Recurring TokenRefreshError() on Linux (using --no-gui)
Closed this issue · 4 comments
I have been using the proxy on Windows with Thunderbird and GMail for many years without issues. It works great.
Recently I decided to start using it for mutt on my headless Linux VPS, so I just copied the Windows config over to my Linux box and ran the proxy with --no-gui and --external-auth.
All was fine, I authenticated using external-auth, no problem. Initially seemed to work fine.
However consistently, about once every week, I get this in the log:
2025-05-30 19:11:37: Accepting new connection from 127.0.0.1:41612 to IMAP server at 127.0.0.1:1993 (unsecured) proxying imap.gmail.com:993 (SSL/TLS)
2025-05-30 19:11:38: Retrying login due to exception while refreshing access token for account xxxx@gmail.com (attempt 1): TokenRefreshError()
2025-05-30 19:11:39: Retrying login due to exception while refreshing access token for account xxxx@gmail.com (attempt 2): TokenRefreshError()
After an event like this both access_token and refresh_token are gone from the config file, and I have to reauthenticate manually using external-auth. This happens once per week. Three times so far.
Is this a bug? Is there a way to make it refresh the token properly?
Thank you.
Whenever this happens, the root cause is that you are trying to log in with a different password to the one you used when authenticating the account. With Thunderbird (and many other clients), the IMAP/POP password can be different to the SMTP one. Make sure both of these passwords are the same and the issue should stop.
If for whatever reason you can't do this you can set delete_account_token_on_password_error = False, but please note that this will make the protocol you are using the different password for fail.
Hi simon, it happened again. Exactly a week later. This time I had delete_account_token_on_password_error = False from your sugestion, but it still deleted the tokens.
I only log in with mutt, nothing else. The password to the proxy is hardcoded into the mutt config file, so the problem is not an incorrect password.
2025-06-08 18:49:00: Accepting new connection from 127.0.0.1:60792 to IMAP server at 127.0.0.1:1993 (unsecured) proxying imap.gmail.com:993 (SSL/TLS)
2025-06-08 18:49:02: Retrying login due to exception while refreshing access token for account xxxx@gmail.com (attempt 1): TokenRefreshError()
2025-06-08 18:49:05: Retrying login due to exception while refreshing access token for account xxxx@gmail.com (attempt 2): TokenRefreshError()
How can I debug this further?
The pattern is clear. It happens once every week. It appears Google is requiring a token refresh, but the proxy fails to do the refresh for some reason. Thank you.
Update: after two hours of troubleshooting with AI, it appears Google might have updated it's OAuth policy so that new refresh tokens now expire every 7 days, while old tokens have been grandfathered.
My app was in "Testing" mode, with a grandfathered token for my Thunderbird client on Windows, which explains why I never had a problem before.
But since I just added my Mutt client recently, it received one of these new 7-day expiring refresh tokens.
This seems to be the likely culprit. I published my OAuth app now. Let's hope the expiry issue is resolved this way.
Thanks for following up. I'm glad you've managed to find a likely culprit. Still, the proxy should renew the tokens regardless of their expiry time, so please do come back if you continue to experience this issue.