
Recently started getting "refresh token failed" every few minutes

Open alanorth opened this issue 2 years ago • 5 comments

I'm using davmail 6.0.0-1 in O365Interactive mode on Arch Linux. I have davmail.oauth.persistToken=true in my configuration. Every few minutes my token fails to refresh:

davmail.log:2021-08-05 10:10:30,182 WARN  [SmtpConnection-45344] davmail.exchange.auth.O365Token  - refresh token failed javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

After I manually auth in the browser and paste the URL with the blank white page I see this in the log:

2021-08-05 10:28:40,351 DEBUG [SmtpConnection-45346] davmail.exchange.auth.O365Token  - Access token expires Thu Aug 05 11:28:40 EEST 2021
2021-08-05 10:28:40,352 DEBUG [SmtpConnection-45346] davmail.exchange.auth.O365Token  - Token: {removed for privacy}

A few minutes later I have to do it all over again. Sometimes when sending a mail, sometimes when Thunderbird is just checking the inbox, etc. Happens both on OpenJDK 8 and 11, if that matters.

I'm slowly going insane. Is this some mis-configuration on my end, some restriction by my email admins, or what?

alanorth Aug 05 '21 07:08

I'm seeing the same behavior on and off (was happening with 5.4.0 but also 6.0.0).

holzman Aug 13 '21 21:08

In my case, this was a configuration issue (of sorts). I use O365Manual and had accidentally configured different passwords on my clients for SMTP and imaps access; so the refresh token was sometimes encrypted using the SMTP password, and sometimes encrypted using the imaps password.

holzman Aug 20 '21 19:08

Thanks for finding the answer by yourself, a wrong password on the client side was the most obvious way to explain your issue.

However the error message in DavMail should clearly state that, not just a generic crypto related error.

mguessan Aug 23 '21 15:08

The tricky bit (which confused me for a few days) was that the passwords weren't wrong, just inconsistent.

The IMAP and SMTP passwords I had configured client-side were different. If I talk to the server over IMAP and follow through the O365Manual auth steps, it stores the refreshToken - encrypted with the IMAP password. Then I'd try sending mail, which would fail since it couldn't decrypt the token with the SMTP password. I'd go through the auth again (prompted by sending mail), and it then stores the token encrypted by the SMTP password - and fetching mail would fail.

I guess we could just wrap this with its own try/catch and more informative error message here:

https://github.com/mguessan/davmail/blob/47d32a948f784acabfc1fd063b7104190370e479/src/java/davmail/exchange/auth/O365Token.java#L194

And a note in the docs stating that if davmail.oauth.persistToken is set, users should make sure they're using the same password for imap and smtp.

holzman Aug 23 '21 16:08
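
The failure mode described in the comment above, as an added example that is not part of the thread and not DavMail's code: a token stored under one client password fails to decrypt under another with a BadPaddingException, which is caught and reported with a specific message. The PBKDF2/AES-CBC scheme, the class and method names, the passwords and the token value are all assumptions constructed for illustration.

```java
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;

// Hypothetical class; the cipher and KDF choices are assumptions, not DavMail's scheme.
public class TokenPasswordMismatch {
    // Derive an AES key from the client password (illustrative PBKDF2 parameters).
    static SecretKeySpec key(String password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 10000, 128);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(k, "AES");
    }

    static byte[] crypt(int mode, String password, byte[] salt, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, key(password, salt), new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    // Decrypt the persisted token; turn the generic padding error into a specific one.
    static String decryptToken(String password, byte[] salt, byte[] iv, byte[] stored) throws GeneralSecurityException {
        try {
            return new String(crypt(Cipher.DECRYPT_MODE, password, salt, iv, stored), StandardCharsets.UTF_8);
        } catch (BadPaddingException e) {
            // A padding check alone misses roughly 1 in 256 wrong keys (garbage comes back
            // instead); an authenticated mode such as AES-GCM would reject every wrong key.
            throw new GeneralSecurityException("Unable to decrypt persisted refresh token: "
                + "client password differs from the one used when the token was stored", e);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16], iv = new byte[16];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        // Constructed values: token persisted during an IMAP session.
        byte[] stored = crypt(Cipher.ENCRYPT_MODE, "imap-password", salt, iv,
            "constructed-refresh-token".getBytes(StandardCharsets.UTF_8));
        System.out.println(decryptToken("imap-password", salt, iv, stored));
        try {
            decryptToken("smtp-password", salt, iv, stored); // SMTP session, different password
        } catch (GeneralSecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```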

In my case I narrowed it down to some or all of the following:

  • If my IP address changes (i.e. from house to coffee shop, VPN changes, etc)
  • If I close the browser where I did the authentication (for example to switch from Firefox Beta to Nightly, or reboot the computer)
  • If I close davmail

Now I find that I generally have to re-authenticate several times a day, rather than every few minutes. And when I have to re-auth, I have to do it for IMAP immediately after opening Thunderbird, then for SMTP when I send a mail. Cursing Microsoft in the strongest words possible.

alanorth Sep 07 '21 06:09