Multiple Gmail accounts losing auth

[bpothier]

I am using email-oauth2-proxy 2024-11-11 on Windows.
I have multiple Gmail accounts configured using the single imap/2993 server and sharing a single "personal" API client-id/secret (all added as test users).
All are individually added in config - not using catch-all account - using identical permission/token/scope/redirect/client_id/client_secret.
I have delete_account_token_on_password_error = False
I have encrypt_client_secret_on_first_use = False
I have use_login_password_as_client_credentials_secret = False
I have allow_catch_all_accounts = False
I am using Zimbra desktop as email client.
I can auth the accounts and they work.... for a while... until one/all seem to fail auth and need to be re-authenticated - hours to days later.

I have tried breaking the cache-store out to its own file, however it still breaks periodically. When it fails, it still purges everything except "last_activity" from authcache file - despite delete token on pass fail=false setting. When it is working, authcache contains the expected salt/iterations/access/refresh/expiry entries on each configured account. I notice several accounts end up with same last_activity value, so could a simultaneous/overlapping email fetch corrupt things? Email client is set to update every X hours, but could it end up running parallel updates?

Is there some coherency/race condition with multiple accounts on a single email-oauth2-proxy instance?

Do I need to configure a test API under each Gmail account, rather than sharing the same client-ID/secret across multiple accounts (with each added as allowed test user)?

For the Google API, I have only enabled the Gmail API bundle. is there a different API needed for renewing tokens or something? The configuration documentation is a little vague on specific API(APIs?) to add..

I have other apps (e.g. TrueNAS) configured to send email with their own internal Gmail API OAuth2 connection that have worked for months and across upgrades without issue(i.e. have not had to re-auth), so unsure if I need to add some additional API library to the Google API project created for this proxy client-id/secret?

I have not tried using a "well known" client-ID/secret rather than test/dev "personal" created one...

[simonrob]

There shouldn't be any problem with multiple concurrent requests for different accounts – this is a designed use-case (though please do report an issue if you find a bug here).

You mention the accounts are using the same token – could you clarify here? It's fine to duplicate accounts by copy/pasting the permission_url, token_url, oauth2_scope, redirect_uri, client_id and client_secret values, but you shouldn't duplicate the access_token, refresh_token and other values that are handled automatically. If this is what you've done, it may be that the accounts all require re-authenticating at the same time, which is creating the issue you're experiencing?

[bpothier]

To clarify, in emailproxy.config, I have multiple gmail entries with identical: permission_url, token_url, oauth2_scope. redirect_uri and they also share the same client_id and client_secret. I have removed all other entries from the accounts in the emailproxy.config
I have command line option: --cache-store "X:\xxx\authcache.txt" - I have not added/updated any entries to this file, it is all done by emailproxy - each account has own/unique entry for last_activity, token_salt, token_iterations, access_token, access_token_expiry, refresh_token - at least when they are working.
When the failure happens, emailproxy removes all except last_activity from that/those account.

I last did the re-auth last week some time and it has been working until I had a failure today and had debug log enabled. The last working connection and then the error lines are:

