Correct usage of OAuth2 with GMail

Moderator: crythias

apathy
Znuny newbie
Posts: 6
Joined: 16 Feb 2023, 15:56
Znuny Version: 6.4.4
Real Name: Aleksej

Correct usage of OAuth2 with GMail

Post by apathy »

Hello! I'm using Znuny 6.4.4

I have a couple of issues:
1. After a successful authorization with Google:
TOKEN STATUS shows Token is valid until <manual authorization time shows here>. Not some time in the future, just 'right now already in the past'.
REFRESH TOKEN STATUS shows No refresh token was requested yet.
In an hour this message starts popping out in otrs.log:

    [Error][Kernel::System::OAuth2Token::GetToken][1174] Refresh token for token config with ID 5 has expired or is not present. Token must be retrieved manually via authorization code.

Why does it require to do it manually? How do I do it correctly?

2. In a week or so every single GMail OAuth2 record added throws an error when authorizing with a button "Request new token".

    Error requesting token for token config ID 1 with authorization code 'code-here'. Error: invalid_grant
    
    Please contact the administrator. 
    
    Backend ERROR: OTRS-CGI-99 Perl: 5.32.1 OS: linux Time: Tue Feb 14 15:49:59 2023
    
     Message: Error requesting token for token config ID 1 with authorization code 'code-here'. Error: invalid_grant
    
     RemoteAddress: address-here
     RequestURI: /otrs/get-oauth2-token-by-authorization-code.pl?state=TokenConfigID1&code=code-here&scope=https://mail.google.com/
    
     Traceback (197546): 
       Module: Kernel::Output::HTML::Layout::Error Line: 1038
       Module: Kernel::Output::HTML::Layout::ErrorScreen Line: 1019
       Module: Kernel::Modules::AdminOAuth2TokenManagement::_RequestTokenByAuthorizationCode Line: 120
       Module: Kernel::Modules::AdminOAuth2TokenManagement::Run Line: 53
       Module: Kernel::System::Web::InterfaceAgent::Run Line: 1144
       Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_get_2doauth2_2dtoken_2dby_2dauthorization_2dcode_2epl::handler Line: 52
       Module: (eval) (v1.99) Line: 207
       Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
       Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
       Module: ModPerl::Registry::handler (v1.99) Line: 32
This shows in otrs.log:

    [Fri Feb 17 08:50:09 2023][Error][Kernel::System::WebUserAgent::Request][246] Can't perform POST on https://oauth2.googleapis.com/token: 400 Bad Request
    [Fri Feb 17 08:50:09 2023][Error][Kernel::System::OAuth2Token::RequestTokenByRefreshToken][963] Response for request for token config with ID 4 and request type 'TokenByRefreshToken' was not '200 OK'. invalid_grant: Bad Request
    [Fri Feb 17 08:50:09 2023][Error][Kernel::System::OAuth2Token::GetToken][1187] Error requesting token by refresh token for token config with ID 4.
    [Fri Feb 17 08:50:09 2023][Error][Kernel::System::CommunicationLog::_LogError][535] CommunicationLog(ID:35416,AccountType:-,AccountID:-,Direction:Incoming,Transport:Email,ObjectLogType:Connection,ObjectLogID:35740)::Kernel::System::MailAccount::POP3S => OAuth2 token could not be retrieved.

Everything works fine in terms of sending and receiving emails, but I feel like it could break at any time.
How do I fix all of this?

Thank you!
Last edited by apathy on 22 Feb 2023, 17:48, edited 1 time in total.
root
Administrator
Posts: 3965
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Correct usage of OAuth2 with GMail

Post by root »

Hi

Does the user you used to obtain the token have full access to the fetched mailbox?

- Roy

Re: Correct usage of OAuth2 with GMail

Post by apathy »

Yes, the user has full access. And there're no issues with sending and receiving emails with Znuny.

Re: Correct usage of OAuth2 with GMail

Post by apathy »

We've found what's wrong.
Znuny's built-in "Google Mail" template for "Add a new OAuth2 token configuration based on the selected template." contains an error.

URL for token by refresh token should be https://accounts.google.com/o/oauth2/token instead of https://oauth2.googleapis.com/token

Issue reported: https://github.com/znuny/Znuny/issues/340
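
Added example (not part of the thread and not Znuny code): a Python sketch that scans otrs.log for the OAuth2 token errors quoted in the first post and groups them by token config ID, so refresh failures are noticed while mail still flows. The function names and finding labels are assumptions; the sample input is the set of log lines quoted in the first post.

```python
import re
from collections import Counter, defaultdict

# Layout seen in the thread: [timestamp][Severity][Module][line] message.
# The timestamp is optional because one quoted line was posted without it.
LINE_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\])?\[(?P<sev>\w+)\]\[(?P<module>[\w:]+)\]"
    r"\[(?P<line>\d+)\] (?P<msg>.*)$"
)
TOKEN_ID_RE = re.compile(r"token config with ID (\d+)")

# Message fragments copied from the quoted log lines -> label (labels are assumed names).
PATTERNS = [
    ("has expired or is not present", "manual_reauthorization_required"),
    ("invalid_grant", "refresh_rejected_invalid_grant"),
    ("Error requesting token by refresh token", "refresh_failed"),
]

def classify(msg):
    return next((label for fragment, label in PATTERNS if fragment in msg), None)

def summarize(lines):
    """Return ({token_config_id: Counter(label)}, count of failed mailbox fetches)."""
    per_token, mailbox_failures = defaultdict(Counter), 0
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["sev"] != "Error":
            continue
        msg = m["msg"]
        if "OAuth2 token could not be retrieved" in msg:
            mailbox_failures += 1  # this line carries no token config ID
            continue
        label, tid = classify(msg), TOKEN_ID_RE.search(msg)
        if label and tid:
            per_token[int(tid.group(1))][label] += 1
    return dict(per_token), mailbox_failures

# Sample input: the log lines quoted in the first post of this thread.
SAMPLE = [
    "[Error][Kernel::System::OAuth2Token::GetToken][1174] Refresh token for token config with ID 5 has expired or is not present. Token must be retrieved manually via authorization code.",
    "[Fri Feb 17 08:50:09 2023][Error][Kernel::System::WebUserAgent::Request][246] Can't perform POST on https://oauth2.googleapis.com/token: 400 Bad Request",
    "[Fri Feb 17 08:50:09 2023][Error][Kernel::System::OAuth2Token::RequestTokenByRefreshToken][963] Response for request for token config with ID 4 and request type 'TokenByRefreshToken' was not '200 OK'. invalid_grant: Bad Request",
    "[Fri Feb 17 08:50:09 2023][Error][Kernel::System::OAuth2Token::GetToken][1187] Error requesting token by refresh token for token config with ID 4.",
    "[Fri Feb 17 08:50:09 2023][Error][Kernel::System::CommunicationLog::_LogError][535] CommunicationLog(ID:35416,AccountType:-,AccountID:-,Direction:Incoming,Transport:Email,ObjectLogType:Connection,ObjectLogID:35740)::Kernel::System::MailAccount::POP3S => OAuth2 token could not be retrieved.",
]

if __name__ == "__main__":
    tokens, failed_fetches = summarize(SAMPLE)
    for token_id, findings in sorted(tokens.items()):
        print(f"token config {token_id}: {dict(findings)}")
    print(f"mailbox fetches failed for lack of a token: {failed_fetches}")
```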