
Increased security on Google keeps a new gContactSync account from being created #153

Open
VanceAyres opened this issue Jan 8, 2020 · 15 comments

@VanceAyres

In Address Book, clicking on gContactSync > New Account gives you the 1st screen where leaving it on existing account & selecting Next simply gives you a screen that says "Sign in with Google temporarily disabled for this app This app has not been verified yet by Google in order to use Google Sign In." Next is grayed out so the only options are Cancel or Back. On another site this info is provided:
Gold Product Expert
Rupert
12/21/19
Google have recently increased the security on Google Accounts by denying access to many apps and services that previously had access to google accounts. Google announced forthcoming changes to how apps sign in and gain access to your Google account several months ago, to give app developers plenty of time to conform to Google's requirements regarding account access.

If an app/service is showing the 'temporarily disabled' then the app developers need to work on getting their app verified by google in order to use Google Sign In.

More info on the security implications of allowing third-party apps and services to sign into your account and why these changes were considered necessary are provided here:
https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html

I went into Manage your Google Account & it showed Security issues found. I went into Secure account & I was able to tell it I trusted the developer of gContactSync. Even after I did this though it still gave me the same error.

To Reproduce
Anytime you try to use New Account under gContactSync in Address Book it does it.

Desktop (please complete the following information):

  • OS: LXLE 18 which is a spinoff of Ubuntu 18.04

Application

  • Application: Seamonkey
  • Application Version: 2.49.5
  • gContactSync Version: 2.1.13

Additional context
Is there a workaround? Can gContactSync be allowed to use an app password that you set up in your Google account?

@realdimas

Same issue here, applies to all account types: G Suite, Gmail, Google Account tied to 3rd party email.

Steps to reproduce:

  1. When prompted by gContactSync Wizard on start-up, select Use a new account
  2. Type email address
  3. Confirm email address and password in the web view
  4. Pass two-factor challenge

Expected result:
Receive OAuth consent form prompt.

Actual result:
Error shown

Authorization Error
Error 401: disabled_client
Sign in with Google temporarily disabled for this app. This app has not been verified yet by Google in order to use Google Sign In.

Learn more

Request Details
    response_type=code
    client_id=874495714229-5m7jmsjebv6nrf61q14siutq43bi1gvt.apps.googleusercontent.com
    redirect_uri=urn:ietf:wg:oauth:2.0:oob
    login_hint=[REDACTED]
    access_type=offline
    display=page
    scope=https://www.google.com/m8/feeds

Setup:

  • Thunderbird 68.6.0 running with default config on macOS 10.15
  • gContactSync version 3.1.7
  • no pre-existing accounts configured in gContactSync, fresh installation of both Thunderbird and gContactSync
  • javascript.enabled is set to true (which is a default currently)

It looks like OAuth is requesting https://www.google.com/m8/feeds which is part of Apps Script API.
According to the list at https://support.google.com/cloud/answer/9110914#sensitive-scopes Apps Script API is considered a "sensitive" scope and therefore requires additional steps in order to satisfy Google's new policy on the users' data protection.

Related articles:

@DaveB91

DaveB91 commented Apr 2, 2020

Just adding a +1 to this issue

@mwensveen-ebpi

Adding another +1.

@hargut

hargut commented Apr 11, 2020

Just read a bit on the requirements to be fulfilled, it seems to be necessary to meet at least the following:
https://developers.google.com/apps-script/guides/client-verification#requesting_verification

Requesting verification

You can request a verification of the OAuth client used by your app and its associated Cloud Platform (GCP) project. Once your app is verified, your users will no longer see the unverified app screen. In addition, your app will no longer be subject to the user cap.
Requirements

In order to submit your OAuth client for verification, you must satisfy the following requirements:

    You must own a web site on a domain. The site must host publicly-accessible pages that describe your app and its privacy policy. You must also verify your ownership of the site with Google.
    Note: You do not need to publish your app from an account in this domain, but the domain owner must be an editor or owner of the script project.

    The GCP project your script project uses must be a standard GCP project that you have edit access for. If your script is using its default GCP project, you must switch to a standard GCP project.

Best regards,
Harald

@Salubritas

I'm having this issue after a Thunderbird reinstall (to fix slowness/hangs).

I have a TB installation on another PC with a working gContactSync as it was set up way before this problem. Anyone know if there's a way to get the gContactSync config from the working TB installation and recreate on the non-working one? Would recreating the right config values work?

@ghost

ghost commented Apr 15, 2020

@Salubritas if the two Thunderbird installations are syncing with the same account this is a great idea. The gcontactsync directory inside the Thunderbird profile directory holds a preferences_backups directory that seems promising.

@Salubritas

Thanks for the tip. Unfortunately preferences_backups is empty on both machines.

@mvastola

mvastola commented Apr 16, 2020

So if anyone is interested (including but not limited to @jdgeenen) I implemented a temporary workaround for myself in a fork at https://github.com/mvastola/gcontactsync.

Basically, I just made a few small tweaks to allow using your own custom Google Developer Project, which doesn't have the verification requirement if you use it for your own account (or your G Apps domain).


Here are the instructions to use, but note this is really for advanced users only (which I'm guessing you probably are if you found this GitHub).

Instructions for Configuring Google Project:

  1. Create a project for this in the Google Developer console. (Avoid reusing an existing one for privilege separation and all that.)
  2. Enable the App Scripts API Library for your project.
  3. Configure the OAuth Consent Screen which is the screen you will be prompted with when you give gContactSync access to your contacts.
  4. Set the following and save.
    • Application type: Internal (this prevents your app from needing approval but limits access to only you and your organization).
    • Application name: Any name you want (this shows people what they're granting access to). 'gContactSync' works.
    • Under 'Scopes' click "Add Scope" and find "Apps Script API | ../auth/contacts". Add it.
  5. Go to the Credentials Page for your project and on top, click "Create Credentials" and from the dropdown choose "OAuth client ID". Then use the following settings:
    • For "Application Type" put 'Other'
    • For "Name" use 'gContactSync' or else anything you want.
  6. Copy the credentials that show (the "Client Id" and the "Client Secret"). You will need them for the next step.

Instructions for Configuring Thunderbird:

  1. Download my replacement extension from my fork. (Also feel free to examine the changes I made and even build it yourself with the build.sh script because it's bad practice to run untrusted code. I only changed maybe a dozen lines.)
  2. Install it from file in the Extensions tab.
  3. Go to about:config and create two string entries with keys extensions.gContactSync.googleAppClientId and extensions.gContactSync.googleAppClientSecret, and the values obtained above from Google.
  4. Use the extension like you normally do, and you should be prompted to refresh your permissions. When you do, it should work this time.

I'm happy to address any bugs in this code, but I'm not looking to take over the project or maintain a fork. I'm just not sure what @jdgeenen's status is and/or if this is abandonware (and therefore I'm not sure if I should submit a PR or else submit my version to the Thunderbird Addon Store). In any case, if you want my code it's all yours.
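An added example, not code from gContactSync or from the fork above, showing the mechanism the workaround relies on: resolving the OAuth client from the two about:config preferences named in step 3 (falling back to the add-on's built-in client when the override is incomplete) and building the Google authorization request with the same parameters shown in the "Request Details" earlier in this thread. The built-in client values and the `prefs` object are constructed stand-ins for the real add-on's credentials and preference store.

```javascript
// Preference names from the workaround instructions above.
const PREF_ID = "extensions.gContactSync.googleAppClientId";
const PREF_SECRET = "extensions.gContactSync.googleAppClientSecret";

// Constructed placeholder for the add-on's built-in client (not the real values).
const BUILTIN = {
  clientId: "BUILTIN-CLIENT-ID.apps.googleusercontent.com",
  clientSecret: "BUILTIN-CLIENT-SECRET",
};

// `prefs` stands in for the about:config store: a plain object keyed by pref name.
// The override is honoured only when both id and secret are set; a half-set pair
// would surface as confusing token-endpoint errors instead of a clean fallback.
function resolveClient(prefs, builtin = BUILTIN) {
  const id = (prefs[PREF_ID] || "").trim();
  const secret = (prefs[PREF_SECRET] || "").trim();
  if (id && secret) {
    return { clientId: id, clientSecret: secret, source: "override" };
  }
  return { ...builtin, source: "builtin" };
}

// Build the authorization URL with the parameters seen in the issue's
// "Request Details": authorization-code flow, out-of-band redirect, offline
// access (refresh token) and the Contacts feed scope. The secret is never
// placed in this URL; it is only used later at the token endpoint.
function buildAuthUrl(client, loginHint) {
  const params = new URLSearchParams({
    response_type: "code",
    client_id: client.clientId,
    redirect_uri: "urn:ietf:wg:oauth:2.0:oob",
    access_type: "offline",
    display: "page",
    scope: "https://www.google.com/m8/feeds",
  });
  if (loginHint) params.set("login_hint", loginHint);
  return "https://accounts.google.com/o/oauth2/v2/auth?" + params.toString();
}

// Parse a built URL back into a key/value object, handy for comparing against
// the "Request Details" block Google shows on its error page.
function describeAuthRequest(url) {
  return Object.fromEntries(new URL(url).searchParams.entries());
}
```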

@Salubritas

Thanks Mike, nice workaround. Personally I am using gContactSync to sync one standard Google account and one G Suite (Apps) account... so I guess this would require 2 x Google Projects and extensions, or more tweaks to shoehorn two IDs etc. into one extension!

Has anyone tried dropping an email to @jdgeenen? I guess he doesn't have time to do the work but maybe there is some way we can help. gContactSync is surely used by a lot of people and pretty critical to the entire TB project? An email client without a live address book for the biggest email provider is pretty lacking isn't it?!

Also... is the information about GCP OAuth verification relevant to this as a TB extension? I guess it needs to get verified in whatever way Provider for Google Calendar does it - that extension is still handling OAuth without problems:

https://github.com/kewisch/gdata-provider

@mvastola

mvastola commented Apr 16, 2020

@Salubritas, that's interesting and also really odd. This provider uses global constants named OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET which it uses to handle OAuth.

I'm not entirely sure how it has access to those since this provider was (but is no longer) a part of Thunderbird itself. Perhaps those are only available to that particular extension?

In any case, the Google OAuth ID/Secret seem to be hard-coded into the Thunderbird source code. I'm guessing that's where OAUTH_CLIENT_SECRET is set for the GCal provider? (The only issue is I can't find OAUTH_CLIENT_SECRET anywhere in the Thunderbird source code.)

Per the comments, apparently Google at some point will be switching to "dynamic client registration" which appears to be a way to -- instead of issuing a permanent ID and secret -- use a permanent "Client-Identifier" to obtain a unique client_id/secret for every install.

Honestly, I'm not sure of the security benefit to any of this (including the verification requirement causing the original issue). When these requests are all done from a client-side application (especially an open source one), it's inherently impossible for a "client secret" to live up to its name. The only recourse Google might have to someone piggy-backing on another app's credentials is to revoke them, which isn't really feasible for values that have been compiled in (especially in such a widely used app). For the time being, you probably could get away with using the credentials in the Thunderbird source code, though I'll stop short of endorsing it.

As an aside, I'm also totally unsure how Google defines an "Application" in the first place. Perhaps extensions are so much as permitted to use Thunderbird's allocated token since it all runs in the same app?

In any case, probably the safest resolution is for @jdgeenen, or anyone else who wants to do so, to make a domain, get it verified (and thus usable by the public), and have this extension use those values.

@hargut

hargut commented Apr 16, 2020

TbSync and the related Provider for CalDAV and CardDAV do work.

The Google calendar provider is functional and it looks like Cardbook could soon be working again.

For now those options could help to overcome the current situation.

@mvastola

@hargut, not familiar with Cardbook. Is it supposed to work with Google Contacts?

@Salubritas, I actually figured out how to elegantly hook in to the native credentials (without hard coding them) and made another branch on my fork to test. It doesn't work though because Mozilla hasn't enabled the Calendar API in their project because the tokens weren't meant to be used for that purpose. :-\

So the only viable solution remains someone applying to google to be authorized for this.

@mvastola

Update: I just bit the bullet and applied for the Google thing. Still not looking to maintain this though. If it's approved I'll just make a PR with the new credentials. I'll keep you guys posted. No idea how long it'll take.

@Salubritas

I've installed TbSync and the related provider and it seems to be working well.

I searched for a while and never found this extension! Searching TB add-ons for "google calendar", "google contacts" and "google address book" does not show it prominently.

I think if TB bumped "featured" extensions to the top of search results it would make a big difference. Plus TbSync could do with a more detailed description with all those keywords so it gets a better relevance ranking. The future of TB concerns me when stuff like this seems a lot harder than it should be.

Anyway, TbSync looks like a great solution so thank you for that.

@hargut

hargut commented Apr 17, 2020

@mvastola Cardbook currently has the same issue with the Google connection, but its developer is already trying to get that fixed by registering the id properly. Up till now Cardbook is my favorite, but I've currently also installed TbSync as it gets the job done right now.

https://gitlab.com/CardBook/CardBook/-/issues/839

8 participants