Unable to setup GMail account - Error 401: disabled_client Topic is solved

[Bilbo47]

set up an app password for GMail when using Thunderbird ... It's not difficult ... OAuth is overrated ... app passwords work

Looking for more detail on the following wrinkle. I already know how to do Ggl app passwords. For some of my GMail accounts, they continue to work. But for others of my GMail accounts, they have stopped working over the past coupla years. Navigating the Ggl account-settings to turn on allowing app passwords in the non-working accounts, Ggl says like 'app passwords are no longer supported.'

How can I revert the accounts where app passwords worked in the past but seem to be no longer available, so as to re-enable app passwords and once again use email clients that don't (need to) support OAuth?

[athenian200]

How can I revert the accounts where app passwords worked in the past but seem to be no longer available, so as to re-enable app passwords and once again use email clients that don't (need to) support OAuth?

I'm actually not sure that you can. I've seen situations before where Google allows people who are "grandfathered in" to some kind of functionality use it for varying periods of time, before it's eventually disabled on everything. For instance, I once had PayPal as a payment method on Google, but then made the mistake of removing it and trying to add it back because of a problem I was having... only to find I wasn't allowed to add it back because of a new policy and I had been grandfathered in. You could try enabling 2FA, but if that's already enabled on those accounts, then "app passwords are no longer supported" is probably just the way it is going to be from now on. My thinking is that Google may not allow app passwords forever, and will eventually require OAuth2, meaning there won't be a non-hacky way of using Epyrus with GMail, period. That's why I've left the OAuth2 code in Epyrus and left the door open for people to work around the issue by creating their own OAuth2 key.

It's worth noting that some OAuth2 e-mail providers never supported app passwords, and Google probably won't support them forever. Google can pull the plug on that at any time, and the situation really is only marginally better with other major e-mail providers.

[Bilbo47]

Well crap on a stick. Was trying to prove that the manually-entered prefs about:config => oauth2.google.clientid and oauth2.google.clientsecret were working for the Ggl account that is set for OAuth access only. Except I screwed up because the browser was logged in to a different, similarly named Ggl account. Dropped and re-added 2-Step Verification using the same phone number, and only saw the mistake when updating the password vault with duplicate info from the "other" account.

So now because of updating the security on the Ggl account that had App Passwords yesterday, it now no longer has them, and Ep can't do email with that account (unless I somehow get OAuth to work). A different non-Moz-ish client was able to receive email from that account, but not send through it, even after closing and re-opening the program. Whoops, that hang-over auth method stayed alive for only a few minutes before Ggl started refusing that client.

Aside: re-doing the security also dropped the Backup Codes, even without changing the Ggl account's main password, so had to re-generate them for just-in-case purposes.

Anyway it looks like the manually-entered OAuth2 prefs apply to all accounts and not on a per-account basis, is that right?
Edit: Where are these two prefs stored? Can't find them in the profile files.

[athenian200]

Anyway it looks like the manually-entered OAuth2 prefs apply to all accounts and not on a per-account basis, is that right?
Edit: Where are these two prefs stored? Can't find them in the profile files.

Not all accounts, but all GMail accounts. It wouldn't apply to a non-GMail account. You would only need one clientid/clientsecret set for all GMail accounts, there really shouldn't be a reason to set them on a per-account basis. In the future, I will likely have to introduce similar preferences for other major e-mail providers as they start phasing out IMAP support. So you might also see oauth2.aol.clientid and oauth2.aol.clientsecret, etc...

I have no idea where preferences are stored in user profiles (I'm totally clueless about user profile data and how it's structured, I've never worked with that side of things), but the preferences themselves are oauth2.google.clientid and oauth2.google.clientsecret. You can change them to different values, and if you want to not use OAuth2 at all for a given GMail account in Epyrus, you would have to select IMAP for that account manually in Account Settings).

I really do feel way out of my element with Epyrus, though. I feel like I know less about it than a lot of the people that use it, if I am being honest (which is why I'm glad this is a community forum rather than just people e-mailing me questions I don't know the answers to). I feel like I am just somehow getting it to compile and work around various limitations without really understanding it very well... like, a lot of what it can do and a lot of the underlying foundation is Thunderbird stuff I know nothing about as a user or a programmer but have inherited.

