Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 888822 - Does not work with Google 2-factor authentication
Summary: Does not work with Google 2-factor authentication
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-online-accounts
Version: 19
Hardware: All
OS: All
unspecified
high
Target Milestone: ---
Assignee: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 874569 956446 960036 971607 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-19 15:14 UTC by Tommy He
Modified: 2015-12-11 13:10 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-09 15:59:14 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 688364 0 None None None Never

Description Tommy He 2012-12-19 15:14:48 UTC
Description of problem:
Account credential expires immediately if the 2-step verification is turned on for Google account.

The user who has Google 2-step verification enabled is unable to link with GNOME Online Account.

Version-Release number of selected component (if applicable):
gnome-online-accounts-3.6.2-1.fc18.x86_64

How reproducible:
100%

Steps to Reproduce:

Precondition: Properly config and enable 2-step verification in planned to set Google account.

1. Go to the Online Account module in g-c-c
2. Click Add New Online Account
3. Enter Google account name and password. According to the prompt, account password is used, not application specified password.
4. Enter the Verify Code displayed on SMS or Google Auth app on Android, depending on the method select during 2-step configuration process before.
5. Allow Gnome to access the listed Google account content.
6. Wait a while for account connection
  
Actual results:
An error displayed saying that account credential expires, please re-login.

The same error repeats in every following try of re-login.

Expected results:
Online account connects successfully. User doesn't need to re-login

Additional info:

Comment 1 Tommy He 2012-12-19 15:20:35 UTC
I may need to say that in GNOME 3.4 on Feodra 17, gnome-online-accounts can hold Google 2-step credential. This kind of infinite re-login issue isn't there.

Comment 2 Paolo Leoni 2013-01-13 15:13:45 UTC
No workaround is possible for this issue? 
It's a very annoying bug for those that are using 2-step verification system.

Comment 3 Matthew Saltzman 2013-01-18 01:31:12 UTC
Still present in gnome-shell-3.6.2-6.fc18.x86_64.

Comment 4 Ben Burleson 2013-01-22 17:12:18 UTC
This link may help for a short-term fix:
http://kparal.wordpress.com/2012/12/03/gnome-3-6-gnome-online-accounts-and-google-two-factor-authentication/

Comment 5 Matthew Saltzman 2013-01-22 19:54:17 UTC
If you just enter an application-specific password, the remote accounts app rejects it and demands your regular password.  I was going to suggest that accepting application-specific passwords seems like it would be the simplest fix.

Comment 6 Brian Johnson 2013-04-17 16:05:21 UTC
I just upgraded my desktop to Fedora 19 pre-alpha and it looks like this is still an issue in 3.8. I tried the steps Ben posted, but that doesn't seem to help. Is there an update for this?

Comment 7 Debarshi Ray 2013-09-18 12:39:28 UTC
This has been fixed in GNOME 3.10 which will make it to Fedora 20.

As explained in the GNOME bugzilla, the reason this did not work was because of evolution-data-server not being able to authenticate to Google Calendars using CalDAV and OAuth2. See https://bugzilla.gnome.org/show_bug.cgi?id=686804

Therefore, if you want a backport it has to start with evolution-data-server.

Comment 8 Debarshi Ray 2013-09-18 12:39:51 UTC
*** Bug 960036 has been marked as a duplicate of this bug. ***

Comment 9 Debarshi Ray 2013-09-18 12:43:48 UTC
*** Bug 874569 has been marked as a duplicate of this bug. ***

Comment 10 Debarshi Ray 2013-09-18 12:47:24 UTC
*** Bug 971607 has been marked as a duplicate of this bug. ***

Comment 11 Debarshi Ray 2014-04-09 15:57:36 UTC
*** Bug 956446 has been marked as a duplicate of this bug. ***

Comment 12 Juergen Schraten 2014-08-10 12:50:44 UTC
(In reply to Debarshi Ray from comment #7)
> This has been fixed in GNOME 3.10 which will make it to Fedora 20.
> 
> As explained in the GNOME bugzilla, the reason this did not work was because
> of evolution-data-server not being able to authenticate to Google Calendars
> using CalDAV and OAuth2. See
> https://bugzilla.gnome.org/show_bug.cgi?id=686804
> 
> Therefore, if you want a backport it has to start with evolution-data-server.

I'm on a newly installed and fully updated F20 with evolution-data-server 3.10.4 and *nothing* has changed. It's still the same problem.

- I created a new 2-step password an wrote it down (which is *not* the intention of 2-step-passwords, I guess)
- I create a GOA account, and the password is accepted
- Evolution shows mail account and calendar as supposed
- I log out and log in again
- I'm asked for the password but it is *not* accepted
- I delete my GOA account
- I delete the key in seahorse
- I log out and log in
- I create a new 2-stpe password
- I create a new GOA account
- I'm asked for the password, and it is accepted
- Evolution shows mail account and calendar as supposed
- I log out and log in
- I'm asked for the password, but it is *not* accepted
- ... [to be continued endlessly, even with changed oder of procedures]

Sorry to report this - but for me the bug is *not* closed.

Comment 13 Dennis Flaherty 2015-10-12 02:58:33 UTC
Similarly broken on gnome-online-accounts.x86_64 3.16.4.1-1.fc22.

1. Add a Google account: sign in with Google Email and Password, click Allow.
2. Witness that Credentials have already expired.
3. Remove Google account.
4. Rinse and repeat.

Because this is broken, I cannot add my Google account address book to Evolution's Contacts, because Evolution is otherwise uses a deprecated and now unavailable API to get it: "The requested resource was not found: https://developers.google.com/accounts/docs/AuthForInstalledApps".

This bug is not closed.


Note You need to log in before you can comment on or make changes to this bug.