kkapsner / keepassxc-mail

MailExtension to talk to keepassxc
GNU General Public License v3.0

Thinks Microsoft oauth token changed on every fetch, gets stored in parallel with TB password manager #90

Closed haarp closed 8 months ago

haarp commented 1 year ago

Description

Hello,

I've started using this addon and migrated away from the native Thunderbird password manager. So far things seem to be working, with one exception: Microsoft (microsoftonline.com) over oauth with POP3. Thunderbird/this addon thinks the password has changed each time email is fetched. It will then:

Expected Behaviour

Never store passwords in the integrated password manager, as I have removed the master password and this is a security concern.

Current Behaviour

Always stores Microsoft oauth token in integrated password manager

Possible Solution

--

Steps to Reproduce (for bugs)

Context

Each fetch looks like this:

2023-08-13 02:32:01.842: Use last selected entry for *PURGED*@oauth://login.microsoftonline.com main.js:26:11
2023-08-13 02:32:02.685: Got new password for *PURGED* at oauth://login.microsoftonline.com main.js:26:11
2023-08-13 02:32:02.844: Use last store at entry for *PURGED*@oauth://login.microsoftonline.com main.js:26:11

Another oauth POP3 account for Gmail does not exhibit this behavior. Maybe the massive size of Microsoft's token plays a role?

Your Environment

Thanks!
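The three log lines above are the whole signal the reporter has, so a quick way to check whether an account really rotates its token on every fetch (as opposed to a one-off credential change) is to count the extension's events per account. The following is an added example written for this thread, not code from keepassxc-mail: it assumes the log lines keep exactly the shape quoted above (timestamp, one of the three message prefixes, user, host, optional source location), and the sample lines, the account names and the "every fetch" threshold are constructed for illustration.

```javascript
// Added example (not part of keepassxc-mail): summarise the extension's
// console log per account and flag accounts whose credential is reported as
// "new" on every fetch, which is the token-rotation pattern from the issue.

// Constructed sample log, shaped like the lines quoted in the issue.
// User names and the Google host are placeholders, not real data.
const SAMPLE_LOG = [
  // Microsoft OAuth account: each fetch produces a "new password" + store update
  "2023-08-13 02:32:01.842: Use last selected entry for alice@oauth://login.microsoftonline.com main.js:26:11",
  "2023-08-13 02:32:02.685: Got new password for alice at oauth://login.microsoftonline.com main.js:26:11",
  "2023-08-13 02:32:02.844: Use last store at entry for alice@oauth://login.microsoftonline.com main.js:26:11",
  "2023-08-13 02:42:01.110: Use last selected entry for alice@oauth://login.microsoftonline.com main.js:26:11",
  "2023-08-13 02:42:01.930: Got new password for alice at oauth://login.microsoftonline.com main.js:26:11",
  "2023-08-13 02:42:02.071: Use last store at entry for alice@oauth://login.microsoftonline.com main.js:26:11",
  "2023-08-13 02:52:01.305: Use last selected entry for alice@oauth://login.microsoftonline.com main.js:26:11",
  "2023-08-13 02:52:02.017: Got new password for alice at oauth://login.microsoftonline.com main.js:26:11",
  "2023-08-13 02:52:02.190: Use last store at entry for alice@oauth://login.microsoftonline.com main.js:26:11",
  // Gmail OAuth account: credential changed once, then reused on later fetches
  "2023-08-13 02:32:05.001: Use last selected entry for bob@oauth://accounts.google.com main.js:26:11",
  "2023-08-13 02:32:05.600: Got new password for bob at oauth://accounts.google.com main.js:26:11",
  "2023-08-13 02:32:05.720: Use last store at entry for bob@oauth://accounts.google.com main.js:26:11",
  "2023-08-13 02:42:05.014: Use last selected entry for bob@oauth://accounts.google.com main.js:26:11",
  "2023-08-13 02:52:05.020: Use last selected entry for bob@oauth://accounts.google.com main.js:26:11",
];

// timestamp, message prefix, user, host, optional "file:line:col" suffix
const LINE_RE = /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (Use last selected entry for|Got new password for|Use last store at entry for) (\S+?)(?:@| at )(\S+)(?: \S+:\d+:\d+)?$/;

const EVENT_NAMES = {
  "Use last selected entry for": "fetch",       // credential looked up for a mail fetch
  "Got new password for": "newPassword",        // extension believes the secret changed
  "Use last store at entry for": "storeUpdate", // entry written back to KeePassXC
};

// Returns {time, event, user, host} or null for lines that do not match.
function parseLogLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { time: m[1], event: EVENT_NAMES[m[2]], user: m[3], host: m[4] };
}

// Groups events by "user@host" and marks an account as "churning" when at
// least two fetches were seen and every one of them reported a new password.
function analyzeLog(lines) {
  const accounts = {};
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue; // skip unrelated console output
    const key = `${rec.user}@${rec.host}`;
    if (!accounts[key]) {
      accounts[key] = { fetches: 0, newPasswords: 0, storeUpdates: 0, churning: false };
    }
    const acc = accounts[key];
    if (rec.event === "fetch") acc.fetches += 1;
    else if (rec.event === "newPassword") acc.newPasswords += 1;
    else acc.storeUpdates += 1;
  }
  for (const acc of Object.values(accounts)) {
    acc.churning = acc.fetches >= 2 && acc.newPasswords >= acc.fetches;
  }
  return accounts;
}

// Usage: paste the lines from the extension console into SAMPLE_LOG and run.
for (const [account, stats] of Object.entries(analyzeLog(SAMPLE_LOG))) {
  console.log(account, stats);
}
```

An account marked churning is behaving like the Microsoft one in the report: the token genuinely differs on every fetch, so each fetch triggers a store update and, with "Save new credentials" prompting enabled, a save dialog. A non-churning account that still shows a "new password" line points at a real credential change rather than token rotation.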

kkapsner commented 10 months ago

Sorry for the late answer...

The repeated questions for the saving should go away if you tick "Do not ask again.".

Some questions:

  1. Does Thunderbird 115 behave the same?
  2. Is there a different behaviour when you use IMAP?
  3. Is there anything related to KPM in the Thunderbird console (Ctrl + Shift + J)?
  4. Do you see "Saving done" in the extension console?

kkapsner commented 10 months ago

Do you have "Save new credentials" enabled? (screenshot of the option omitted)

haarp commented 9 months ago

I've been testing this on Thunderbird 115. I've selected "Yes" and "Do not ask again" for the "Do you want to save the entered password for ..." question. I also enabled "Never ask before updating credentials" in KeePassXC (see #91).

Under these conditions, it seems Thunderbird will not save credentials to its own password manager anymore. I will monitor it for a while longer.

According to @kkapsner in #91, Microsoftonline/O365 really does update the token frequently, so the updates themselves are normal, to be expected, and probably unavoidable.