kkapsner / keepassxc-mail

MailExtension to talk to keepassxc
GNU General Public License v3.0

Please help me configure Gmail oauth authentication on Thunderbird with KeePass 2 #84

Closed chryhm closed 1 year ago

chryhm commented 1 year ago

I would like to check my Gmail accounts and send emails using Thunderbird and KeePass 2, but I cannot manage to make it work. I would be very grateful if you could publish a step-by-step guide on how to achieve that.

I tried the following:

  1. I installed the keepassxc-mail plug-in on Thunderbird, then copied the PS script in a .ps1 file and ran it.
  2. I installed the keepassnatmsg plug-in for KeePass 2 and followed the procedure to install native messaging on Thunderbird.
  3. I saved credentials for the gmail accounts on KP, filling username & password fields, and in the URL field I input oauth://accounts.google.com.
  4. Tried to download the emails with Thunderbird. First a small window appears, asking if the email account to check is correct, then the oauth login browser window appears, with the username already filled, but on the next page the password field is empty.

What am I doing wrong?

Another method I tried was this:

  1. I disabled the keepassxc-mail plug-in temporarily and enabled Thunderbird's password manager
  2. I logged in to the accounts using the password manager to remember the oauth tokens
  3. From the password manager I copied the saved tokens into the password fields of the previously created KeePass entries
  4. I deleted all entries from Thunderbird's password manager and enabled keepassxc-mail again

Did not work. Please help.

Your Environment

kkapsner commented 1 year ago

Your steps seem OK. Two things to check:

  1. Please go to the debug console of keepassxc-mail (go to the add-ons page, click on the cog wheel and hit "Debug Add-ons" [image], then inspect keepassxc-mail [image]) and post the content of it (you might want to redact some information there).
  2. Disable the check for the protocol in keepassnatmsg (Match URL schemes... number five in the screenshot of the general options here)

chryhm commented 1 year ago

Thank you for your reply.

  1. I am posting the contents of the "Inspector" tab. [image]

  2. "Match URL schemes" was already disabled

Hope this helps. What should happen when I check for new mails for a gmail account and your plug-in is working correctly? In the credential entries in KeePass 2, should I simply use "accounts.google.com" in the URL field? Please let me know if there is anything more I could check.

kkapsner commented 1 year ago

Sorry - forgot to mention that I need the output of the "console" tab.

If you already have the oauth token in KeePass the mails should just be received. If you did not have it you will be prompted with a login (not sure if it will auto fill with the password from KeePass). The oauth token should then be stored in KeePass.

You should use "oauth://accounts.google.com" in the URL field.

chryhm commented 1 year ago

Sorry about the delay, but it's a very busy time and a complicated test, as every time I have to delete and then reconfigure all my credential configurations from Thunderbird.

I created all the oauth token entries in KP following your specifications, deleted all credentials saved in Thunderbird, then enabled the keepassxc-mail add-on, and checked my emails.

For the gmail accounts, I receive the following error: [image]

Emails for the other non-oauth accounts are downloaded and sent correctly.

These are the contents of the "console" tab after the operation. [image]

Am I doing something wrong?

kkapsner commented 1 year ago

The connection to KeePass is working. Please remove the entry for the oAuth and run through the authorization process in Thunderbird manually. The entry should then be stored in KeePass.

chryhm commented 1 year ago

After many tries I finally identified the problem, and solved it. Thank you for your time and help! Since I had two different KP entries for each account, one for Firefox and one for Thunderbird, it seems that keepassxc-mail only checked the first found entry, and if authentication with those credentials failed, it did not try the next, but it prompted the login window instead. Even if the "browser entries" were denied for keepassnatmsg, and the "thunderbird entries" were allowed, and these two settings were saved as plugin properties for those entries, still if the wrong entry was found first it would not skip to the second one. As a solution, I added a number at the beginning in the title of the "Thunderbird entries", and in keepassnatmsg settings I selected to sort found entries by title, rather than username.

kkapsner commented 1 year ago

If there are multiple entries you should see a dialog to select which one to use. In your screenshot above you can also see that keepassxc-mail only got one login... I have no idea why the second one was ignored.

But I'm glad that you have it working now.