SUMMARY I find it impossible to configure an institutional gmail-based IMAP account, or even a regular gmail account on Akonadi/KMail. Response message is always "failed to authenticate additional scopes". STEPS TO REPRODUCE 1. Create a new IMAP account. 2. Server: imap.gmail.com. 3. Settings: SSL/TLS. Port: 993. Authentication (Plain/XOAuth, both fail). OBSERVED RESULT Failure notification with the message "failed to authenticate additional scopes". If I start Akonadi from the command line, I can see the following message: org.kde.kgapi: Bad request QUrl("https://accounts.google.com/o/oauth2/token?prettyPrint=false") , Google replied ' "{\n \"error\": \"invalid_grant\",\n \"error_description\": \"Bad Request\"\n}" ' EXPECTED RESULT - Some login window for Google on the browser should appear, and then I would expect IMAP to download my emails and work as usual. SOFTWARE/OS VERSIONS Windows: macOS: (available in the Info Center app, or by running `kinfo` in a terminal window) Linux/KDE Plasma: KDE Neon 6.3 KDE Plasma Version: 6.3.5 KDE Frameworks Version: 6.14.0 Qt Version: 6.9.0 ADDITIONAL INFORMATION The account was working properly till mid-May 2025 with PLAIN authentication. It is an institutional googlemail account without support for 2FA.
can you try using manual configuration instead of the wizard? On the "Add" button you'll see a dropdown menu where you can choose to add a Custom Account. try that one. Also see https://userbase.kde.org/KMail/FAQs_Hints_and_Tips#Configure_GMail_without_OAuth
Thanks for your reply! I indeed have used the manual configuration, since the wizard does not work with my institutional google mail account. The problem persists no matter the authentication option I choose. Finally, the link to the userbase to configure Gmail without OAuth seems to be outdated, as "Less secure apps" are no longer admitted by Google.
Do you happen to have Google Calendar sync in Korganizer set up for the same account as well? I think what happens here is that we try to just reuse the original tokens for calendar and extend their scope to allow access to Gmail as well and it fails with the invalid_grant error and we do not recover from that correctly. I'll take a look at fixing this in the code, in the meanwhile you can try to delete any Google-related credentials from KWallet and try to add the Gmail account first.
Thanks Daniel! I removed all credentials from kwallet, and also the imap account from akonadi/kmail. Then, when I create it again, the browser correctly opens the google-signing page, and I can grant all the permissions. But then, mail cannot be synced. All I can see in the logs is the following: org.kde.pim.kimap: sasl_client_start failed with: -4 "SASL(-4): no mechanism available: No worthy mechs found"
Make sure you have the SASL_PATH environment variable set: export SASL_PATH=/usr/lib/x86_64-linux-gnu or wherever libkdexoauth2.so is installed on neon
Many thanks, Allen, I managed to make it work!! This is what I did (I have a standard Neon user edition installation): 1. Create a new script in ~/.config/plasma-workspace/env named 'sasl_path.sh' with the following content. export SASL_PATH=/usr/lib/x86_64-linux-gnu/sasl2 2. Create a new symlink in /usr/lib/x86_64-linux-gnu/sasl2 since libkdexoauth2.so didn't exist: cd /usr/lib/x86_64-linux-gnu/sasl2 sudo ln -s libkdexoauth2.so.3 libkdexoauth2.so Now IMAP connects and all the emails are properly downloaded using XOAuth authentication.
I think you should create bug against KDE Neon reporting that the SASL_PATH should be set for regular users who install pim.
moving this back to Akonadi since there is a bug with the google tokens stuff
(In reply to Allen Winter from comment #7) > I think you should create bug against KDE Neon reporting that the SASL_PATH > should be set for regular users who install pim. Done (https://bugs.kde.org/show_bug.cgi?id=505656), many thanks for the support!
I *think* I am hitting this bug, but I'm not 100% sure. I'm using Neon. It has the /etc/xdg/plasma-workspace/env/neon_sasl_path.sh fix deployed on disk. I have a Google account working via IMAP and "app passwords" until a few days ago, then it just stopped syncing. I try to create a new IMAP resource using using manual configuration. I leave the password blank, and select "XOAuth" in the authentication drop-down. I hit OK and no browser opens. Then, later, I see a notification that says: Resource joshua-gws-imap is broken. Failed to authenticate additional scopes Also, if I try the "Auto Detect" button, it says it can't connect to the server. BTW, all works fine in Thunderbird with the app password. How else may I help you debug? :)
(In reply to Joshua J. Kugler from comment #10) > Resource joshua-gws-imap is broken. > Failed to authenticate additional scopes It also constantly complains about an empty password for the resource.
I'm seeing this in the Akonadi logs: org.kde.kgapi: Bad request QUrl("https://accounts.google.com/o/oauth2/token?prettyPrint=false") , Google replied ' "{\n \"error\": \"invalid_grant\",\n \"error_description\": \"Bad Request\"\n}" ' Apparently something is wrong on the KDE side? Did our cert/grant expire a couple weeks ago? But: this doesn't explain why I can't just use my app password, which is really odd.
What does `echo $SASL_PATH` say?
