Google-4-TbSync

Need to re-grant permissions after a few days/weeks

Open Giermann opened this issue 3 years ago • 4 comments

Follow up from here: https://github.com/zanonmark/Google-4-TbSync/issues/36#issuecomment-1181638964

I already followed the instructions here, but without success: https://github.com/zanonmark/Google-4-TbSync/issues/36#issuecomment-1288181010

I have the same issue on both of my two clients: After setting up everything according to the Wiki, it works for a couple of days (approx. 5-20) and then Thunderbird shows a dialog to grant permissions to the add-on. Further, the (only really needed) permission "See, edit, download and permanently delete your contacts." is always unchecked, so it is not sufficient to click three times on "Next", but I have to check the permission to continue.

According to @zanonmark this is not normal - so how can I debug this issue and what could be the source?

Giermann avatar Nov 03 '22 12:11 Giermann

I confirm this never happened to me.

Questions to investigate the issue:

  1. Which versions of Thunderbird, TbSync, Google-4-TbSync are You running?

  2. Did You install any other Thunderbird add-on?

  3. Do You have a normal Google account, or some special one (Education, etc.)?

Thanks, MZ

zanonmark avatar Nov 04 '22 07:11 zanonmark

  1. This happened with all versions I tried since May (when I started to use TbSync). I did switch to DAV-4-TbSync because of this issue and now had to return back, because Jobisoft removed the Google part completely. I did the reconfiguration now with TB 102.4.1, TbSync 4.3 and Google-4-TbSync 0.4.2 on 2 clients, both had the problem once since then. Today I updated to TB 102.4.2, but TbSync and Google-4-TbSync do not have newer versions.

  2. YES, I did - of course. But Provider-For-Google-Calendar for example does not show this issue. But no other add-on uses my developer credentials.

  3. Normal Google account, free of charge created for my android phone years ago.

Is there any kind of debugging I can enable to find the reason WHY the add-on displays the dialog? When I cancel the dialog, I see "Browser window closed before the authorization code was retrieved." in the error console, which comes from PeopleAPI.js. Unfortunately I do not understand why and when the AuthenticationWindow should show up. In fact, I do not know how the AuthenticationToken is being refreshed without showing the dialog...

Giermann avatar Nov 04 '22 08:11 Giermann

Thanks for Your feedback.

This could be some kind of misconfiguration in the Google Cloud Platform project, or in Thunderbird settings, or some old cache setting kicking in...

Yes, You may enable the "Verbose logging" option in the Google-4-TbSync account properties, although I'm not sure it's relevant here.

You could also try to delete (well, rename) the files (accounts68.json, changelog68.json, debug.log, folders68.json) under YOUR_TB_PROFILE/TbSync/, which would be like making a fresh installation of TbSync + Google-4-TbSync, then reconfigure the add-on from scratch (for real, i.e. with no previous settings pre-loaded).

If it's not working, please contact me privately for some more debugging.

Thanks, MZ

zanonmark avatar Nov 06 '22 20:11 zanonmark

Just for verification: Deleting the mentioned files seems not to delete really EVERYTHING from a prior configuration. I closed Thunderbird and deleted the files along with older versions (accounts.json, changelog.json, folders.json), then restarted TB and did the configuration from scratch for an Exchange account and my Google account.

But I wondered that, while authenticating my Google Account, it was already listed as a connected account. This could be because I also use Provider-For-Google-Calendar, but I guess almost all of your users do so, so this should not cause any trouble?

Further, I walked through the creation of developer credentials again and do not see any options that I could have missed or misconfigured. But until now, I did not set up another ClientID to check with.

I just wanted to give that feedback before I lean back to see if the Permissions dialog will show up in a few days... If so, I will contact you privately.

Giermann avatar Nov 07 '22 07:11 Giermann

After spending weeks or months with the patient support of @zanonmark, I finally close this request as "working as expected".

I don't know why you or other users do not need to re-grant the rights every time using the consent screen. But after digging into OAuth 2.0 further, it seems obvious that:

  1. An "Authorization Code" is being returned only after committing the consent screen
  2. An "Authorization Code" can always only be used once (I thought trying to request another "Refresh Token" with the same auth code would be a great idea, which is not): https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2
  3. As a result, you only get a "Refresh Token" after showing the consent screen and you have to keep it for future use: https://github.com/googleapis/google-api-php-client/issues/1686#issuecomment-522120704
  4. You can obtain "Access Tokens", as long as you remember the "Refresh Token" and until this becomes invalid
  5. The "Refresh Token" will expire after 7 days, if you use "Testing" app credentials and request scopes other than "userinfo.email", "userinfo.profile" and "openid": https://developers.google.com/identity/protocols/oauth2#expiration

Giermann avatar Feb 16 '23 17:02 Giermann
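The token lifecycle listed in the comment above, as an added example that is not part of the original thread or of Google-4-TbSync's code: it decides whether a client can use its access token, refresh silently, or must show the consent screen, and explains a rejected grant. The store fields, function names and sample responses are assumptions made for illustration; the error code `invalid_grant` is the one defined in RFC 6749 section 5.2.

```javascript
// Added illustration, not Google-4-TbSync code. Field and function names are
// hypothetical; the responses passed in are constructed samples shaped like
// RFC 6749 section 5.1 (success) and 5.2 (error).
const TESTING_REFRESH_LIFETIME_S = 7 * 24 * 3600; // 7-day limit quoted in the thread

// What must the client do next, and why?
function nextAuthStep(store, nowS) {
  if (store.accessToken && nowS < store.accessExpiresAtS) {
    return { action: "use_access_token", reason: "access token still valid" };
  }
  if (store.refreshToken) {
    return { action: "refresh", reason: "access token expired, refresh token stored" };
  }
  return { action: "consent", reason: "no usable refresh token stored" };
}

// Fold a token-endpoint response into the store and explain any failure.
function applyTokenResponse(store, grantType, status, body, nowS) {
  if (status === 200) {
    store.accessToken = body.access_token;
    store.accessExpiresAtS = nowS + body.expires_in;
    if (body.refresh_token) { // may be absent on a refresh: keep the stored one
      store.refreshToken = body.refresh_token;
      store.refreshIssuedAtS = nowS;
    }
    return { ok: true, reason: "tokens stored" };
  }
  if (body.error !== "invalid_grant") {
    return { ok: false, reason: "token endpoint error: " + body.error };
  }
  if (grantType === "authorization_code") {
    return { ok: false, reason: "authorization code rejected (invalid, expired or already used)" };
  }
  // Refresh token rejected: forget it so the next step is the consent screen.
  const ageS = nowS - store.refreshIssuedAtS;
  store.accessToken = null;
  store.refreshToken = null;
  return {
    ok: false,
    reason: ageS >= TESTING_REFRESH_LIFETIME_S
      ? "refresh token past the 7-day Testing lifetime"
      : "refresh token revoked or otherwise invalid",
  };
}
```

Logging the returned `reason` each time the consent path is taken shows whether the dialog follows a rejected refresh token or a token that was never stored.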

As per private communication:

this actually seems to be working as expected - still I don't understand why it doesn't work this way for all the other people including myself...?!

Thanks for debugging, MZ

zanonmark avatar Feb 18 '23 14:02 zanonmark