[Moonchild]

I have no idea where preferences are stored in user profiles

That would be prefs.js in the profile directory.

I really do feel way out of my element with Epyrus, though.

Don't feel bad. I've had the exact same feeling initially with Pale Moon because it's so large and complex, and I'm still sometimes running into things I didn't know yet, even after almost 15 years of doing this!

[Bilbo47]

I have no idea where preferences are stored in user profiles

That would be prefs.js in the profile directory.

Yes I know the settings have to be in that file; yet the only reason I asked here is because I didn't find them in there. Oh wait! I have a custom-config glitch where two Epyrus profile folders come up, but only one is live and the other is unused / vestigial. One is on an HDD and one is on an SSD. That's gotta be the problem; will confirm tomorrow.

[One prefs-set for all Ggl OAuth accounts] Okay but how does that make sense? Yes the email address is different between those accounts. But how does GMail know that I authorize Epyrus to log in for all my Ggl accounts using just those same OAuth keys, if it never went through the usual silly authorization dance that Ggl wants so much? Wouldn't Ggl normally want separate auth keys for each email address/account?

A different client here "used" to work with setting up GMail OAuth, but it seems like it breaks all the time, until an update is released, because Ggl keeps moving the goalposts of how the API works etc. The support forum is always full of threads like "OAuth is broken again" and this always means GMail, because Ggl is the only place insisting on forcing everyone to use OAuth. YGWYPF = You get what you pay for: GMail costs zero dollars, but it is definitely not free, in any sense. I'm sooo much happier using paid email services.

[athenian200]

[One prefs-set for all Ggl OAuth accounts] Okay but how does that make sense? Yes the email address is different between those accounts. But how does GMail know that I authorize Epyrus to log in for all my Ggl accounts using just those same OAuth keys, if it never went through the usual silly authorization dance that Ggl wants so much? Wouldn't Ggl normally want separate auth keys for each email address/account?

Well, I can't really justify Google's decisions, but let me explain briefly what OAuth2 does.

Those keys are not meant to authorize a specific account, they are meant to authorize a specific client to use OAuth2 with an e-mail service hosted by a given server. It's an e-mail client developer to e-mail service provider thing that has nothing to do with the user at all, period. If you look at how even Mozilla has implemented this, they have one set of keys for every provider. One of the bugs related to OAuth2 on Epyrus that I was actually able to address, in fact, was that we weren't using our Google keys for a non-Google domain that used Google servers for their corporate e-mail or something.

Now, obviously everyone using the e-mail client doesn't share the same tokens, and would need a different password, which is what I think you are referring to.

Google authorizes Outlook and Thunderbird to send OAuth2 requests for tokens using Google's API, because they are trusted. On top of that, the user also has to enter a password and confirm that they want the token to be issued. So both Google and the user have to agree to trust Epyrus, independently, for OAuth2 to work.

The problem for me is, Google doesn't trust my client. So I have to find workarounds, like having each user issue themselves a temporary development key or something. This is NOT how OAuth2 is supposed to work, at all. It is supposed to authenticate a client, not a user. I'm trying to work around that because my client isn't trusted. That is to say, this isn't about authenticating the user, this is about you even having the right to get that screen asking if you trust Epyrus and are willing to grant it permissions. You will get that screen on each GMail account separately, and when you confirm you are issuing a token.

What Google is doing with OAuth2, is denying Epyrus and any other client that isn't trusted by them, from even having the right to be granted permissions upon request. They are preemptively saying no, and saying you aren't allowed to give Epyrus permissions to access your account because it isn't a client that meets their standards. It's about protecting their servers, their interests. Not yours... normal passwords with TLS already covered that, this is something totally different.

