blacktirion / email-oauth2-proxy-docker

Dockerized Version of simonrob/email-oauth2-proxy

Stuck at validating link #48

Open BiLLy-85 opened 8 months ago

BiLLy-85 commented 8 months ago

I can't seem to go any further, tried everything.

I'm trying to get Microsoft 365 working with paperless. I've got paperless in Docker on my Synology with docker compose. I put email-oauth2-proxy-docker in the docker compose and got something working: if I try to connect paperless I get some logs, one of them with a link, but if I try to open that link on my computer it gives an error: AADSTS900561: The endpoint only accepts POST, OPTIONS requests. Received a GET request.

My docker compose looks like this:

version: "3.4"
services:
  broker:
    image: docker.io/library/redis:7
    restart: unless-stopped
    volumes:
      - redisdata:/data

  db:
    image: docker.io/library/postgres:15
    restart: unless-stopped
    volumes:
      - ./db:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: paperless
      POSTGRES_USER: paperless
      POSTGRES_PASSWORD: paperless

  webserver:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    depends_on:
      - db
      - broker
      - gotenberg
      - tika
    ports:
      - "8778:8000"
    volumes:
      - ./data:/usr/src/paperless/data
      - ./media:/usr/src/paperless/media
      - ./export:/usr/src/paperless/export
      - ./consume:/usr/src/paperless/consume
      - ./trash:/usr/src/paperless/trash
    env_file: docker-compose.env
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_DBHOST: db
      PAPERLESS_TIKA_ENABLED: 1
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
      PAPERLESS_TIKA_ENDPOINT: http://tika:9998

  gotenberg:
    image: docker.io/gotenberg/gotenberg:7.10
    restart: unless-stopped

    # The gotenberg chromium route is used to convert .eml files. We do not
    # want to allow external content like tracking pixels or even javascript.
    command:
      - "gotenberg"
      - "--chromium-disable-javascript=true"
      - "--chromium-allow-list=file:///tmp/.*"

  tika:
    image: ghcr.io/paperless-ngx/tika:latest
    restart: unless-stopped

  emailproxy:
    image: blacktirion/email-oauth2-proxy-docker # ghcr.io optional. this is published on both Docker Hub and Github Container Repository
    restart: unless-stopped
    volumes:
      - ./proxy:/config
    ports:
      - "1993:1993"
      - "8080:80"
    environment:
      LOGFILE: true
      DEBUG: true
      CACHE_STORE: /config/credstore.config
      LOCAL_SERVER_AUTH: true #Optional

volumes:
  data:
  media:
  pgdata:
  redisdata:
  emailproxy:

The emailproxy.config looks like this:

[IMAP-1993]
server_address = outlook.office365.com
server_port = 993
local_address = emailproxy

[mailbox@domain.nl]
permission_url = https://login.microsoftonline.com/<Tenant-id>/oauth2/v2.0/token
token_url = https://login.microsoftonline.com/<Tenant-id>/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/.default
redirect_uri = http://localhost
client_id = <client-id (tried Application-is (client-id) and secret-id (not value)>
client_secret = <secret-value>

[emailproxy]
delete_account_token_on_password_error = True
encrypt_client_secret_on_first_use = False
allow_catch_all_accounts = False

The log says the following:

2024-03-26 10:49:53,036: Initialising Email OAuth 2.0 Proxy (version 2024-03-15) in debug mode from config file /config/emailproxy.config
2024-03-26 10:49:53,037: Starting IMAP server at emailproxy:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-03-26 10:49:53,074: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2024-03-26 10:50:43,046: New incoming connection to IMAP server at emailproxy:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-03-26 10:50:43,046: Accepting new connection from 172.18.0.7:42514 to IMAP server at emailproxy:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-03-26 10:50:43,061: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993) --> [ Client connected ]
2024-03-26 10:50:43,062: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993) <-> [ Starting TLS handshake ]
2024-03-26 10:50:43,204: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993) <-> [ TLSv1.2 handshake complete ]
2024-03-26 10:50:43,211: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [QQBNADAAUAAxADkAMABDAEEAMAAwADEANgAuAEUAVQBSAFAAMQA5ADAALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-03-26 10:50:43,211: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [QQBNADAAUAAxADkAMABDAEEAMAAwADEANgAuAEUAVQBSAFAAMQA5ADAALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-03-26 10:50:43,213: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993) --> b'LJLC0 CAPABILITY\r\n'
2024-03-26 10:50:43,213: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993)     --> b'LJLC0 CAPABILITY\r\n'
2024-03-26 10:50:43,221: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993)     <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2024-03-26 10:50:43,222: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2024-03-26 10:50:43,222: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993)     <-- b'LJLC0 OK CAPABILITY completed.\r\n'
2024-03-26 10:50:43,222: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993) <-- b'LJLC0 OK CAPABILITY completed.\r\n'
2024-03-26 10:50:43,264: IMAP (172.18.0.7:42514-{172.18.0.6:1993}-outlook.office365.com:993) --> b'LJLC1 LOGIN [[ Credentials removed from proxy log ]]\r\n'
2024-03-26 10:50:44,384: Authorisation request received for mailbox@domain.nl (local server auth mode)
2024-03-26 10:50:44,385: Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account mailbox@domain.nl
2024-03-26 10:50:44,385: Local server auth mode (localhost:80): starting server to listen for authentication response
2024-03-26 10:50:44,386: Please visit the following URL to authenticate account mailbox@domain.nl: https://login.microsoftonline.com/<Tenant-id>/oauth2/v2.0/token?client_id=client-id&redirect_uri=http%3A%2F%2Flocalhost&scope=https%3A%2F%2Foutlook.office365.com%2F.default&response_type=code&access_type=offline&login_hint=mailbox%40domain.nl

So now, if I go to the link provided in the log file: https://login.microsoftonline.com//oauth2/v2.0/token?client_id=client-id&redirect_uri=http%3A%2F%2Flocalhost&scope=https%3A%2F%2Foutlook.office365.com%2F.default&response_type=code&access_type=offline&login_hint=mailbox%40domain.nl I will get the following message: [image]

So, obviously I don't know how to fix this error, or where to put a POST instead of a GET (..?)

And after this, I understood I have to put the given URL somewhere else, but where should that be exactly? I don't know for sure if this is related to the docker repository or if I should ask this question in the original repository.

yngyngyng commented 6 months ago

Hey @BiLLy-85, I believe you're using the wrong URL for authorization.

You should try using https://login.microsoftonline.com/{Tenant-id}/oauth2/v2.0/authorize instead of /token. When using this endpoint, you will receive a code which is then used with the /token endpoint as the authentication method to fetch tokens.

Here are the official docs:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#redirect-uri-setup-required-for-single-page-apps
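To make the two legs of the flow concrete, here is an added example (not part of this thread, the proxy, or this Docker image) that parses an account section like the one posted above, flags a permission_url that points at /token instead of /authorize, builds the browser-facing authorization URL with the same parameters the proxy logged, and shows the POST body the /token exchange uses once the code comes back on the redirect. The config text, tenant, client and code values are constructed placeholders; the parameter names for the token request are the standard Microsoft identity platform v2.0 authorization code grant.

```python
"""Authorization-code flow helper for an Email OAuth 2.0 Proxy account section.

Added example, not the proxy's own code. The /authorize leg is a browser GET and
returns a code on the redirect_uri; the /token leg is a server-side POST that
trades that code for tokens. Pointing permission_url at /token yields AADSTS900561.
"""
import configparser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample mirroring the posted config; <Tenant-id> etc. are placeholders.
SAMPLE_CONFIG = """
[mailbox@domain.nl]
permission_url = https://login.microsoftonline.com/<Tenant-id>/oauth2/v2.0/token
token_url = https://login.microsoftonline.com/<Tenant-id>/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/.default
redirect_uri = http://localhost
client_id = <client-id>
client_secret = <secret-value>
"""

# Same text with permission_url corrected to the /authorize endpoint (first occurrence only).
FIXED_CONFIG = SAMPLE_CONFIG.replace("v2.0/token\n", "v2.0/authorize\n", 1)


def load_account(config_text, account):
    """Return the named account section as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return dict(cp[account])


def check_account(config_text, account):
    """Return a list of findings about the OAuth endpoint settings (empty = OK)."""
    sec = load_account(config_text, account)
    findings = []
    perm_path = urlsplit(sec["permission_url"]).path
    tok_path = urlsplit(sec["token_url"]).path
    if not perm_path.endswith("/authorize"):
        findings.append("permission_url must be the /authorize endpoint (browser GET); got " + perm_path)
    if not tok_path.endswith("/token"):
        findings.append("token_url must be the /token endpoint (POST); got " + tok_path)
    if sec["permission_url"] == sec["token_url"]:
        findings.append("permission_url and token_url are identical; the two legs use different endpoints")
    return findings


def build_authorize_url(config_text, account):
    """Leg 1: the URL the user opens in a browser (a GET), as the proxy logs it."""
    sec = load_account(config_text, account)
    params = {
        "client_id": sec["client_id"],
        "redirect_uri": sec["redirect_uri"],
        "scope": sec["oauth2_scope"],
        "response_type": "code",
        "access_type": "offline",
        "login_hint": account,
    }
    return sec["permission_url"] + "?" + urlencode(params)


def parse_redirect(redirect_url):
    """Extract code (or error) from the URL the browser is sent back to."""
    q = parse_qs(urlsplit(redirect_url).query)
    return {"code": q.get("code", [None])[0], "error": q.get("error", [None])[0]}


def build_token_request(config_text, account, code):
    """Leg 2: the POST to token_url that exchanges the code for tokens."""
    sec = load_account(config_text, account)
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": sec["redirect_uri"],
        "client_id": sec["client_id"],
        "client_secret": sec["client_secret"],  # confidential client; keep out of logs
        "scope": sec["oauth2_scope"],
    }
    return sec["token_url"], body


if __name__ == "__main__":
    acct = "mailbox@domain.nl"
    for f in check_account(SAMPLE_CONFIG, acct):
        print("posted config:", f)
    print("authorize URL:", build_authorize_url(FIXED_CONFIG, acct))
    # Constructed redirect; a real one carries a long opaque code.
    redirect = parse_redirect("http://localhost/?code=0.CONSTRUCTED-CODE&session_state=abc")
    url, body = build_token_request(FIXED_CONFIG, acct, redirect["code"])
    print("POST", url, {k: v for k, v in body.items() if k != "client_secret"})
```

Two things worth checking against the log above once permission_url is fixed: the proxy starts its local auth server on localhost:80 inside the container, and the compose maps that to host port 8080, so the redirect_uri the browser lands on has to actually reach that listener; and the code returned on the redirect is single-use and short-lived, so the /token exchange must happen promptly and over the POST leg shown here, never by pasting the code into a browser address bar.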

Brynnan42 commented 2 months ago

@BiLLy-85 Did you get this working with Paperless? I am currently trying to set up the same integration.