Author Topic: Version 1.14.0-750-dev - "work in progress", not in Google Play  (Read 8537 times)

swregs

  • Newbie
  • *
  • Posts: 7
Re: Version 1.14.0-750-dev - "work in progress", not in Google Play
« Reply #15 on: February 09, 2018, 06:24:56 pm »
Currently AquaMail is helpful in that the main screen identifies which one or more accounts are having an issue.  And I believe the login error notification identifies the account to which it applies.  I have used/seen some mail apps that flag a login error and you can't tell which account is having the problem until it hands off to the OAuth flow and you see the branding (if configured) for the tenant (and if you have more than one account at that same tenant then good luck).
Also, I think the AquaMail main screen currently shows transient errors like connectivity issues, as I have seen on misc occasions one or more of my Office 365 accounts flag a warning.  Those fix themselves on their own or if I click the account to force an immediate refresh.

One possibility for the re-auth "flow":
- instead of generic login error, in the main window account list for the account entry or the account specific notification indicate something like "Re-authentication is requested."
- user clicks on account from main window list or clicks the notification
- immediately goes to server provided OAuth flow (enter password and possible MFA)
- if completed successfully, drop into message list for the account so I can see what I may have missed while access was disrupted (although I can imagine some might prefer when the notification was used to satisfy re-auth that the app just returns to the background)

Other observations:
- For me, getting a re-prompt for permissions during the OAuth flow tends to make me go down the path of "why have the permissions changed since I originally allowed the app access"
- If a re-auth was requested by the server, but not resolved/ignored in AquaMail, a person's conditional access situation may have changed before they do the re-auth (like they got back to their office that is whitelisted to not require MFA); in this case I'm not sure if an interactive re-auth is still needed
- Does the error code / response code from the auth server allow ability to distinguish if the need is a requested re-auth vs permanent auth failure (aka will require intervention of IT, like to re-enable account, re-attest authenticity of device, etc)

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Version 1.14.0-750-dev - "work in progress", not in Google Play
« Reply #16 on: February 09, 2018, 07:28:27 pm »
Well there are apps that don't report login errors at all :)

I just tried revoking Aqua Mail's permission from my account and when the app tried to refresh the token the next time, it got this:

{
  "error": "invalid_grant",
  "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '906be9aa-2843-47e6-a01d-ab9361ca7009' named 'Aqua Mail'. Send an interactive authorization request for this user and resource."
}

... which does match what I did, but I'm not sure if the error would be different in your case (password expiration).

The "error" is the only thing we can count on (machine readable).

The "error_description" key is optional, so it would be a bad idea to try to parse that.

Re: instead of generic login error, in the main window account list for the account entry or the account specific notification indicate something like "Re-authentication is requested."

I'll try to make it be our already existing "please grant permission" message instead of the current "http 401".

But then again I don't know what exactly happens (what errors at what point) in your case.

Re: user clicks on account from main window list ... immediately goes to server provided OAuth

Click on account seems questionable (what if the user needs to read an already received message).

Clicking the error does run the account setup screen already.

---

On other observations:

If the password having expired causes the OAUTH refresh token to also expire - we'll need to get a new one, and this is done by running the login flow (the "login.microsoftonline.com..." in a window).

If that login flow does not require MFA specifically when the device is connected to the corporate network - sure, great, but that's "inside" that login flow and isn't controlled by our code.

We could try to remove the "consent" parameter to try to avoid the repeat permissions request - but I don't have enough info to know that this would work (and not prevent logins at all) with any degree of confidence.

---

Summary:

The only change I'm going to make right now is a special case for http 401 when there is OAUTH in use, and assume that the user needs to grant permission (our current error message for OAUTH errors).



Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/
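As an added illustration of the two points above (only the machine-readable "error" key drives the decision, and an HTTP 401 from the mail server while OAuth is in use is treated as "please grant permission"), here is a small classifier; it is example code written for this thread, not Aqua Mail's own code, and the Action names and the status-code thresholds are assumptions.

```python
import json
from enum import Enum


class Action(Enum):
    """What the app should tell the user to do (names are assumptions)."""
    REAUTHORIZE = "please grant permission / run the login flow again"
    APP_CONFIG = "client registration problem, needs the developer"
    RETRY = "transient, retry later"
    UNKNOWN = "generic login error"


# RFC 6749 section 5.2 error codes a token refresh can return.
# invalid_grant covers an expired, revoked or otherwise invalid refresh
# token, which is exactly the "consent revoked" case shown in the thread.
_GRANT_ERRORS = {"invalid_grant"}
_CLIENT_ERRORS = {"invalid_client", "unauthorized_client"}


def classify_refresh_response(status: int, body: str) -> Action:
    """Map a token-endpoint refresh response to a user-facing action.

    Only the required 'error' key is inspected. 'error_description' is
    optional free text (the AADSTS... message) and is never parsed.
    """
    if status >= 500:
        return Action.RETRY            # server-side trouble, not the user's fault
    try:
        payload = json.loads(body)
    except ValueError:
        return Action.UNKNOWN          # not JSON at all: fall back to a generic error
    code = payload.get("error")
    if not isinstance(code, str):
        return Action.UNKNOWN          # 'error' missing: nothing machine-readable to act on
    if code in _GRANT_ERRORS:
        return Action.REAUTHORIZE
    if code in _CLIENT_ERRORS:
        return Action.APP_CONFIG
    return Action.UNKNOWN


def classify_mail_server_status(status: int, oauth_in_use: bool) -> Action:
    """The special case from the summary: HTTP 401 + OAuth => ask to re-grant."""
    if status == 401 and oauth_in_use:
        return Action.REAUTHORIZE
    return Action.UNKNOWN
```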

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Version 1.14.0-750-dev - "work in progress", not in Google Play
« Reply #17 on: February 09, 2018, 08:12:08 pm »
In addition, I filed a task for "tap login error notification -> go directly to account setup screen" to reduce the number of taps it takes to re-approve an OAUTH account.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Version 1.14.0-750-dev - "work in progress", not in Google Play
« Reply #18 on: February 09, 2018, 09:33:52 pm »
The change for better error message ("please grant permission" instead of the generic "http 401") is included in this build:

https://www.aqua-mail.com/forum/index.php?topic=6392.0