Since almost all logic in Thunderbird runs with chrome privileges, a compromise of Thunderbird is still a compromise of the credentials, but in cases like the Gaia Email app, such an IMAP protocol is much riskier than the OAuth2 approach. Because there is no dynamic registration for OAuth2 settings with Gmail, we (reluctantly) implemented this by adding the required Gmail OAuth2 setup information directly in the Thunderbird code. For this to work, we had to have some method of determining what was, in fact, a Gmail address that expected to use Gmail OAuth2 settings.
Clarification: I had been using OAuth2 normally, with the previously stored token, for quite a long time. Part of the reason I went intentionally messing around was to try to trigger the OAuth2 authentication screens on purpose, so I could remind myself how that process looks. I hadn't needed to do this since originally configuring Thunderbird to access my Gmail account quite some time ago.
Since then, I have had to change my authentication method for this account in Thunderbird to 'Normal password', and generate an 'App Password' to use with it from the management interface at accounts.google.com. I cannot make the OAuth2 method in Thunderbird work anymore.
In troubleshooting the fault, I later on took the step to remove Thunderbird's access to my account at accounts.google.com, which I now realize has the effect of invalidating all the other stored tokens for this purpose out in the wild. Thereby, I have managed to break OAuth2 access on all my Thunderbird instances across my PCs. I have had to revert to the described old 'App Passwords' based mechanism everywhere. This works, but Google deprecated the use of App Passwords as an account security concern. Google would prefer you to use OAuth2, if you can.
Cannot access Yahoo mail for about two weeks now with T-bird. I am using the latest version with inbound.att.net and outbound.att.net with OAuth2 selected. I have an OAuth password from AT&T; when I try to use this I get a pop-up that asks me for sign-in credentials. When attempting sign-in it says I need to enable cookies. (Firefox) I have given 'cookie' permission to https://att.com, https://yahoo.com, https://login.yahoo.com. Can't get past this, any suggestions or additional permissions I might try?