Cannot get OAuth2 to work with Gmail

Upgraded to K-9 Mail 6.200 today on my Pixel 6 running Android 12. I use Gmail. Tried to switch from app-based password to OAuth 2.0 today, but this step in the FAQ does not happen as expected:

Afterwards you’ll be asked to grant K-9 Mail access to “Read, compose, send, and permanently delete all your email from Gmail”. Tap “Allow”.

Instead, my Google app opens to the following screen at that step:

None of the options there seem to trigger any sort of authorization for K-9 Mail. Any suggestions?

Odd. Is there anything special about your configuration? Do you have all browsers disabled? Are you using the app in an Android work profile? Anything else you can think of?

Nothing crazy that I can think of. Not a work profile, just a regular Google account, the same one my device is logged into. I don’t have any browsers disabled – not sure what that refers to? I use Chrome on my device. Phone and all apps are fully up-to-date.

I’ve been using K-9 Mail with this account and an app password for years. I was not having any problems with that method but was excited to try OAuth 2.0.

No matter what I try, it just opens the Google app to that account management screen.

I just thought of something – incoming mail is handled by my primary Gmail account, but outgoing mail is sent with a different Gmail account. I had not touched my outgoing server settings yet, but I just checked that and it was set to OAuth 2.0. I tried changing it back to password method (I use an app password), and it still redirected to the Google app, the same account management screen I attached above.

Is K-9 Mail trying to authenticate incoming and outgoing settings together, even though they are configured separately (and might not be identical, as in my case)?

Yes. OAuth tokens are currently associated with the account, not with a particular incoming/outgoing server.

Ah, that explains it.

I would suggest clarifying that somewhere (I didn’t see anything mentioned about this), and not permitting the app settings to let the user configure the incoming server as OAuth 2.0 and the outgoing server as something else.

Appreciate the the fast responses!

Still, the OAuth flow should open the browser, not the Google app. I don’t know what’s going on there.

When I look at the recent apps list, a browser window is being opened, but it’s immediately/transparently redirecting to the Google app.

Maybe it’s because of my account setup – I am logged into the device as the incoming account, but my outgoing account does not exist on this device? Does the authentication process check the outgoing email address configured in K-9 Mail even though it ignores the authentication choice?

I certainly do not have a “traditional” email setup, but I’m sure there are many users with something similar. (It’s the only workaround when you have an existing Gmail account and want to change your username a decade later without losing all of your data.)

Can you try adding the Gmail account that you use for your incoming server as a new account to K-9 Mail? Then do the same for the Gmail account that you use for the outgoing server. If there’s no difference in behavior, we can conclude that whether or not an account is set up on the device itself is irrelevant to the issue you’re experiencing.

I added a new account to K-9 Mail from scratch using my primary Google account (the account I receive mail on). This worked exactly as expected, I got the proper prompts and flow per the FAQ. It prompted me for permissions in a browser window.

I then added another new account to K-9 Mail from scratch using my other Google account (the account I send mail from). That directed me to the Google app screen I was initially receiving, not a browser window. I presumed that the intent was probably to have the user add the necessary account to the device from that screen. So I added it, and once that process completed, I was prompted to grant K-9 Mail the appropriate permissions.

So it appears that a user will only be directed to the proper Google permissions browser window if they are already signed into the device with that Google account. If they are signed into the device with a different account, the app will open to the screen I pasted above which is not-so-clearly asking the user to add the account to their device.

I’m not able to reproduce this on Android 12. I was able to add a Gmail account that was not added to the device. The Google app is installed, another Gmail account is added to the device, and the default browser is also Chrome.

Do you have 2FA enabled on that Google account you added (I do)? That’s the only other possibility for a different flow that I can think of. I can try it again and take a screen recording if you want, but not sure how much additional value that will add.

The account didn’t have 2FA enabled. But it still worked as expected when I enabled 2FA just now.