Troubleshooting credential-saving options for two-factor authentication accounts
I used Thunderbird 68 for a long time together with the keebird extension and a KeePass database.
Microsoft recently announced that classic authentication modes (IMAP and POP) would no longer be supported, so I am testing Thunderbird with KeePassXC-mail and KeePassNatMsg to manage OAuth authentication.
My configuration:
- Windows 10 professional 22H2
- Thunderbird portable 115.12.2
- KeePassXC-mail 1.8
- KeePass Professional Edition portable 2.57
- KeePassNatMsg 2.0.17.0
First test without any option
I have several Microsoft accounts and one with the Orange provider (I am French): for each, I configured POP and IMAP accounts in Thunderbird.
I first tested without checking any option checkbox in KeePassXC-mail (I kept the keebird entries in the KeePass database):
- it worked for the Microsoft accounts without a dialog prompt
- it worked with a dialog prompt for the Orange account, but after checking "don't ask anymore", KeePassXC-mail didn't find a password anymore. I had to reinstall the extension and the plugin
**Where is this user choice stored, and how can it be reverted for a given account?**
After that it worked again, but with a dialog prompt for all accounts.
I then tested the KeePassXC-mail options (my translation may be approximate):
"Auto submit" option:
- if unchecked, a dialog like the one above prompts to select the entry
- if checked, no dialog prompt anymore
"Save new credentials" option (classic authentication):
- it works fine for classic authentication: an entry is created in the KeePass database in a "KeePassXC-mail passwords" group. That entry is used on the next access to the account.
"Save new credentials" option (two-factor authentication):
- I got trouble with OAuth authentication for Microsoft accounts: a dialog prompts to save in KeePass, twice. On each subsequent access, a dialog prompts to create a new entry or update the existing one.
I investigated the OAuth protocol a bit and discovered that each access to the account begins with a token request to the OAuth server (oauth://login.microsoftonline.com for Microsoft);
**This token is temporary and different at each request, so why save it in the KeePass database? It seems useless, as it can't be reused?**
I examined the behaviour with the Thunderbird console: a request to oauth://login.microsoftonline.com is made (at least twice, sometimes three times), whether a relevant entry exists in the KeePass database or not.
The process is also quite invasive (and is repeated at least twice):
- KeePassXC-mail dialog prompt to confirm storing the token
- KeePassNatMsg dialog prompt to allow access (several times)
- KeePass dialog prompt to allow the entry creation (or update)
"Save new credentials without confirmation" option:
Contrary to what the name of the option suggests, the information does not seem to be saved.
**So the question remains: shouldn't the "save new credentials (with or without confirmation)" option ignore accounts with two-factor authentication?**
Silent process settings
At this moment, my settings for a silent process are, in KeePassXC-mail:
- check the "auto submit" option
- uncheck the "save new credentials" options
In KeePassNatMsg:
- uncheck "show a notification when credentials are requested"
- check the "use legacy host matching" option (don't prompt when the host matches the title/URL)
Last questions:
- What exactly does the "clear storage of the selected entries" button do?
- I don't understand why the KeePassNatMsg key shown in KeePassXC-mail doesn't match the one shown in the KeePassNatMsg options in KeePass. Hexadecimal conversion?
- Why does KeePassXC-mail ask for such permissions (total access to Thunderbird and the computer)?
Thanks in advance for the reply.
What are these files supposed to be? They are blocked by mediafire as dangerous.
> Where is this user choice stored, and how can it be reverted for a given account?

This choice is stored in the extension storage provided by Thunderbird. To reset it you have to click "Clear storage of selected entries":

> This token is temporary and different at each request, so why save it in the KeePass database? It seems useless, as it can't be reused?

This token is used the next time to access the server and is then renewed. So without saving it you would have to authenticate every time.

> a request to oauth://login.microsoftonline.com is made (at least twice, sometimes three times)

This is to get and update the right token.

> So the question remains: shouldn't the "save new credentials (with or without confirmation)" option ignore accounts with two-factor authentication?

This would only leave you with the option to store the token in the Thunderbird password manager...

> I don't understand why the KeePassNatMsg key shown in KeePassXC-mail doesn't match the one shown in the KeePassNatMsg options in KeePass. Hexadecimal conversion?

I display the database hash, which identifies the database. I think in KeePassNatMsg you see the key of the connection (I do not have that available at the moment... but in KeePassXC it's that way). I will display the first few characters of the key in the next version...

> Why does KeePassXC-mail ask for such permissions (total access to Thunderbird and the computer)?

To be able to interact with the password management system of Thunderbird it needs to use a so-called experiment. I already opened this ticket so that such high privileges no longer have to be requested. But as long as this is not implemented there is no other way.
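The renewal behaviour described in the answer above (the stored token is used on the next access and then renewed) is the standard OAuth2 refresh grant of RFC 6749: the client keeps a long-lived refresh token and trades it for a fresh, short-lived access token at every start-up, which is why the value seen in the console differs each time yet something still has to be stored. The following is an added illustration, not code from KeePassXC-mail, Thunderbird or Microsoft: an in-memory mock token endpoint and a client that persists only the refresh token in a dict standing in for the password-manager entry. The origin string oauth://login.microsoftonline.com is taken from the thread; refresh-token rotation (the server invalidating a refresh token once it has been used) and the names MockAuthServer, MailClient and simulate are assumptions made for this example.

```python
import secrets


class MockAuthServer:
    """Constructed stand-in for an OAuth2 token endpoint (the thread's
    login.microsoftonline.com is used only as a name). Not real provider code."""

    ACCESS_TTL = 3600  # access tokens are deliberately short-lived (seconds)

    def __init__(self, rotate_refresh_tokens=True):
        # Rotation: a refresh token is invalidated and replaced once used.
        # This is an ASSUMPTION for the example; the provider's real policy
        # is not stated in the thread.
        self.rotate = rotate_refresh_tokens
        self._valid_refresh = set()

    @staticmethod
    def _new_token(prefix):
        return f"{prefix}-{secrets.token_hex(8)}"

    def _issue(self, refresh_token):
        return {
            "access_token": self._new_token("at"),
            "refresh_token": refresh_token,
            "expires_in": self.ACCESS_TTL,
        }

    def authorization_code_grant(self):
        """Interactive login (browser, password, second factor). Only needed
        when the client holds no usable refresh token."""
        refresh = self._new_token("rt")
        self._valid_refresh.add(refresh)
        return self._issue(refresh)

    def refresh_grant(self, refresh_token):
        """grant_type=refresh_token: silent renewal, no user interaction."""
        if refresh_token not in self._valid_refresh:
            return {"error": "invalid_grant"}
        if self.rotate:
            self._valid_refresh.discard(refresh_token)
            refresh_token = self._new_token("rt")
            self._valid_refresh.add(refresh_token)
        return self._issue(refresh_token)


class MailClient:
    """Client that persists only the refresh token in `vault`, a dict standing
    in for a password-manager entry keyed by the oauth:// origin. The access
    token lives in memory for one session only."""

    def __init__(self, server, vault, origin, update_stored_token=True):
        self.server = server
        self.vault = vault
        self.origin = origin
        # False models saving the entry once and then declining every
        # "update the existing entry" prompt afterwards.
        self.update_stored_token = update_stored_token

    def start_session(self):
        """Obtain an access token for this session.
        Returns (access_token, interactive_login_was_needed)."""
        stored = self.vault.get(self.origin)
        interactive = False
        resp = self.server.refresh_grant(stored) if stored else {"error": "no_token"}
        if "error" in resp:  # no token, or the stored one was rejected
            resp = self.server.authorization_code_grant()
            interactive = True
        if interactive or self.update_stored_token:
            self.vault[self.origin] = resp["refresh_token"]
        return resp["access_token"], interactive


def simulate(sessions, rotate_refresh_tokens, update_stored_token):
    """Run `sessions` client start-ups against a fresh mock server and report
    which needed interactive login, how many distinct access tokens were
    issued, and how many distinct refresh tokens ended up stored."""
    origin = "oauth://login.microsoftonline.com"  # name reused from the thread
    server = MockAuthServer(rotate_refresh_tokens)
    vault = {}
    client = MailClient(server, vault, origin, update_stored_token)
    interactive_flags, access_tokens, stored_refresh = [], set(), set()
    for _ in range(sessions):
        access, interactive = client.start_session()
        interactive_flags.append(interactive)
        access_tokens.add(access)
        stored_refresh.add(vault[origin])
    return {
        "interactive": interactive_flags,
        "distinct_access_tokens": len(access_tokens),
        "distinct_stored_refresh_tokens": len(stored_refresh),
    }


if __name__ == "__main__":
    print("rotation, entry updated each time:", simulate(3, True, True))
    print("rotation, entry never updated   :", simulate(3, True, False))
    print("no rotation, entry never updated:", simulate(3, False, False))
```

Every session yields a different access token whatever the settings, which is what makes it look pointless to save. With rotation, the stored refresh token must be overwritten after each renewal; a client that saves the entry once and never updates it is rejected with invalid_grant on the third start-up and has to go through the interactive login again. That is the situation an "update the existing entry" prompt exists to prevent.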
I recently had trouble after changing the password of a Microsoft account.
During my investigations, I saw that Thunderbird stored the OAuth tokens internally (Settings > Privacy and Security > Saved passwords), even though I didn't ask it to remember the password during account creation.
Fixing my issue required deleting the account entry in Thunderbird's saved passwords and in the KeePass folder created by KeePassXC-mail during the tests made earlier.
So I wondered whether Thunderbird and KeePassXC-mail were not doing the same job.
After disabling KeePassXC-mail and restarting Thunderbird, Thunderbird manages to retrieve the new messages of my Microsoft account.
So Thunderbird needs KeePassXC-mail to manage accounts with classic authentication (if we don't ask it to remember the password during account creation) but apparently not to manage accounts with OAuth authentication (at least the Microsoft ones)?
The downside is that Thunderbird's password storage is less secure than KeePass, so some users would like Thunderbird to delete OAuth tokens at the end of the session.
OAuth tokens do work with KPM. The tokens need to be stored somewhere if you do not want to go through the OAuth setup every time you start Thunderbird.
For my accounts this is working fine when I have a proper oauth:// entry in KeePassXC. The initial setup can be tricky sometimes because I do not want to interfere with the account setup process too much.