I don't know the details of OAuth enough to understand how that really works. But that could certainly be annoying or even unworkable with some fully automated tools.
1. The application sends you to the Google login page with some magic URL parameters.
2. You log in, Google generates a magic code ("refresh token") which it prints on the screen for you to type into the application or uses some MalwareScript to transfer it from the browser to the application over http://127.0.0.1/ or similar means.
3. The application sends some HTTP requests with the refresh token to obtain an access token valid for a short time each time it needs to do something.
4. Google may revoke the refresh token and any derived access tokens when you change your account password, revoke Thunderbird access or if it simply feels like doing so.
It's not even a bad scheme, but the implementation is kinda stupid because it's designed solely with idiots in mind and built on all those webshit technologies. In particular, nothing stops the application from showing you something that looks like a browser but is not a browser, taking your password and using it to handle conversion into refresh tokens fully automatically. Or using that password for some other purposes. There may be a captcha on the Google login page to prevent the former at least. It would also be nice to have a simple UI for manually generating such tokens for applications that don't fully support all that HTTP/OAuth nonsense.
If something goes wrong and you get a new login request each time you view a different directory, have fun debugging it.
Maybe Thunderbird forgets its tokens or screws something, maybe GMail is buggy and revokes the token.
Try customer support.
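
The loopback hand-off from steps 1 and 2 of the list above, sketched as an added example that is not part of the thread and not Thunderbird's or Google's code. It follows the standard authorization code flow with PKCE (RFC 8252 and RFC 7636), where the value delivered to 127.0.0.1 is a one-time code that the application then exchanges for the refresh token; the endpoint, client ID, port and scope are assumed placeholders.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholders, not values from the thread.
AUTH_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "http://127.0.0.1:8765/callback"

def new_pkce_pair():
    """Return (verifier, challenge) using the RFC 7636 S256 method."""
    verifier = secrets.token_urlsafe(48)  # 64 URL-safe characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_authorization_url(state, challenge, scope="mail"):
    """The URL with the 'magic parameters' that the system browser opens."""
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTH_ENDPOINT}?{query}"

def handle_loopback_redirect(request_target, expected_state):
    """Validate the request the browser makes to the 127.0.0.1 listener."""
    params = parse_qs(urlsplit(request_target).query)
    returned_state = params.get("state", [""])[0]
    # Reject callbacks this client did not start (stray or forged local requests).
    if not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def token_request_form(code, verifier):
    """Form body for the code exchange; the verifier proves who started the flow."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": verifier}
```

Because the challenge sent in the first request is a hash of a secret that never leaves the application, a code intercepted on the loopback hop cannot be redeemed without the matching verifier.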