Webklex / php-imap

PHP-IMAP is a wrapper for common IMAP communication without the need to have the php-imap module installed / enabled. The protocol is completely integrated and therefore supports IMAP IDLE operation and the "new" oAuth authentication process as well.
https://www.php-imap.com
MIT License

Can't connect to consumer Outlook OAuth IMAP (hotmail.xx & outlook.xx mailbox) #519

Open Pascal76 opened 1 month ago

Pascal76 commented 1 month ago

Hello,

I saw a lot of documents concerning the B2B part (it works fine), and none about the consumer mailboxes. I configured everything as expected (I think). I can even get the access/refresh token without any issue, but the connection fails.

Scope: openid email User.Read IMAP.AccessAsUser.All (openid offline_access email User.Read https://outlook.office.com/IMAP.AccessAsUser.All is not valid, and IMAP.AccessAsApp can't be added for consumer mailboxes, and https://outlook.office.com/Mail.ReadWrite does not help)

URLs:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
https://login.microsoftonline.com/consumers/oauth2/v2.0/token

(I replaced values with XXX below)

Config:

    [accounts] => Array
    (
        [default] => Array
        (
            [host] => outlook.office365.com
            [port] => 993
            [protocol] => imap
            [encryption] => ssl
            [validate_cert] => 1
            [username] => XXX@outlook.fr
            [password] => XXX (the access token)
            [authentication] => oauth

Debug :

OK The Microsoft Exchange IMAP4 service is ready. [XXX]

TAG1 AUTHENTICATE XOAUTH2 XXX...

<< TAG1 NO AUTHENTICATE failed.

Same issue if I did it manually (openssl s_client -crlf -connect outlook.office365.com:993 ...)

Pascal76 commented 1 month ago

Today I was able to make it work.

The scope for "response_type=code": openid offline_access email User.Read wl.offline_access wl.imap wl.emails https://outlook.office.com/IMAP.AccessAsUser.All

The scope for "grant_type=authorization_code": https://graph.microsoft.com/.default

Then I don't know why I must request a new access_token ("grant_type=refresh_token") to make it work with scope: https://outlook.office.com/.default

iwkse commented 3 weeks ago

Hi, we're having the same issue. We are using a personal account to create the credentials, client ID and client secret. I didn't understand well how you made it work. grant_type=refresh_token doesn't seem to be valid.

We're doing it like this:

https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?
&client_id=4732ae67-xxxx-yyyy-zzzz-dc01692174c1
&response_type=code
&redirect_uri=https://www.xxxyyy.it/xxxx/test-imap.php
&response_mode=query
&scope=https://graph.microsoft.com/.default
&grant_type=authorization_code
&state=12345

This one works and we get the code that we use in this call:

https://login.microsoftonline.com/consumers/oauth2/v2.0/token

client_id:4732ae67-xxxx-yyyy-zzzz-dc01692174c1
client_secret:-YYYYYYYYYYYYYY~xxxxxxxxxxxxxxxxxxx
grant_type:client_credentials
scope: https://outlook.office.com/.default
code:M.C522_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

For scopes: openid offline_access email User.Read wl.offline_access wl.imap wl.emails https://outlook.office.com/IMAP.AccessAsUser.All

I don't understand where you set this. In the /token POST it accepts only .default
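
The token-endpoint sequence described in this thread (code exchange, then a refresh for the Outlook resource) and the string behind `TAG1 AUTHENTICATE XOAUTH2`, as an added example that is not code from the thread or from php-imap. The client ID, secret, tokens, redirect URI and mailbox are constructed placeholders, the parameter rules are those of RFC 6749, and nothing is sent over the network.

```php
<?php
// Added illustration: every value below is a constructed placeholder.
const TOKEN_URL = 'https://login.microsoftonline.com/consumers/oauth2/v2.0/token';

// RFC 6749 token-request parameters: what each grant type needs and what it does not use.
const GRANT_RULES = [
    'authorization_code' => ['need' => ['code'],          'deny' => ['refresh_token']],
    'refresh_token'      => ['need' => ['refresh_token'], 'deny' => ['code']],
    'client_credentials' => ['need' => [],                'deny' => ['code', 'refresh_token']],
];

/** Return the problems found in a token-endpoint POST body (empty list = consistent). */
function checkTokenRequest(array $p): array
{
    $grant = $p['grant_type'] ?? '';
    if (!array_key_exists($grant, GRANT_RULES)) {
        return ["unknown or missing grant_type '$grant'"];
    }
    $problems = [];
    foreach (GRANT_RULES[$grant]['need'] as $k) {
        if (empty($p[$k])) $problems[] = "$grant requires '$k'";
    }
    foreach (GRANT_RULES[$grant]['deny'] as $k) {
        if (isset($p[$k])) $problems[] = "'$k' is not used with $grant";
    }
    return $problems;
}

/** SASL XOAUTH2 initial response: base64("user=<u>^Aauth=Bearer <token>^A^A"). */
function xoauth2(string $user, string $accessToken): string
{
    return base64_encode("user={$user}\x01auth=Bearer {$accessToken}\x01\x01");
}

// Code exchange and refresh as described in the thread, then a body mixing two grants.
$base     = ['client_id' => 'CLIENT_ID', 'client_secret' => 'CLIENT_SECRET'];
$exchange = $base + ['grant_type' => 'authorization_code', 'code' => 'CODE_FROM_REDIRECT',
    'redirect_uri' => 'https://app.example/callback', 'scope' => 'https://graph.microsoft.com/.default'];
$refresh  = $base + ['grant_type' => 'refresh_token', 'refresh_token' => 'REFRESH_TOKEN',
    'scope' => 'https://outlook.office.com/.default'];
// client_credentials combined with an authorization code is reported as inconsistent.
$mixed    = $base + ['grant_type' => 'client_credentials', 'code' => 'CODE_FROM_REDIRECT',
    'scope' => 'https://outlook.office.com/.default'];
foreach (compact('exchange', 'refresh', 'mixed') as $name => $body) {
    $issues = checkTokenRequest($body);
    echo "$name: POST " . TOKEN_URL . "\n  " . http_build_query($body) . "\n  "
        . ($issues ? 'problems: ' . implode('; ', $issues) : 'consistent') . "\n";
}
echo 'TAG1 AUTHENTICATE XOAUTH2 ' . xoauth2('user@outlook.example', 'ACCESS_TOKEN') . "\n";
```

The access token returned by the refresh step is the value that goes into `xoauth2()`, and with php-imap into the `password` field of an account whose `authentication` is `oauth`, as in the config shown in the first comment.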