Showing results for 
Show  only  | Search instead for 
Did you mean: 
Strollin' around
Status: New idea

In Thunderbird with basic authentication (username/password) you can choose to remember the password or not.

But OAuth2 tokens are automatically saved in Thunderbird. While this is very convenient as long as you have Thunderbird open, I would like to see an option to tell Thunderbird to automatically remove OAuth2 tokens on exit.

I know you can also use app passwords, but that's not what I want. I want to login everytime Thunderbird is opened using OAuth (including MFA), hence the need to remove the tokens on exit.

Thank you for considering this.

Status changed to: New idea
Community Manager
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

Familiar face

If you remove the token you will be going through the entire oauth authorisation process on every start.  Your provider will have remembered the authorisation,  But Thunderbird will not have.  I really do not see much advantage in forcing yourself to go through multiple pages of authorisations for each start and each account.

However, you can use a batch file to simply delete all the stored passwords files on exit each time to try out how much fun it is.  Delete if they exist logins.json, key3.db, key4.db and  signons.sqlite  Some of those files are obsolete but may well still be present.

Strollin' around

For security ofcourse.

If you can login somewhere, you should also be able to logout. As Thunderbird does not have a logout option, removing the token is the next best thing.

And of course I can write a script for that, but I shouldn't have to. For basic authentication, Thunderbird does not remember my login credentials and does not log me in automatically. I want the same for OAuth authentication.

And I don't mind authenticating every time. That is exactly what I want. It's a small price to pay for added security.

New member

I agree with @DonGaz that for certain important email accounts, forcing a login when starting Thunderbird is desirable. If someone has brief access to my laptop it's too easy to request a password reset for some website, fire up Thunderbird and and receive the password reset link.

Following @MattAuSupport's suggestion I created a batch file Thunderbird.cmd and started it with a desktop icon with the command below avoiding the black cmd.exe window.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "start Thunderbird.cmd -WindowStyle Hidden"

The Thunderbird.cmd file contains this:

@echo off
rem We don't save new logins in thunderbird so we copy a good saved logins file
rem over the current one and a good cookies database file over the current one

set tbpdir=C:\Users\MyUser\AppData\Roaming\Thunderbird\Profiles\xyz12345.default-release
set loginsf=%tbpdir%\logins.json
set loginsfg=%tbpdir%\logins_good.json
set cookiedb=%tbpdir%\cookies.sqlite
set cookiedbg=%tbpdir%\cookies_good.sqlite
set tbexe=%ProgramFiles(x86)%\Mozilla Thunderbird\thunderbird.exe

cd /D %tbpdir%
copy /Y %loginsfg% %loginsf% > NUL
copy /Y %cookiedbg% %cookiedb% > NUL
start "" /WAIT "%tbexe%"
timeout /T 3 /NOBREAK
copy /Y %loginsfg% %loginsf% > NUL
copy /Y %cookiedbg% %cookiedb% > NUL

To use this you must set variable tbpdir  to your own thunderbird profile directory. Also in the thunderbird GUI delete saved passwords and cookies until you are getting prompted to login to the account in question when starting thunderbird. Do not login and quit thunderbird. Copy logins.json to logins_good.json and copy cookies.sqlite to cookies_good.sqlite.

This way everytime you start thunderbird your saved passwords are in the same good state where the critical email account you use to receive password reset links is the only one requiring a login.