[Users] OAuth2 authorization expires? (ToCM-list)

Dustin Miller dustbiz at gmail.com
Sun May 1 05:23:00 UTC 2022


On 5/1/22, Geoffrey Leach <geoffleach.gl at gmail.com> wrote:
> After a week or so, I noticed that my OAuth2 connection to gmail was
> no longer operational. After re-creating the authorization, I noticed
> this in the log: * OAuth2 access token expiry stored. Is renewal of
> the authorization something that is required on a regular basis?
> 
DM: Yes, as mentioned on the OAuth2 FAQ page
(https://www.claws-mail.org/faq/index.php/Oauth2), when your Claws Mail
'project' is set up with a publishing status of 'Testing', the
authorization will only last for seven days. Following is my proposed
edit for the relevant Note 3, which is currently awaiting moderation:

"3. Regarding "Publishing status", the initial default is 'Testing'. To
change this to 'In Production' click on the 'Publish App' button in the
'Publishing status' section of the 'OAuth Consent Screen', and then
click on 'Confirm'. This results in the status changing to ‘In
Production’ and a new section ‘Verification Status’ showing with a
‘Needs verification’ status, which can be safely ignored. In Claws Mail
v3.19.0 and v4.1.0 this currently will not work or may initially work
but only for a limited number of days, due to some changes Google has
recently made in their authorization requirements. If it is not
working, you will see an authorization error in the network log and not
be able to connect for sending / receiving email. If you go to the
'OAuth2' page of the Claws Mail settings and try to obtain a new
Authorization Code, you will see an authorization error in your browser
that includes something like the following: “Error 400:
invalid_request”  //  “You can't sign in to this app because it doesn't
comply with Google's OAuth 2.0 policy for keeping apps secure.”  //
“If you’re the app developer, make sure that these request details
comply with Google policies.”  //  “redirect_uri:
<nowiki>urn:ietf:wg:oauth:2.0:oob</nowiki>”. Solutions / workarounds
include:

a) The development team is working on implementing a fix for this,
which will likely be eventually included in git and then a future
release.

b) If you are willing and able to compile Claws Mail from the source
code, then you can go to this link
(https://lists.claws-mail.org/pipermail/users/2022-April/029933.html)
for instructions on implementing the fix yourself.

c) You can switch back to 'Testing' status on the same 'OAuth Consent
Screen' page you used before. For this to work you need to make sure
you've added the desired email address to the 'Test Users' list on the
'Edit App Registration' - 'Test Users' page of the 'OAuth Consent
Screen' setup process (or on the main 'OAuth Consent Screen' page).
Note that with this status each authorization code will only last for
seven days, after which you will be unable to connect and will see
authorization errors in the network log. To get a new authorization
code, go to the 'OAuth2' page of the Claws Mail settings and repeat the
steps for getting an authorization code and completing authorization.
(Note that there is no need to get a new client ID or client secret.)
(Information in this Note 3 is current as of 17 Apr 2022.)"

DM: I think you will find the above edit more helpful, depending on how
you decide to move forward in managing your accounts. Cheers, ---Dustin

