-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problem refreshing access token with Offlineimap #42
Comments
On Fri, May 10, 2024 at 07:54:45AM GMT, pablob127 wrote:
Is oama supposed to do the access token renewal on its own?
Yes of course, that should happen automatically.
If so, why isn't it doing it? What am I doing wrong?
oama has not been officially released yet. I assume you built it from
source and ran into some inconsistent state with your old setup.
I have just committed the (most likely) final changes before the
release. There are breaking changes, so please read the README
carefully.
So you need to build it again or alternatively, can download a pre-built
static binary from here:
https://s3.sr.ht/builds.sr.ht/artifacts/~petrus/1217865/856d484afcb3c69e/oama.tar
|
It turns out that I was using the latest mailctl version, not oama (I was just renaming it so it would be closer to the real one once it was released). Now that oama is released, I tried to switch but I am running into the Microsoft organizational authorization issue reported in issue #44 . |
Try the most recent |
Unfortunately, it does not. It is version 0.10.1, I could authorize properly (I had the same issue with the redirect URI as other people had), but I have just tried and offlineimap bailed out with an "unable to authenticate" after some time. How can we try to debug this? |
How can we try to debug this?
You can start by sending the output of the `oama printenv` command.
Also by asking other users, you are not the only one using oama with
similar setup.
|
Here's the result of 'oama printenv':
|
release 0.11.1 has a new command |
I'm trying to solve similar problem with renewals as in this ticket (i.e. authorize works fine for 50 minutes or so, renewal doesn't happen). I'm trying to debug using the show command: On oama version 0.11.1 (out of current Arch AUR package):
and
|
Please, follow the instructions in the Issues section. You did not provide the required information. You need to provide the full output of In your case, the best is to do that twice. Once, immediately after the authorization while it works. Then get the printenv output again when oama has failed to renew. Also, indicate what kind of I can see why your oama fails to renew the By the way, @pablob127 did not send the full |
I am doing another test with the older version (I do not want to stop to change to the new one), extracting the refresh token from the keyring. In my case, it does not look like the refresh token is missing (I see it in the keyring), but it is somehow not working. I made a script so that Offlineimap has access to the refresh token and I am trying to see what happens. Once I see what happens, I will move to the newest version, try again and post back (with various 'printenvs', complete this time). |
Apologies, I haven't noticed the instructions. My prinenv is completely the
I have my own client_id produced following instructions https://help.sagecrm.com/on_premise/en/2022R1/Administration/Content/Administrator/EM_GetClientIdSecret-Gmail.htm And it is crucial to note it used to work with mailctl for a long time, up to the point Arch AUR switched to oama.
Alas, as I said, they are absolutely identical. |
Intresting, so something went wrong during the transition in at least two similar occasions. Have you cleaned your keyring up before switching to oama? Here are a few things to try, in a matrix as it makes sense ... debugging is fun.
Is the The other two things to test:
|
Quick check:
Where do I find thunderbird's client_id/secret to isolate this dependence? |
After some test, it looks like the problem is not oama but rather Offlineimap. When my version of Offlineimap (8.0.0, included in Debian Bookworm) gets an access token, once it expires it seems to just fail the authentication without trying to get a new access token. This happens even if you give it both an access token and a refresh one. It works well when giving Offlineimap a refresh token only. I ended up extracting the refresh token obtained by oama from the keyring, giving it to Offilineimap and it seems to work (we'll see for how long, I'm not sure what the validity of a refresh token is). One question: Would it make sense to add a command to oama to return the refresh token? Since the missing refresh token for Google seems to be different, I will close this issue leaving this for reference. Thanks a lot for your work! |
it to Offilineimap and it seems to work (we'll see for how long, I'm
not sure what the validity of a refresh token is).
In my experience, it must be very long.
One question: Would it make sense to add a command to oama to return
the refresh token?
There is one:
oama show <email>
|
I'm afraid I don't follow this explanation. My understanding is that offlineimap (as well as mbsync/isync I'm using) just calls I also suppose that I'm happy to test this issue further, the idea by @pdobsan I haven't tested yet was "Use, at least temporarily, a different client_id/secret, like thunderbird's" (if you could point where to find those).
|
That one would need some text processing to isolate the refresh token out of everything else. I was thinking more along the lines of a command like:
that would print to standard output only the refresh token (just like "oama access" does for the access token). |
That's what I thought, but I found out that when I started getting authentication errors Offlineimap was not calling the access token evaluation routine. There's probably an issue where the expiration time of the token does not match what the server believes to be the expiration time. I should go open an issue there, but I got it working with the refresh token and I don't have much time available lately. |
as well as mbsync/isync I'm using) just calls ```oama
access <email>``` that returns access token for offlineimap to use,
and during this operation, oama should also renew the token.
Yes that's the way it is supposed to work.
I also suppose that `oama authorize <service> <email>` should set up
the renew token as well. Am I missing something?
Correct.
I'm happy to test this issue further, the idea by @pdobsan I haven't
tested yet was "Use, at least temporarily, a different
client_id/secret, like thunderbird's"
Feel free to open a separate issue with that. My hunch is that the
problem is with your client_id/secret.
(if you could point where to find those).
You need to be a bit more resourceful. ;-)
(have a look at issue #43)
|
And you are absolutely right. With Thunderbird's client_id/secret, everything works as expected. This is a bit puzzling, as it used to work with mailctl until recently, anyway, all's well that ends well :). Thanks for your help as well as for this great tool! |
With Thunderbird's client_id/secret, everything works as expected.
This is a bit puzzling, as it used to work with mailctl until
recently, anyway, all's well that ends well :).
That puzzle could be incidental to your client_id/secret expiring around
this time. To register a stable id/secret pair is quite complicated and
time consuming. That is why I have not done it for `oama` yet.
|
I have a common problem: Offlineimap works well with oama and Microsoft, for a while, but once the access token expires it stops working. I looked at the other issues with this problem, but they did not seem to apply. I apologize if I missed something obvious there.
In a previous setup I had, Offlineimap has access to both the access and refresh token, and it could easily renew its access token and keep running uninterrupted for long times. I haven't found a way to make oama return the refresh token, and on its own it does not seem to be able to renew its access token. I even tried to do a manual renew by running "oama renew ",which seemed to be successful but did not seem to help the stuck Offlineimap.
Is oama supposed to do the access token renewal on its own? If so, why isn't it doing it? What am I doing wrong?
My streamlined config files are:
config.yaml:
services.yaml:
.offlineimaprc [relevant extract]:
offlineimap.py:
Thanks!
The text was updated successfully, but these errors were encountered: