64encode(xoauth2.encode("ascii"))
    print(xoauth2.decode("ascii"))
    smtp_script_runner(
        server="smtp-mail.outlook.com",
        port=587,
        use_tls=True,
        commands=[
            "EHLO localhost",
            "AUTH XOAUTH2",
            xoauth2.decode("ascii")
        ]
    )


def smtp_script_runner(server, port=587, use_tls=True, commands=None):
    if commands is None:
        commands = []
    print(f"Connecting to {server}:{port}...")
    raw_sock = socket.create_connection((server, port))
    s_file = raw_sock.makefile('rb')
    # Server greeting
    print(s_file.readline().decode(), end='')
    if use_tls:
        raw_sock.sendall(b"EHLO localhost\r\n")
        while True:
            line = s_file.readline().decode()
            print(line, end='')
            if not line.startswith('250-'):
                break
        raw_sock.sendall(b"STARTTLS\r\n")
        print(s_file.readline().decode(), end='')
        # Upgrade the connection; the default context verifies the certificate
        context = ssl.create_default_context()
        sock = context.wrap_socket(raw_sock, server_hostname=server)
        s_file = sock.makefile('rb')
        sock.sendall(b"EHLO localhost\r\n")
        while True:
            line = s_file.readline().decode()
            print(line, end='')
            if not line.startswith('250-'):
                break
    else:
        sock = raw_sock
    print("\nSending predefined commands...\n")
    try:
        for cmd in commands:
            print(f">>> {cmd}")
            sock.sendall((cmd + "\r\n").encode())
            while True:
                line = s_file.readline().decode()
                print(line, end='')
                # Stop reading if not a continuation line
                if not line.startswith('250-') and not line.startswith('354-'):
                    break
            time.sleep(0.5)  # Small delay to allow server to process if needed
    finally:
        sock.close()
        print("Connection closed.")


msal_client()
```
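
The identity selection described in the comment above, as an added example that is not part of the original thread or the project's code. It assumes a client that receives only the raw `id_token` (not MSAL's decoded `id_token_claims`); all function names and the sample addresses are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    # Reads the payload without checking the signature. This relies on the
    # token having come straight from the token endpoint over validated TLS;
    # a token from any other source must be signature-checked first.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def xoauth2_user(token_response: dict, entered_address: str) -> str:
    # Prefer the identity the provider reports; fall back to what was typed.
    id_token = token_response.get("id_token")
    if id_token:
        user = id_token_claims(id_token).get("preferred_username")
        if user:
            return user
    return entered_address


def build_xoauth2(user: str, access_token: str) -> str:
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(encoded: str) -> dict:
    # Diagnostic helper: split a SASL XOAUTH2 string back into its fields.
    fields = base64.b64decode(encoded).decode("utf-8").split("\x01")
    return dict(f.split("=", 1) for f in fields if f)


def make_sample_id_token(claims: dict) -> str:
    # Constructed, unsigned sample token for the demonstration only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: account login differs from the mailbox address typed in.
SAMPLE = {"access_token": "sample_access_token",
          "id_token": make_sample_id_token({"preferred_username": "login@example.com"})}
```

When debugging a failing login, running `parse_xoauth2` on the string a client sent shows at a glance whether `user=` carries the typed address or the account's `preferred_username`; treat its output as a secret, since it contains the bearer token.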
@Hanxyz13 Can you test 11.0b1 on f-droid and confirm this is now working for you?
> @Hanxyz13 Can you test 11.0b1 on f-droid and confirm this is now working for you?

Oh, when I try to log in to outlook.com in this version, it still prompts authentication error.
Ah it appears f-droid is not yet updated, apologies. You'd need to test with the version from GitHub releases which you can find at https://github.com/thunderbird/thunderbird-android/releases/download/THUNDERBIRD_11_0b1/thunderbird-11.0b1.apk
> Ah it appears f-droid is not yet updated, apologies. You'd need to test with the version from GitHub releases which you can find at https://github.com/thunderbird/thunderbird-android/releases/download/THUNDERBIRD_11_0b1/thunderbird-11.0b1.apk

Oh, this version is still prompting for authentication error at the outgoing server when logging in to outlook.com.
Can you try with smtp-mail.outlook.com as well?
> Can you try with smtp-mail.outlook.com as well?

Oh, I tried to use smtp-mail.outlook.com to log in to my outlook.com, but it also displays authentication error.
Thanks for checking. Would you be able to provide us with some logs? https://github.com/thunderbird/thunderbird-android/wiki/LoggingErrors
Actually since we already have a PR here, let's continue the conversation in #9160