Sign in with Google - reauth: bug or feature?

Sorry if this is a duplicate; I skimmed the topics and FAQ and didn’t see any.

k9 6.400, using the ‘new’ Gmail auth for the first time, which redirects the user to sign in to Google in a browser and grant k9 permission. Worked like a charm, but what I hadn’t expected: approx. a week or two into using this, I got an auth error from k9, followed by logging in to Google and granting the same permission a second time.

Now what I would like to know is whether this is intentional, i.e. a short expiry set by Google or by k9 as the app owner, or a bug triggered by e.g. some unexpected connectivity issue mid-handshake.

Since I am also using a rooted device this time, I wouldn’t mind hearing about exploit probability or existing reported exploits, i.e. I’d like to learn to rate the risk that such a re-auth could be or has been provoked and used to obtain access.

Potentially the same as “Notification that authentication has failed, but checking the settings shows nothing wrong”, only that I went through the Google permission-granting process a second time and hence cannot say whether retrying later would have worked. If this turns out to be merely a connection/timeout issue, then perhaps k9 shouldn’t kick users straight to granting the permission.

I just checked on my Google account: I granted k9 permission today and 10 days ago, but, luckily, there is only one app authorization resulting from it. Unless this is really an expiry feature, which I do not believe it is and there is no mention of, k9 should learn to be more patient with its own and third-party timeouts and retries, since teaching users to repeat authorization steps that only need to be done once would be playing into the hands of social engineering and phishing.

Another possibility would be Google’s security infrastructure spotting something out of the ordinary and asking for a challenge to be answered correctly. Who knows.

Did you possibly change your Google site password? I suspect that would force a “recertification” of your OAuth2 credential. [I know that if you changed your site password, all your app passwords had to be reset.]

@rich_osborne – you may want to delete your “contacts/2 sim” question from this topic, as it is off topic here and you have started a new one for it.


‘Who knows’ would translate as ‘how would you know’. IMAP login used to return a long failure string when Google was unhappy; it was a little hard to read in full IIRC, but you could tell what was happening.

Also, I would have expected a security notification in that case, and it would not make sense, from the perspective of a security lockout, that a renewed app permission coming from the same IP and device could circumvent it.

Lastly, if that was the case (it most probably wasn’t), then k9 should still show me what Google is unhappy about, not jump to repeating the riskiest step in the entire XOAUTH design (obtaining an initial secret).
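The two things the posts above argue about, what Gmail actually tells an IMAP client when it rejects an XOAUTH2 token and when a client is justified in sending the user back through browser consent, in working code. This is an added example, not code from any poster or from K-9 itself. The wire formats (the XOAUTH2 initial client response and the `+ <base64 JSON>` rejection line) follow Google's XOAUTH2 documentation and the token-endpoint error codes follow RFC 6749 §5.2; the decision policy, the function names and the sample data are my own constructions.

```python
import base64
import json
from typing import Optional


def xoauth2_client_response(user: str, access_token: str) -> str:
    """Build the SASL XOAUTH2 initial client response sent with
    'AUTHENTICATE XOAUTH2' (format per Google's XOAUTH2 docs):
    base64("user=" + user + ^A + "auth=Bearer " + token + ^A + ^A)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2_client_response(b64: str) -> tuple:
    """Inverse of xoauth2_client_response, handy when reading a captured
    IMAP session. Returns (user, access_token)."""
    raw = base64.b64decode(b64).decode("utf-8")
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    return fields["user"], fields["auth"].split(" ", 1)[1]


def parse_xoauth2_rejection(reply: bytes) -> Optional[dict]:
    """Gmail answers a rejected bearer token with a SASL continuation line
    '+ <base64 JSON>' whose JSON carries 'status', 'schemes' and 'scope'.
    Return that JSON as a dict, or None when the line is anything else
    (tagged NO/BAD, untagged BYE, a truncated read, ...)."""
    if not reply.startswith(b"+ "):
        return None
    try:
        payload = base64.b64decode(reply[2:].strip(), validate=True)
        info = json.loads(payload)
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    return info if isinstance(info, dict) else None


def classify_imap_failure(reply: bytes) -> str:
    """'token_rejected' when the server sent a structured XOAUTH2 rejection
    (the access token itself is bad or expired); 'transient' otherwise, since
    nothing says the grant is invalid and the client should back off and retry."""
    return "token_rejected" if parse_xoauth2_rejection(reply) is not None else "transient"


def classify_refresh_error(error: Optional[str]) -> str:
    """Map the token endpoint's answer to a client action. `error` is the
    RFC 6749 section 5.2 'error' code, or None when the refresh succeeded.
    Policy (my suggestion, not K-9's code): only invalid_grant, which Google's
    token endpoint returns when the refresh token was revoked or expired,
    justifies sending the user back through browser consent."""
    if error is None:
        return "use_new_access_token"
    if error == "invalid_grant":
        return "reauthorize"
    if error in ("temporarily_unavailable", "server_error"):
        return "retry_later"
    return "show_error"  # invalid_client, invalid_request, ...: re-consent would not help


# Constructed sample data (not a real capture): the rejection Gmail would send
# for an expired token, base64 of Google's documented JSON body, and a dropped
# connection that carries no information about the grant at all.
SAMPLE_REJECTION = b"+ " + base64.b64encode(json.dumps(
    {"status": "400", "schemes": "Bearer", "scope": "https://mail.google.com/"}).encode())
SAMPLE_DROPPED_CONNECTION = b"* BYE Connection closed by remote host"

if __name__ == "__main__":
    print(xoauth2_client_response("someuser@example.com", "ya29.constructed-token"))
    print(classify_imap_failure(SAMPLE_REJECTION))          # token_rejected
    print(classify_imap_failure(SAMPLE_DROPPED_CONNECTION)) # transient
    print(classify_refresh_error("invalid_grant"))          # reauthorize
    print(classify_refresh_error("temporarily_unavailable"))  # retry_later
```

The point of the two-stage classification is the one the thread is circling: a rejected access token is routine (they are short-lived) and is cured silently with the stored refresh token; only an `invalid_grant` answer to that refresh means the authorization itself is gone, and only then does the browser consent step, the step that hands out the long-lived secret, need repeating. Anything else, a dropped connection included, is retried or shown to the user.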