Bug 402973

Summary: Changing Google password results in no access
Product: [Frameworks and Libraries] libkgapi Reporter: Ovidiu-Florin BOGDAN <kde.kfoar>
Component: GeneralAssignee: Daniel Vrátil <dvratil>
Status: REPORTED ---    
Severity: normal CC: auxsvr, brendon, dvratil, ephemient, kishore96
Priority: NOR    
Version: GIT   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Ovidiu-Florin BOGDAN 2019-01-07 14:41:21 UTC 
SUMMARY
With an Google account (GMail) set-up in KMail, if the password changes, a non-related error is thrown and the email access is interrupted.

STEPS TO REPRODUCE
1. Set-up GMail account in KMail, using the OAuth access (the web login thingy)
2. Ensure the account is set-up and working
3. Change the password from that account

OBSERVED RESULT
* Account get's disconnected - Shown in Folder list next to account name)
* Error in Account incomming settings -> "Password could not be read: user rejected access to the wallet"

EXPECTED RESULT
* An authentification error to be thrown
* A prompt to re-do the login


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora 29 KDe
(available in About System)
KDE Plasma Version: 5.14.4
KDE Frameworks Version: 5.53.0
Qt Version: 5.11.1
Comment 1 Daniel Vrátil 2019-01-07 14:46:49 UTC 
I think I have a suspicion as to what happens, but I have not confirmed it and haven't checked the code either, so this is just an educated guess:

When you change account password Google likely expires both the Access token and the Refresh token - the code may not be ready to handle invalid Refresh token and just keeps trying to get a new Access token using the - now invalid - Refresh token instead of throwing both away and showing the Google login dialog to receive a new pair.
Comment 2 Ovidiu-Florin BOGDAN 2019-01-07 15:03:11 UTC 
A workaround from Daniel Vrátil:

* Open KWallet
* find the LibKGAPI entry
* under Mappings you have a "apps.googleusercontent.com entry"; select it
* in the right pane you'll see an entry for your Google accounts
* remove the entry for the account that you want to trigger the login again

* exit KMail (Kontact)
* stop akonadi (from a terminal, run: akonadictl stop)
* start KMail
* you should be prompted for a login for that account
* if you are not prompted, check if the account is in "(Disconnected)" state in the directories list and if so, trigger an update on the root directory for the account in question.
Comment 3 Brendon Higgins 2022-07-05 13:57:25 UTC 
The workaround worked for me only after I noticed that I also had to click the "Save" button after deleting the entry in KWalletManager (whoops).

I did also want to point out that the "user rejected access to the wallet" error message is *highly* misleading and confusing in this situation. I was scratching my head for a couple of hours on that one until I managed to see Akonadi's console output say
org.kde.kgapi: Bad request, Google replied ' "{\n  \"error\": \"invalid_grant\",\n  \"error_description\": \"Token has been expired or revoked.\"\n}" '
I would suggest (as this case shows) that an error below the wallet subsystem does not necessarily imply any choice or action on the user's part. So that error message could be phrased better (or there could be more fidelity in the error responses flowed back up the stack)...