Last working connection today......
2024-12-23 12:08:01,289: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993)     <-- b'C01 OK Thats all she wrote! e123abcdefgh1234\r\n'
2024-12-23 12:08:01,290: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993) <-- b'C01 OK Thats all she wrote! e123abcdefgh1234\r\n'
2024-12-23 12:08:01,290: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993) --> b'C02 LOGIN [[ Credentials removed from proxy log ]]\r\n'
2024-12-23 12:08:02,110: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993)     --> b'C02 AUTHENTICATE XOAUTH2 '
2024-12-23 12:08:02,111: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993)     --> b'[[ Credentials removed from proxy log ]]\r\n'
2024-12-23 12:08:02,668: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993; [email protected])     <-- b'* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT LIST-EXTENDED LIST-STATUS LITERAL- SPECIAL-USE APPENDLIMIT=35651584\r\n'
2024-12-23 12:08:02,669: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993; [email protected]) <-- b'* CAPABILITY IMAP4rev1 AUTH=PLAIN SASL-IR UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT LIST-EXTENDED LIST-STATUS LITERAL- SPECIAL-USE APPENDLIMIT=35651584\r\n'
2024-12-23 12:08:02,670: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993; [email protected])     <-- b'C02 OK [email protected] authenticated (Success)\r\n'
2024-12-23 12:08:02,670: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993; [email protected]) [ Successfully authenticated IMAP connection - releasing session ]
2024-12-23 12:08:02,671: IMAP (127.0.0.1:64482-{127.0.0.1:2993}-imap.gmail.com:993; [email protected]) <-- b'C02 OK [email protected] authenticated (Success)\r\n'
.......
Next / failed attempt 12 hours later
.......
2024-12-24 00:08:09,884: New incoming connection to IMAP server at 127.0.0.1:2993 (unsecured) proxying imap.gmail.com:993 (SSL/TLS)
2024-12-24 00:08:09,884: Accepting new connection from 127.0.0.1:58401 to IMAP server at 127.0.0.1:2993 (unsecured) proxying imap.gmail.com:993 (SSL/TLS)
2024-12-24 00:08:09,905: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993) --> [ Client connected ]
2024-12-24 00:08:09,905: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993) <-> [ Starting TLS handshake ]
2024-12-24 00:08:10,298: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993) <-> [ TLSv1.3 handshake complete ]
2024-12-24 00:08:10,367: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993)     <-- b'* OK Gimap ready for requests from 12.34.56.78 m123456789abc\r\n'
2024-12-24 00:08:10,367: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993) <-- b'* OK Gimap ready for requests from 12.34.56.78 m123456789abc\r\n'
2024-12-24 00:08:10,368: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993) --> b'C01 CAPABILITY\r\n'
2024-12-24 00:08:10,368: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993)     --> b'C01 CAPABILITY\r\n'
2024-12-24 00:08:10,428: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993)     <-- b'* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER\r\n'
2024-12-24 00:08:10,428: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993) <-- b'* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=PLAIN\r\n'
2024-12-24 00:08:10,428: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993)     <-- b'C01 OK Thats all she wrote! m123456789abc\r\n'
2024-12-24 00:08:10,428: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993) <-- b'C01 OK Thats all she wrote! m123456789abc\r\n'
2024-12-24 00:08:10,429: IMAP (127.0.0.1:58401-{127.0.0.1:2993}-imap.gmail.com:993) --> b'C02 LOGIN [[ Credentials removed from proxy log ]]\r\n'
2024-12-24 00:08:11,191: Error refreshing access token for account [email protected] - received invalid response: {'error': 'invalid_grant', 'error_description': 'Token has been expired or revoked.'}
2024-12-24 00:08:11,193: Retrying login due to exception while refreshing access token for account [email protected] (attempt 1): TokenRefreshError()
2024-12-24 00:08:11,947: Error refreshing access token for account [email protected] - received invalid response: {'error': 'invalid_grant', 'error_description': 'Token has been expired or revoked.'}
2024-12-24 00:08:11,951: Retrying login due to exception while refreshing access token for account [email protected] (attempt 2): TokenRefreshError()
2024-12-24 00:08:12,589: Authorisation request received for [email protected] (interactive mode)
2024-12-24 00:08:12,594: Please authorise your account [email protected] from the menu

[bpothier]

In Google cloud console - IAM & Admin - Organization Policies, I see there is an active policy for:
Active | Allow extending lifetime of OAuth 2.0 access tokens to up to 12 hours | iam.allowServiceAccountCredentialLifetimeExtension

Could I just not be polling Gmail often enough and the token is unable to be extended/refreshed so is cancelled by email-oauth2-proxy?
As I mentioned before, in TrueNAS, there is an ability to send emails/alerts and it uses OAuth2 to allow access to Gmail for sending mail - but hopefully does not need to send alerts more frequently than 12 hours ,yet continues to have access to do so as needed...

[bpothier]

Ran across a very similar sounding issue but for Yahoo accounts: https://itsfoss.community/t/oauth2-email-proxy-for-legacy-email-clients/10302 -

Generally this thing works as expected, but every now and then, the config file gets empty. Say once a week, and when this happens, the config file has to be recreated, and a new oauth token has to be received from yahoo.
Recently we made the config file immutable, so it’s impossible to overwrite.
So the config file stays, still there are problems with login once a week (random recurring, so not like every wednesday 19:45 or such…)

[bpothier]

Well, must be that time of week again.. auth tokens expired again.. stopped proxy, changed client to T-Bird one and started it again... just in case it is related to free/testing "project" status...

[simonrob]

The proxy handles token expiration itself, so it shouldn't really matter how long or short the lifetime is. I've run the proxy myself for months on end with no issues in this area.

The Yahoo issue you've pointed to does indeed sound similar, but I'm afraid without any way of reliably replicating it there's not much I can do here.

[bpothier]

Ok, so far been a few days at least using T-Bird client_id without issue, but I'll keep an eye if it makes it over a week.
Could just be some quiet Google specific issue when using "testing" client_id's...?

Is there some additional debug/log to enable should it be needed? It just seems proxy receives "an error" when renewing the token so fails it out and requires manual re-auth... not sure if there is any other error/message to return though..

[simonrob]

The normal debug log will show the token renewal process. What I meant by replication was some way of reproducing the empty configuration file issue mentioned for that Yahoo account. This could just be an old bug that no-longer exists, however.,

[Arif2108]

🚀 Want a 1000% Bonus on 👉 1XBET? It's super easy! 😎

Here’s how to get started:

1️⃣ Sign Up and fill in your details.
2️⃣ Use Promo Code 👉 LOVET20 👈 for your 1000% bonus!

🎉 Awesome Perks Just for You:

• Welcome Bonus: 150% + 150 Free Spins! 🎰
• Deposit Bonuses on Mondays & Fridays—100%! 🔥
• Daily Freebies: 1xTOTO + 1 Free Spin! 🎉
• Cashback in real cash! 💵
• Birthday Gifts + Yearly Surprises! 🎁
• Referral and Special Promo Programs! 🤩

⏳ What are you waiting for? Sign up now and use promo code 👉 LOVET20 👈 for an awesome start! Let’s go! 😄