$ echo $SASL_PATH /usr/lib/x86_64-linux-gnu/sasl2 $ ls -l /usr/lib/x86_64-linux-gnu/sasl2/ total 384 lrwxrwxrwx 1 root root 22 Aug 8 2024 libanonymous.so -> libanonymous.so.2.0.25 lrwxrwxrwx 1 root root 22 Aug 8 2024 libanonymous.so.2 -> libanonymous.so.2.0.25 -rw-r--r-- 1 root root 18808 Aug 8 2024 libanonymous.so.2.0.25 lrwxrwxrwx 1 root root 20 Aug 8 2024 libcrammd5.so -> libcrammd5.so.2.0.25 lrwxrwxrwx 1 root root 20 Aug 8 2024 libcrammd5.so.2 -> libcrammd5.so.2.0.25 -rw-r--r-- 1 root root 22904 Aug 8 2024 libcrammd5.so.2.0.25 lrwxrwxrwx 1 root root 22 Aug 8 2024 libdigestmd5.so -> libdigestmd5.so.2.0.25 lrwxrwxrwx 1 root root 22 Aug 8 2024 libdigestmd5.so.2 -> libdigestmd5.so.2.0.25 -rw-r--r-- 1 root root 64256 Aug 8 2024 libdigestmd5.so.2.0.25 lrwxrwxrwx 1 root root 16 Aug 8 2024 libgs2.so -> libgs2.so.2.0.25 lrwxrwxrwx 1 root root 16 Aug 8 2024 libgs2.so.2 -> libgs2.so.2.0.25 -rw-r--r-- 1 root root 39080 Aug 8 2024 libgs2.so.2.0.25 lrwxrwxrwx 1 root root 21 Aug 8 2024 libgssapiv2.so -> libgssapiv2.so.2.0.25 lrwxrwxrwx 1 root root 21 Aug 8 2024 libgssapiv2.so.2 -> libgssapiv2.so.2.0.25 -rw-r--r-- 1 root root 43616 Aug 8 2024 libgssapiv2.so.2.0.25 lrwxrwxrwx 1 root root 22 Aug 14 17:19 libkdexoauth2.so.3 -> libkdexoauth2.so.3.0.0 -rw-r--r-- 1 root root 18912 Aug 14 17:19 libkdexoauth2.so.3.0.0 lrwxrwxrwx 1 root root 18 Aug 8 2024 liblogin.so -> liblogin.so.2.0.25 lrwxrwxrwx 1 root root 18 Aug 8 2024 liblogin.so.2 -> liblogin.so.2.0.25 -rw-r--r-- 1 root root 22904 Aug 8 2024 liblogin.so.2.0.25 lrwxrwxrwx 1 root root 17 Aug 8 2024 libntlm.so -> libntlm.so.2.0.25 lrwxrwxrwx 1 root root 17 Aug 8 2024 libntlm.so.2 -> libntlm.so.2.0.25 -rw-r--r-- 1 root root 39288 Aug 8 2024 libntlm.so.2.0.25 lrwxrwxrwx 1 root root 18 Aug 8 2024 libplain.so -> libplain.so.2.0.25 lrwxrwxrwx 1 root root 18 Aug 8 2024 libplain.so.2 -> libplain.so.2.0.25 -rw-r--r-- 1 root root 22904 Aug 8 2024 libplain.so.2.0.25 lrwxrwxrwx 1 root root 19 Aug 8 2024 libsasldb.so -> libsasldb.so.2.0.25 lrwxrwxrwx 1 root root 19 Aug 8 2024 libsasldb.so.2 -> libsasldb.so.2.0.25 -rw-r--r-- 1 root root 34880 Aug 8 2024 libsasldb.so.2.0.25 lrwxrwxrwx 1 root root 18 Aug 8 2024 libscram.so -> libscram.so.2.0.25 lrwxrwxrwx 1 root root 18 Aug 8 2024 libscram.so.2 -> libscram.so.2.0.25 -rw-r--r-- 1 root root 48280 Aug 8 2024 libscram.so.2.0.2 But I don't even get to here: org.kde.pim.kimap: sasl_client_start failed with: -4 "SASL(-4): no mechanism available: No worthy mechs found" I have the issue in the original bug report where the browser doesn't open to get the oauth token. I've tried clearing all the old passwords, and creating a new IMAP account. I never get a browser to authorized KMail.
good, the env var is correct. do you have an appropriate mapping in kwalletmanager - LibKGAPI -Maps - *******.apps.googleusercontent.com ??
I did have one, yes. I deleted my IMAP account, deleted the LibGAPI mapping, and tried recreating the IMAP account again. I set the auth method to XOauth, and hit "OK." This time, it opened a browser to authenticate. Successfully authenticated. IMAP account still does not show up in the left hand column of Kmail. Map is back in LibKGAPI *Does* show up in the "check mail" drop down. Nothing happens when I try to check mail on the new account. Restarted KMail. Same thing. Restarted Akonadi, same thing. I'm getting a notification that no password was found for the new IMAP account. I'm not sure what else to try.
okay i can repro this in a vm - investigating
apologies to everybody. this was a packaging error, libkdexoauth2.so was mistakenly put into the kpim6-libkgapi-dev package, hence why everything worked on some installations that had this installed but not on others that didn't. has been rectified in git and updated packages are being pushed to all editions
It's working. Thank you so much!
I *do* still get a message every now and then about the IMAP resource password being empty, but it doesn't seem to prevent things from working.
Yeah, have seen those as welI, think they are old config from deleted accounts.
Oh, wait...I think that might have been another IMAP account that I still have locally, but *is* dead. I don't think I've seen any errors about "akonadi_imap_resource_XXX" has a blank password. Thanks again for diving in and debugging this!