So the reason why Google assumes you authorize Epyrus to use that OAuth2 key for all the Google accounts? It's because what you're technically claiming to Google when you generate an OAuth2 key and try to use it, is that you're an Epyrus developer and are investigating getting OAuth2 working with it in the future. You're using a developer-focused API to generate a type of key that you as a user are never even supposed to see. You're supposed to be oblivious to this layer of the transaction, and just see username and password prompts like always. It's technically supposed to be my responsibility, which is why Epyrus work is so depressing. Because I know I don't meet those standards Google has laid out, and have no choice but to involve the users directly in this mess of using hacky workarounds that were never intended for users in the first place. Or else eventually find Epyrus limited to random obscure self-hosted e-mail services, which isn't what I want.

So, if this were being done legitimately, here's what the process would look like:

1. I incorporate Epyrus, LLC and pick a registered agent.
2. I create a business-related account with Google.
3. I pay Google (or possibly someone on a short-list of Google-approved auditors) to do a rather stringent third-party audit of the Epyrus codebase (that can cost thousands or millions of dollars).
4. If the audit shows that Epyrus is secure, Google gives Epyrus, LLC an OAuth2 key to be used with Epyrus.
5. I put the OAuth2 key into Epyrus.
6. Users are then given the right to send their username and password through Epyrus (now trusted by Google) to access their Google account, after seeing a screen confirming that's what they want to do and detailing what permissions they are giving it. The user can still have the chance to deny Epyrus permissions, but without the OAuth2 key, the user can't even say no because Google is saying no for them, because they are rejecting the application and its developer from their service as a whole.

Obviously, step 3 is kind of the sticking point... that third-party audit. So we are doing this in a way where each user of the application has to setup a Google developer account and create a "testing" key, as if they were the application's developer. This is the workaround every open-source implementation of OAuth2 that doesn't have big money backing it has to rely on.

They've grandfathered in a lot of the older Google accounts run by people who would complain about this, giving them features like app passwords and use less secure clients that aren't offered to everyone, so it mostly affects younger people who cannot opt-out of OAuth2... and then they tighten their grip, and suddenly all those options go away and people just notice their stuff is broken on less popular clients, so they give up and use the popular ones.

[back2themoon]

Would using Epyrus on a different PC require a different set of clientid/clientsecret? It's the same profile folder (copy/pasted the entire Roaming/athenian200 folder) but I guess they will never be exactly the same since they are used independently (all accounts are IMAP).

[athenian200]

Would using Epyrus on a different PC require a different set of clientid/clientsecret? It's the same profile folder (copy/pasted the entire Roaming/athenian200 folder) but I guess they will never be exactly the same since they are used independently (all accounts are IMAP).

No, again if Epyrus were doing this correctly, there would only be one clientid/clientsecret for all users, it would be used to identify Epyrus as a client to Google, just like Mozilla's identifies Thunderbird as a client to Google for all TB users. The only reason each user needs to generate their own is because Epyrus isn't a proper application and you have to create a Google developer account and say that you're using Epyrus as your own personal application... that you're working on to be able to use OAuth2 with it.

But you see how effective Google's strategy here is, right? They've put this at a level that goes over most user's heads... they are used to thinking of authentication as being about the user, about the account, or even about the PC with Windows activation. The idea of a key to authenticate a client to a service without user involvement is so counter-intuitive that they won't quite believe or get that this is how it works (or at least is supposed to work)... and it is intended to be transparent to them, so much so that users do not get it even when it is explained to them. Pobably that's exactly what Google was counting on. They put the OAuth2 implementation at a level that goes over most user's heads but which manages to make developers and applications look very bad...

Here, maybe it would help to see what I'm seeing on my side...

Oauth2restrictedscopes.png

Oauth2usercap.png

Essentially telling users to create their own developer account is to get around a user cap that is intended for the developer. It has nothing to do with accounts or the number of PCs.

[back2themoon]

Ok, thank you for the extra info. Don't worry too much. Epyrus does it just fine and it IS a proper application.

All problems stem from Google. I am not really worried about setting this up, but about compatibility with their OAuth2 implementation/version/flavor or whatever it is.

I had some seemingly random glitches and issues again which I know are related to OAuth2. Never did they occur with the Normal password authentication. One more reason to migrate away from Gmail. I've tried it in the past and failed (lack of time etc.). Will try again soon.

