Using OAuth2 with Thunderbird and Gmail

To use Thunderbird with your Gmail account, Google will tell you that you must allow “Insecure apps” in your Google security settings. However, Thunderbird has supported OAuth2 with Gmail since version 38, so you don’t have to enable “Insecure apps”. Google just doesn’t tell you that.

Here I will show you how to change the authentication method on existing accounts from a saved password to OAuth2, which uses a key (an access token) instead. OAuth2 gives an app controlled access to only the set of features that you allow. In this case that will be just your emails, not your entire Google account, which is what the saved password gives access to now.

Once you start the process, you won’t be able to use the email account within Thunderbird until you complete it.

Change settings to OAuth2

In Thunderbird, go to Account Settings in the menu. Under the Gmail account that you want to enable OAuth2 for, go to Server Settings. Select OAuth2 from the drop-down menu next to Authentication method.

Set in account settings

Do the same for sending mail: go to Outgoing Server on the left side, select the Gmail account, and select OAuth2 from the drop-down menu next to Authentication method.

Save the changes by hitting OK.

Remove saved passwords

Now that we’ve made the changes, we need to remove the saved passwords. Otherwise Thunderbird may keep trying to use the old passwords. Go to your saved passwords at Preferences > Security > Saved Passwords.

Open this up and remove any entries related to this Gmail account for incoming and outgoing passwords. There should be two.


Next, restart Thunderbird.

Get the OAuth2

When Thunderbird starts back up, it will show you a prompt for your password. This is actually a web portal that is asking for your user name and password to log in, so you can grant access to Thunderbird.

Go ahead and log in.

Once you have logged in, Google will ask for your permission to allow Thunderbird to access your emails.

Click “Allow” (otherwise this will have all been for nothing…)

And you’re done! Doing this once will enable both the incoming and outgoing emails to work.
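To confirm that both the incoming and the outgoing Gmail server were really switched, you can read the profile's prefs.js, where Thunderbird stores the Authentication method as a number (10 is OAuth2). This is an added example, not part of the original post; the function names are hypothetical, the sample prefs are constructed, and it assumes the usual `mail.server.*` and `mail.smtpserver.*` pref names.

```python
import re

# Thunderbird's numeric code for the OAuth2 authentication method.
OAUTH2 = "10"
GOOGLE_SUFFIXES = (".gmail.com", ".googlemail.com")

# Matches lines such as: user_pref("mail.server.server1.authMethod", 10);
PREF_RE = re.compile(
    r'user_pref\("mail\.(server|smtpserver)\.(\w+)\.(hostname|authMethod)",'
    r'\s*"?([^");]+)"?\);'
)

def audit_prefs(text):
    """Return {(kind, server_id): (hostname, uses_oauth2)} for Google servers."""
    servers = {}
    for kind, sid, key, value in PREF_RE.findall(text):
        servers.setdefault((kind, sid), {})[key] = value
    report = {}
    for ident, prefs in servers.items():
        host = prefs.get("hostname", "")
        if host.endswith(GOOGLE_SUFFIXES):
            # No authMethod line means the default applies; treated as not OAuth2.
            report[ident] = (host, prefs.get("authMethod") == OAUTH2)
    return report

def still_using_password(text):
    """Hostnames of Google servers that are not set to OAuth2."""
    return sorted(host for host, ok in audit_prefs(text).values() if not ok)

# Constructed sample: incoming was switched, outgoing was forgotten.
SAMPLE_PREFS = '''
user_pref("mail.server.server1.hostname", "imap.gmail.com");
user_pref("mail.server.server1.authMethod", 10);
user_pref("mail.server.server2.hostname", "mail.example.org");
user_pref("mail.server.server2.authMethod", 3);
user_pref("mail.smtpserver.smtp1.hostname", "smtp.gmail.com");
user_pref("mail.smtpserver.smtp1.authMethod", 3);
'''

if __name__ == "__main__":
    for (kind, sid), (host, ok) in sorted(audit_prefs(SAMPLE_PREFS).items()):
        print(f"{kind}.{sid} {host}: {'OAuth2' if ok else 'NOT OAuth2'}")
```

An empty result from `still_using_password` on your own prefs.js means no Gmail server entry is left on password authentication.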

Turn off “Allow insecure apps”

If Thunderbird was the only application that was logging in with your password, you should be able to go into your Google account security settings and change “Allow Insecure Apps” to off.

If it wasn’t, there’s nothing to worry about: if any other app tries to use a password to log in, you’ll get notified, and then you can decide to turn it back off or fix the setup for that app. (Logging in to Gmail itself with your password doesn’t count in this case; that will always be enabled.)


It was really annoying of Google to require the OAuth2 method while not providing any sort of easy-to-find documentation on how to set it up. I had to search through a ton of sites to find this information, which is why I put it here.

When they sent me the email that “Some app has been blocked from accessing your account (because it’s not using OAuth2)”, they could have put a helpful link in the email or in their security settings to “Here’s how to set up OAuth2 with other apps.” All they told me was that I could turn off the high security, rather than how to make Thunderbird work with the high security.

If I hadn’t searched for a way to enable OAuth2 in Thunderbird, I would have assumed it couldn’t be done. My guess is that Google doesn’t like competition from software like Thunderbird, but that’s still no excuse.

And the article you’re reading didn’t take long to write. They would have earned ad revenue on such a page as this, had they written it. (Hey, Google, you can send them here!)

end </rant>

Oh well, on a positive note, I love having my own mail server, more and more all the time! It’s based on Mail in a Box, and it’s really slick.