2FA Plugin for Thunderbird
The Thunderbird 2FA Plugin is a tool that lets Thunderbird use secure two-factor authentication with any OAuth2 or OpenID Connect provider. It allows organizations to connect Thunderbird to their existing identity systems, improving security without changing how users access their email.
Introduction
Thunderbird has long been a favorite among developers, system administrators, and power users due to its open-source nature and strong extensibility. It supports a wide range of protocols, and its add-on ecosystem allows for advanced customizations that rival even enterprise email clients. However, one area where Thunderbird has traditionally fallen short is modern authentication, especially when it comes to secure, enterprise-grade two-factor authentication (2FA).
By default, Thunderbird only supports OAuth2 login flows for a small, hardcoded list of well-known providers such as Google or Microsoft. This presents a challenge for organizations that use custom identity platforms, self-hosted solutions, or need finer control over authentication policies.
To address this gap, the Right&Above team developed a plugin that gives Thunderbird full support for any OpenID Connect (OIDC) or OAuth 2.0-compatible identity provider (IdP). With this plugin, teams can integrate their existing authentication stacks, including platforms like Keycloak, Auth0, or custom-built OIDC servers, into Thunderbird’s email login workflow. No core patches are needed. No vendor lock-in. Just seamless integration with your existing security infrastructure.
And since we actively support Open Source as part of our engineering culture, we made the plugin publicly available. The full implementation is open for the community here: https://github.com/raa-org/thunderbird-custom-idp
What Is the Thunderbird Custom IdP Add-on?
The Thunderbird Custom IdP is an add-on that enhances Thunderbird’s authentication system. Specifically, it allows Thunderbird to use any OIDC (OpenID Connect) or OAuth2 (OAuth 2.0) identity provider for IMAP (Internet Message Access Protocol) and SMTP (Simple Mail Transfer Protocol) login flows. Instead of relying on Thunderbird’s built-in OAuth2 providers, this plugin dynamically injects your organization’s authentication details during runtime – including authorization endpoints, token endpoints, client credentials, and scope definitions.
This means that even if your organization runs a private Keycloak instance or a cloud-based identity platform, Thunderbird can now be configured to authenticate users through that provider with full support for modern security features like PKCE (Proof Key for Code Exchange) and secure secret storage.
Why It Matters
Modern email clients need to operate in secure environments, particularly in enterprise contexts where compliance, access control, and auditing are essential. Thunderbird’s default support model simply does not meet the requirements of organizations that need:
- Centralized identity management
- Secure authentication on shared or virtual devices
- Segmented access policies (e.g., different scopes for sending vs. receiving email)
- Integration with identity platforms that support OpenID Connect (OIDC), so Thunderbird can take part in enterprise Single Sign-On (SSO) ecosystems
The Right&Above 2FA plugin effectively transforms Thunderbird into a fully capable enterprise-ready email client – without requiring changes to Thunderbird’s core or forking the source code. It keeps all logic external, fully reversible, and easy to deploy and maintain.
How It Works In Practice
When the add-on is installed and Thunderbird is launched, the plugin immediately loads a configuration file. This configuration can be provided in three different ways:
- Remote HTTPS JSON configuration – ideal for managed enterprise environments where policy needs to be centrally distributed.
- Packaged configuration – embedded directly into the plugin (for example, config.json).
- Profile-level configuration – placed in a user’s local Thunderbird profile (oauthpatch.json), suitable for one-off or user-managed setups.
Once the configuration is loaded, the plugin intercepts Thunderbird’s OAuth2 provider resolution mechanism. When Thunderbird tries to connect to a mail server like imap.corp.example.com, the plugin injects the correct issuer (identity provider), scopes (permissions), and authentication flow parameters.
It also retrieves and supplies sensitive credentials like clientId and clientSecret, using the preferred secret storage method – either Thunderbird’s secure Login Manager, in-memory storage for session-based secrets, or plain-text storage for testing purposes.
Key Capabilities and Features
- Custom Identity Provider Support – works with any identity platform that speaks OIDC or OAuth2, such as Keycloak, ForgeRock, Auth0, or even custom IdPs.
- Non-Invasive Architecture – the plugin dynamically “patches” Thunderbird’s OAuth logic in memory; no source code modifications or file overwrites are required. Disabling or uninstalling the plugin cleanly reverts Thunderbird to its original state.
- PKCE Integration – for added security, PKCE can be enabled to safeguard the authentication flow when used with public or client-side apps.
- Per-Service Scope Definitions – scopes can be configured independently for IMAP and SMTP, allowing fine-grained control over what actions a given login is permitted to perform.
- Flexible Deployment Options – whether you manage five desktops or five thousand, the plugin supports centralized deployments with minimal user involvement.
- Cross-Platform Compatibility – supports Windows, macOS, and Linux without modification.
- Runtime Adaptability – compatible with Thunderbird version 139 and above, including those using newer JavaScript module formats (.sys.mjs, .jsm).
Security and Privacy Considerations
Security is a core priority of the plugin’s design. Key security mechanisms include:
- HTTPS-Only Configuration Loading – any external configuration must be served over secure HTTPS connections to prevent tampering or injection.
- Secure Secret Storage – client secrets can be stored in Thunderbird’s Login Manager (encrypted), in memory (ephemeral), or via developer-mode preferences.
- No Telemetry – the plugin does not send any diagnostics, logs, or tracking data. All operations remain local to the user’s device.
- Built-in Protection – includes timeouts and payload limits to prevent long-running requests or oversized configuration files from affecting performance or stability.
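The HTTPS-only loading, timeout and payload-limit protections above, as an added JavaScript example (not the add-on's own implementation): a remote config loader that rejects non-HTTPS URLs before any request, aborts on a timeout, caps the body size, and checks the result for required fields. The limit values, the required-field list and the `fetchImpl` injection point are assumptions made for this example.

```javascript
// Hard limits; the values the add-on actually uses are not stated on the page.
const MAX_CONFIG_BYTES = 64 * 1024;
const TIMEOUT_MS = 5000;

// Refuse anything that is not https:// before a single request is made, so a
// config URL cannot be downgraded to a tamperable plaintext channel.
function assertHttpsUrl(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "https:") {
    throw new Error(`config URL must use https://, got ${url.protocol}`);
  }
  return url;
}

// Enforce the payload cap on the body actually received, not only on Content-Length.
function enforceSizeLimit(text, maxBytes = MAX_CONFIG_BYTES) {
  const size = Buffer.byteLength(text, "utf8");
  if (size > maxBytes) throw new Error(`config payload is ${size} bytes, limit is ${maxBytes}`);
  return text;
}

// Minimal shape check so a truncated or wrong file fails loudly instead of
// silently leaving Thunderbird with a half-configured provider.
function validateConfig(config) {
  for (const key of ["issuer", "clientId"]) {
    if (typeof config[key] !== "string" || config[key].length === 0) {
      throw new Error(`config is missing required field "${key}"`);
    }
  }
  assertHttpsUrl(config.issuer); // the IdP itself must be reachable over HTTPS too
  return config;
}

// `fetchImpl` is injectable so the logic can be exercised offline with a stub.
async function loadConfig(urlString, { fetchImpl = fetch, timeoutMs = TIMEOUT_MS, maxBytes = MAX_CONFIG_BYTES } = {}) {
  const url = assertHttpsUrl(urlString);
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs); // covers headers and body
  try {
    // redirect: "error" stops a compromised endpoint bouncing the client to another origin.
    const res = await fetchImpl(url.toString(), { signal: controller.signal, redirect: "error" });
    if (!res.ok) throw new Error(`config fetch failed with HTTP ${res.status}`);
    const declared = Number(res.headers.get("content-length") ?? 0);
    if (declared > maxBytes) throw new Error(`declared size ${declared} exceeds limit ${maxBytes}`);
    return validateConfig(JSON.parse(enforceSizeLimit(await res.text(), maxBytes)));
  } finally {
    clearTimeout(timer);
  }
}
```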
Use Case: Centralized Enterprise Rollout
For IT administrators managing fleets of devices, the plugin supports centralized rollout:
- Host a global configuration file on an internal HTTPS endpoint.
- Pre-package the plugin with a preset configUrl so that users do not need to configure anything themselves.
- Use Login Manager to securely store secrets, or opt for in-memory storage on shared machines (e.g., kiosks or virtual desktops).
This approach enables organizations to standardize email authentication across departments, enforce stronger login policies, and integrate Thunderbird with their existing identity architecture – all while preserving the usability and flexibility that Thunderbird is known for.
Real-World Deployment
Currently, our solution, the Thunderbird 2FA plugin, is actively used by all staff across our company on both Windows and macOS laptops. It integrates seamlessly into their daily workflows without disrupting productivity.
We have also configured our internal Linux-based mail server, which utilizes Cyrus IMAP (cyrus-imapd), to support two-factor authentication (2FA). This server is connected to our broader identity ecosystem via RAA-SSO (Right&Above Single Sign-On) – a centralized authentication layer that unifies access across multiple corporate tools and services.
Final Thoughts
As organizations continue to modernize their infrastructure, integrating open-source tools like Thunderbird into secure enterprise environments remains a challenge – particularly around identity and access management.
The Thunderbird Custom IdP add-on, developed by Right&Above, bridges that gap by enabling secure, standards-based authentication with any OAuth2 or OpenID Connect provider. It does so without requiring intrusive changes or sacrificing user experience.
Whether you are securing internal communications, enforcing 2FA policies, or migrating to a unified identity solution, this plugin provides the flexibility and security you need while keeping overhead low and maintaining full control.
For teams that rely on Thunderbird but need enterprise-grade authentication, this plugin is a lightweight yet powerful solution to future-proof your email access.