[athenian200]

To underscore how much of a nightmare this is for open-source e-mail clients, I think I should show you this...

https://blog.thunderbird.net/2023/01/im ... ise-users/

While normal Microsoft accounts still work with IMAP seemingly, Enterprise ones do seem to require either Exchange or OAuth2 support, and Thunderbird has never supported Exchange (which in my opinion was the better protocol, but that's neither here nor there).

It took Thunderbird about a month earlier this year, to get OAuth2 working reliably with Microsoft enterprise accounts. If an organization like Mozilla has to work that hard and fumble around that much to meet OAuth2 publisher requirements, then you can imagine how much harder it would be for a project like Epyrus.

[back2themoon]

I see. The OAuth Controversy Wikipedia entry is an interesting read, too.

Also, this article from the OAuth 2.0 lead author is mentioned:

OAuth 2.0 and the Road to Hell

[Bilbo47]

[One prefs-set for all Ggl OAuth accounts] Okay but how does that make sense? Yes the email address is different between those accounts. But how does GMail know that I authorize Epyrus to log in for all my Ggl accounts using just those same OAuth keys... Wouldn't Ggl normally want separate auth keys for each email address/account?

Let me explain briefly what OAuth2 does. [Those keys are to authorize the client to use OAuth2 with an e-mail service hosted by a given server.]

Yes that all makes sense, thank you. My question, now that we have drilled down to it, has to do with getting the client to talk to all my various GMail accounts. Like, I created "my developer key" while logged in to *one* Ggl account, so I would certainly expect that key to allow OAuth access from [any client I can set up with my developer key] to *that* GMail account. But I could also see Ggl not allowing that key to access any *other* GMail account. What does the developer-access scheme say about that? Does a different GMail account of mine count as a "different server"? Again, I appreciate your efforts to support this!

The question has to do with: I can't verify that an existing Ggl.OAuth account in Epyrus is actually using my keys, because the other Ggl account somehow can't be switched from app-passwords (which capability is now un-grandfathered from that account) to OAuth. Next stop: Adding the two GMail accounts to a new test profile, as OAuth after installing my keys.

[Bilbo47]

I have no idea where preferences are stored in user profiles

That would be prefs.js in the profile directory.

The only reason I asked here is because I didn't find them in there. Oh wait! I have a custom-config glitch where two Epyrus profile folders come up, but only one is live and the other is unused / vestigial.

That wasn't it. The reason the prefs did not exist in prefs.js is because the pref-keys still had their default values. Probably I tested last month with "my developer key", found it did not work quickly, and deleted the custom pref-key-values, just to return that GMail account to a working state.

[athenian200]

That wasn't it. The reason the prefs did not exist in prefs.js is because the pref-keys still had their default values. Probably I tested last month with "my developer key", found it did not work quickly, and deleted the custom pref-key-values, just to return that GMail account to a working state.

Well, the process is very convoluted, and it probably won't be a practical solution for most people. There's so much you have to get right... you have to request the right scopes, set the key up a certain way, etc...

Like I said, this is absolutely not intended for end users, and I'm basically just refusing to give up on principle rather than because my solution is actually practical. I can't actually recommend Epyrus for anyone that needs reliable access to OAuth2.

If you play around with it enough, you might figure it out, but more than likely you won't. For all I know they've managed to block it and set it up so that my developer key is actually the only one that works, and now that I'm not verified and the 100 user cap is reached, that's it.

It seems like it still works in my testing when I create new keys, but it's possible they know it's my account and they are just doing that to keep me from finding out what the problem is. The problem is that I just fundamentally can't trust that anything I suggest will work reliably, because Google can always make it work differently for different people.

[Bilbo47]

I screwed up because the browser was logged in to a different, similarly named Ggl account. Because of updating the security on the Ggl account that had App Passwords yesterday, it now no longer has them, and Ep can't do email with that account (unless I somehow get OAuth to work).

