FS#77208 - [thunderbird] OAuth2 authentication not working for Microsoft 365 Enterprise accounts

Attached to Project: Arch Linux
Opened by Vinu Moses (vinumoses) - Saturday, 21 January 2023, 18:52 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 28 January 2023, 12:52 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Antonio Rojas (arojas)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 8
Private No


OAuth2 authentication not working for Microsoft 365 Enterprise accounts

Additional info:
* package version(s)

* link to upstream bug report, if any

Steps to reproduce:
Upgrade to thunderbird 102.7.0
The app asks for an OAuth login but does not complete the login. Emails do not download.

If I downgrade to thunderbird 102.6.1 I am able to login into my MS Exchange account and everything works.
This task depends upon

Closed by  Antonio Rojas (arojas)
Saturday, 28 January 2023, 12:52 GMT
Reason for closing:  Fixed
Additional comments about closing:  thunderbird 12.7.0-2
Comment by Paul Hervot (Dettorer) - Monday, 23 January 2023, 09:29 GMT
I experience the same problem, upstream seem to have a fix that will be included in the next release (102.7.1).
Comment by Michal Kolodziejczyk (miko) - Monday, 23 January 2023, 15:54 GMT
Me too. Tried packages thunderbird-beta-bin, thunderbird-nightly-bin and betterbird-bin - none of them worked, I had to downgrade to thunderbird 102.6.1 - then it works again.
Comment by Robert de Jager (blob) - Tuesday, 24 January 2023, 08:37 GMT
The thunderbird devs are already aware of this, and will patch this soon.
See the release notes:
Comment by Marco Emilio Poleggi (sphakka) - Wednesday, 25 January 2023, 12:55 GMT
Nope, still broken with v102.7.0! Stay with v106, and pleeeease devs, avoid releasing critical upgrades without first checking potential upstream blockers.
Comment by Benoit Brummer (trougnouf) - Wednesday, 25 January 2023, 16:30 GMT
I can't blame Arch devs when the official download link points to this buggy version, but indeed when the release notes mention "Thunderbird 102.7.0 will not automatically update due to a critical authentication issue with Microsoft 365 Business accounts. Affected users should not update until Thunderbird 102.7.1 is released with a fix." in red, a repo downgrade is in order rather than just waiting for the next version.
Comment by Ville Aakko (Wild_Penguin) - Wednesday, 25 January 2023, 20:53 GMT
I agree with Benoit. A downgrade would be appropriate and welcome.

As a sidenote (hope I'm not chatting too much) - and I should point this upstream - this kind of "automatic release" should not happen in Linux distributions when the issue is even known by the team (Thunderbird) beforehand. The bug is critical and breaks the application for many users. Thunderbird should evaluate their release pipeline to prevent this kind of stuff from happening again.

(this is coming from someone who needed to do downgrades on two different distributions just to get my daily email red and work done)
Comment by Mark Wagie (yochananmarqos) - Wednesday, 25 January 2023, 21:02 GMT
Downgrading the repo package would be counterproductive. As already linked here, Mozilla has already fixed the issue and will be publishing the point release this week. If the package was downgraded, an epoch would have to be used. In practice, it rarely needs to be used and really should never be used. The best course of action is always working with upstream to solve an issue so downgrading is not necessary.
Comment by Peter Fern (pdf) - Thursday, 26 January 2023, 06:48 GMT
Their fix apparently tested okay internally, but it looks like they yanked the supposedly fixed release as it did not work. I don't know how Thunderbird communicate this sort of thing, but apparently they disabled automatic upgrades for this release for other platforms because they knew it was broken before publishing. Is there some way that we might track the auto-upgrade status of a release and not publish known-broken builds in future?