
#55 PassCmd breaks Oauth2 token

1.3.1
fixed
auth (2)
1.3.2
5
2020-07-29
2020-04-24
Max Gautier
No

Hi, and thanks for your work on mbsync.

I'm trying to sync a gsuite account. I need to use Oauth2 ( T_T ) and I managed to get it to work, unfortunately, the PassCmd configuration directive seems to somehow break my token.

When I use my command and copy-paste the output into the "Pass" option in my mbsync config file, it works flawlessly. When I use PassCmd, I get an auth error.

The token is of the form : xxxx.xxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx-xx-xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Where x stands for [a-zA-Z0-9]

Debug output with PassCmd : (base64 token redacted)

Connection is now encrypted
M: * OK Gimap ready for requests from 88.142.48.6 y8mb213389659wrn
M: >>> 1 CAPABILITY
M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH
M: 1 OK Thats all she wrote! y8mb213389659wrn
Logging in...
Authenticating with SASL mechanism XOAUTH2...
M: >>> 2 AUTHENTICATE XOAUTH2 <base64 string (172 char)>
M: + <base64 string 94 (char)>
Error: SASL(-13): authentication failure: server rejected XOAUTH2: {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}

Debug output with Pass :

Connection is now encrypted
M: * OK Gimap ready for requests from 88.142.48.6 t7mb378433581wmf
M: >>> 1 CAPABILITY
M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH
M: 1 OK Thats all she wrote! t7mb378433581wmf
Logging in...
Authenticating with SASL mechanism XOAUTH2...
M: >>> 2 AUTHENTICATE XOAUTH2 <base64 string (296 char)>
M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS COMPRESS=DEFLATE ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT LIST-EXTENDED LIST-STATUS LITERAL- SPECIAL-USE APPENDLIMIT=35651584
M: 2 OK user@domain.com authenticated (Success)
Error: SASL(-13): authentication failure: server rejected XOAUTH2:
Warning: SASL reported failure despite successful IMAP authentication. Ignoring...
M: >>> 3 COMPRESS DEFLATE
M: 3 OK Success
M: >>> 4 NAMESPACE
M: * NAMESPACE (("" "/")) NIL NIL
M: 4 OK Success

It seems that PassCmd somehow cuts the token in two?
In the PassCmd case, the first part of the base64 string (before the M: + line) seems to be the same as the beginning of the base64 string in the Pass case.
I have the SASL(-13) error in both cases, but it does not seem to prevent downloading my emails, so I guess it's not really important here...

OS : Archlinux
mbsync --version : isync 1.3.1
Lib sasl : cyrus sasl 2.1.27-2
Plugin XOAUTH SASL : https://github.com/robn/sasl2-oauth

Discussion

  • Max Gautier

    Max Gautier - 2020-04-24

    I garbled the debug output, forgot to use code tags. Here again (don't see an edit button?)
    PassCmd case

    Connection is now encrypted
    M: * OK Gimap ready for requests from 88.142.48.6 z4mb211079259wme
    M: >>> 1 CAPABILITY
    M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH
    M: 1 OK Thats all she wrote! z4mb211079259wme
    Logging in...
    Authenticating with SASL mechanism XOAUTH2...
    M: >>> 2 AUTHENTICATE XOAUTH2 <base 64 string 172 char long>
    M: + <base64 string 96 char long>
    Error: SASL(-13): authentication failure: server rejected XOAUTH2: {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}
    M: [ 1] Callback enter connect_store, sts=3
    

    Pass case

    Connection is now encrypted
    M: * OK Gimap ready for requests from 88.142.48.6 t7mb378433581wmf
    M: >>> 1 CAPABILITY
    M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH
    M: 1 OK Thats all she wrote! t7mb378433581wmf
    Logging in...
    Authenticating with SASL mechanism XOAUTH2...
    M: >>> 2 AUTHENTICATE XOAUTH2 <base64 string 296 char long>
    M: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS COMPRESS=DEFLATE ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT LIST-EXTENDED LIST-STATUS LITERAL- SPECIAL-USE APPENDLIMIT=35651584
    M: 2 OK username@domain.tld authenticated (Success)
    Error: SASL(-13): authentication failure: server rejected XOAUTH2: 
    Warning: SASL reported failure despite successful IMAP authentication. Ignoring...
    M: >>> 3 COMPRESS DEFLATE
    M: 3 OK Success
    M: >>> 4 NAMESPACE
    M: * NAMESPACE (("" "/")) NIL NIL
    M: 4 OK Success
    M: [ 1] Callback enter connect_store, sts=0
    pattern '[Gmail]/All Mail' (effective '[Gmail]
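
The length comparison made in the report above can be turned into a repeatable check. This is an added example, not part of the ticket and not isync code: it builds the XOAUTH2 initial response, bounds the token length implied by a logged base64 length, and decodes the server's `+` challenge. The address, the token and its length are constructed so that the output reproduces the 296, 172 and 96 character figures from the logs; the function names are hypothetical.

```python
import base64
import json

SEP = "\x01"  # Ctrl-A separator used by the XOAUTH2 mechanism


def xoauth2_initial_response(user: str, token: str) -> str:
    """Base64 argument a client sends after AUTHENTICATE XOAUTH2."""
    raw = f"user={user}{SEP}auth=Bearer {token}{SEP}{SEP}".encode()
    return base64.b64encode(raw).decode("ascii")


def token_len_range(b64_len: int, user: str) -> tuple:
    """Token lengths consistent with a logged base64 length (padding unknown)."""
    if b64_len % 4:
        raise ValueError("padded base64 length must be a multiple of 4")
    overhead = len(f"user={user}{SEP}auth=Bearer {SEP}{SEP}")
    full = b64_len // 4 * 3
    return (full - 2 - overhead, full - overhead)


def check_passcmd_output(output: bytes, user: str, logged_b64_len: int) -> list:
    """Compare what a password command printed with what the log says was sent."""
    problems = []
    first_line = output.split(b"\n", 1)[0]  # assumption: only line one is the secret
    token = first_line.strip()
    if token != first_line:
        problems.append("whitespace around token")
    if any(b < 0x21 or b > 0x7E for b in token):
        problems.append("non-printable byte in token")
    needed = len(xoauth2_initial_response(user, token.decode("utf-8", "replace")))
    if needed != logged_b64_len:
        problems.append(
            f"log shows {logged_b64_len} base64 chars, full token needs {needed}")
    return problems


def decode_challenge(b64: str) -> dict:
    """Decode the server's '+ <base64>' continuation, a JSON error document."""
    return json.loads(base64.b64decode(b64))


# Constructed sample values, not taken from the ticket.
USER = "user@example.com"
FULL_TOKEN = "x" * 185
ERROR_JSON = '{"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}'
CHALLENGE = base64.b64encode(ERROR_JSON.encode()).decode()
```

Running `check_passcmd_output` on the real command's output, with the account address and the length printed in the debug log, shows whether the string sent on the wire is shorter than the full token requires, without the token itself ever being pasted into a report.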
    
     
  • Oswald Buddenhagen

    • status: reported --> open
    • assigned_to: Oswald Buddenhagen
    • Fixed In: unknown --> 1.3.2
     
  • Oswald Buddenhagen

    use the 1.3 branch, it's already fixed there.
    yes, i'm being slow with the release.

     
  • Max Gautier

    Max Gautier - 2020-04-27

    Nice ! :) Thanks a lot.

     
  • Oswald Buddenhagen

    • status: open --> fixed
     