The fix to this was to delete the login info for this GMail account from Epyrus, by whatever method. Testing on a different profile showed that Remove Account does not drop the login info from the logins.json file. I don't have a JSON editor, so renaming that file to a backup prompted Epyrus to re-do the OAuth access approval from scratch, complete with opening the mini-browser window to logging in to the Ggl account and grant Epyrus access. Note this was *without* removing the GMail account from Epyrus. Yes it was a quick PITA to dismiss the all of the three types of popup dialogs asking for login info ... for normal email accounts, OAuth email accounts, normal calendars, OAuth calendars, ugh.

Again, all this making OAuth work as expected was without any custom OAuth key. Why again is a custom key needed/recommended? Gonna try it anyway, now that I know all the other steps.

[athenian200]

The fix to this was to delete the login info for this GMail account from Epyrus, by whatever method. Testing on a different profile showed that Remove Account does not drop the login info from the logins.json file. I don't have a JSON editor, so renaming that file to a backup prompted Epyrus to re-do the OAuth access approval from scratch, complete with opening the mini-browser window to logging in to the Ggl account and grant Epyrus access. Note this was *without* removing the GMail account from Epyrus. Yes it was a quick PITA to dismiss the all of the three types of popup dialogs asking for login info ... for normal email accounts, OAuth email accounts, normal calendars, OAuth calendars, ugh.

Again, all this making OAuth work as expected was without any custom OAuth key. Why again is a custom key needed/recommended? Gonna try it anyway, now that I know all the other steps.

Yeah, I'm not surprised the old account with IMAP couldn't be migrated to OAuth2 easily. The reason the custom key is needed/recommended is because there's a 100 user cap on the one that comes with Epyrus, and once that's passed no new users will be able to use the key that's been created. I was kind of hoping there wouldn't be 100 users that needed to rely on my provided key, but it happened and now the problem that almost made me not want to release Epyrus to begin with, has kind of fallen back on my shoulders in a way... LOL. It did seem to take almost a year for that to become a problem, though.

I guess it's really not much of a lie to say that you're an Epyrus developer, though... if you're trying to use OAuth2 with Epyrus, you are pretty much debugging it...

[Bilbo47]

The fix to this was to delete the login info for this GMail account from Epyrus, by whatever method.

Duh. The method would be Tools => Options => Security => [Saved Passwords] => <select login> => Remove.

[Bilbo47]

Holy crap it works! Epyrus accessing GMail via OAuth2 using my private developer key The instructions by Claws-mail are barely helpful. Maybe I'll write it up better tomorrow, but any HowTo will be out of date as soon as Ggl changes their UI again.

I'm not surprised the old account with IMAP couldn't be migrated to OAuth2 easily.

Hey I got that working! - using the tricks discovered today.

The reason the custom key is needed/recommended is because there is a 100 user cap on [non-approved apps].

And if many users secure their own parachute key by following a decent HowTo then the 100 slots can be free for new users...

If you're trying to use OAuth2 with Epyrus, you are pretty much debugging it

Well it's more like debugging the dismal OAuth process. All the tricks have nothing new to do with Epyrus ... overriding a default pref-value is not so advanced, so that's the easiest part of setting this up.

[athenian200]

Holy crap it works! Epyrus accessing GMail via OAuth2 using my private developer key The instructions by Claws-mail are barely helpful. Maybe I'll write it up better tomorrow, but any HowTo will be out of date as soon as Ggl changes their UI again.

Glad to hear it! I was planning to try and do a better job explaining it than the Claws-Mail thing, but I never got around to it. I actually learned a lot about Epyrus from the stuff you were doing... I learned that the login data is stored in a logins.json JSON file in user profiles, and also where preferences are stored.

The funny thing is, I was always a UXP developer who knew more about the platform than any individual application, and tended to use Pale Moon and Epyrus stock because I was focusing so much on testing platform features with the Out of Box Experience that I really have surprisingly little experience using the applications as... well, a user. I rarely have to mess with my profile because I only really have one e-mail account that works with Epyrus, and often I am just testing new features in a clean temporary profile that gets generated in the build directory when I type ./mach run so actually having to live with and rely on a profile that can't easily be recreated from scratch is a reality I haven't faced.