Bug#1025729: evolution-data-server: Gmail OAuth2: "Access blocked: GNOME Evolution’s request is invalid"

Full Name somebody5934 at yahoo.com
Fri Dec 9 02:11:33 GMT 2022


I plan to upgrade later this month. The issue will affect Debian 11 the
same, as the package version is less than 3.44.2 in Debian 11. 

From
https://developers.google.com/identity/protocols/oauth2/resources/oob-migration,
compliance dates are as follows:

> February 28, 2022 - new OAuth usage blocked for the OOB flow

> September 5, 2022 - a user-facing warning message may be displayed to
> non-compliant OAuth requests

> October 3, 2022 - the OOB flow is deprecated for OAuth clients
> created before February 28, 2022

> January 31, 2023 - all existing clients are blocked (including
> exempted clients). Clients may request a one-time extension to
> continue using the OOB flow until January 31, 2023, as instructed in
> the email message sent to affected clients.

(I was unable to find that email in my blocked account, so that doesn't
seem to be a workaround)

They seem to be rolling out the blocking slowly to reduce impact; one
of my Gmail accounts is affected but the other two aren't yet. But all
accounts will be blocked on Jan 31st.

Did you test it with an existing account or a fresh account? A fresh
account should be blocked as of February.

To reproduce for an existing account that hasn't yet been blocked, I
think revoking Evolution from third party app access should do the
trick:

1. Log in to Google
2. Go to https://myaccount.google.com/permissions?pli=1
3. Under GNOME Evolution, Remove Access
4. Attempt to log in using Evolution
5. You should get the following error message:
"Access blocked: GNOME Evolution’s request is invalid"
"You can’t sign in because GNOME Evolution sent an invalid request."

Under error details,
"Error 400: invalid_request
The out-of-band (OOB) flow has been blocked in order to keep users
secure. Follow the Out-of-Band (OOB) flow migration guide linked in the
developer docs below to migrate your app to an alternative method.
Request details: redirect_uri=urn:ietf:wg:oauth:2.0:oob"

That should hopefully make it consider it "new usage". I would verify
this 100% myself, but I do not want to lock myself out of my remaining
Google accounts before I have a fix ready to install. I'll post an
update after I upgrade to 11 just to confirm 100% it is also broken
there, but I'm pretty confident on that based on the version numbers.


On Thu, 2022-12-08 at 15:23 -0500, Jeremy Bicha wrote:
> On Wed, Dec 7, 2022 at 10:48 PM James Taylor <somebody5934 at yahoo.com>
> wrote:
> > Package: evolution-data-server
> > Version: 3.30.5-1+deb10u2
> > Severity: important
> > 
> > Dear Maintainer,
> > 
> > Google deprecated a type of OAuth flow on Feb 28, 2022. This was
> > fixed and addressed upstream shortly after at
> > https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/388
> > and the fix was included in version 3.44.2. However, Google has
> > recently begun blocking the old format. My OAuth2 token expired
> > December 7th, 2022 so I can no longer access my Gmail account from
> > Evolution. A suitably recent version is available in Testing.
> 
> Debian 10 has reached end of life for standard support. Please upgrade
> to Debian 11.
> 
> I was able to successfully log into a Google account today using
> Debian 11 using GNOME Settings > Online Accounts.
> 
> Could you provide detailed steps for how to reproduce this bug from a
> clean Debian 11 install?
> 
> Thank you,
> Jeremy Bicha
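
A check for the condition shown in the error details above, as an added example that is not part of the original thread or of Evolution's code: it classifies the `redirect_uri` of an OAuth authorization request so that requests still using the OOB flow can be found in captured URLs. The sample URLs, the `EXAMPLE_ID` client id, the function names and the "loopback"/"other" categories are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# First value: quoted in the error details above. The other two are the
# variants Google's OOB migration guide lists alongside it.
OOB_REDIRECTS = {"urn:ietf:wg:oauth:2.0:oob", "urn:ietf:wg:oauth:2.0:oob:auto", "oob"}


def classify_redirect(auth_url):
    """Classify an authorization request as 'missing', 'oob', 'loopback' or 'other'."""
    # parse_qs percent-decodes, so encoded and plain forms compare equal.
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [])
    if not values:
        return "missing"
    # A repeated parameter is judged by its worst value.
    if any(v.strip().lower() in OOB_REDIRECTS for v in values):
        return "oob"
    try:
        parts = urlsplit(values[0].strip())
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return "other"
    host = parts.hostname or ""
    if parts.scheme == "http":
        if host == "localhost":
            return "loopback"
        try:
            if ipaddress.ip_address(host).is_loopback:
                return "loopback"
        except ValueError:
            pass  # host is a name, not an IP literal
    return "other"


def find_oob_requests(auth_urls):
    """Return the authorization URLs that still use the OOB flow."""
    return [u for u in auth_urls if classify_redirect(u) == "oob"]


# Constructed sample requests; EXAMPLE_ID is a placeholder client id.
BASE = "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_ID&response_type=code"
SAMPLES = [
    BASE + "&redirect_uri=urn:ietf:wg:oauth:2.0:oob",
    BASE + "&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob%3Aauto",
    BASE + "&redirect_uri=http%3A%2F%2F127.0.0.1%3A41523%2Fcallback",
    BASE + "&redirect_uri=http%3A%2F%2F%5B%3A%3A1%5D%3A8080%2F",
    BASE,
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(classify_redirect(url), url)
```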


