mozilla / releases-comm-central

EXPERIMENTAL - copy of comm-central for forking on github

Thunderbird and Azure AD OAuth Question #49

Open OwainWin opened 2 years ago

OwainWin commented 2 years ago

Firstly, apologies for the length and technicality of this question, but I've so far been unable to find the information for the questions below. Due to the upcoming disablement of basic authentication for O365 Exchange Online by Microsoft on 01/10/2022 we need to enable the use of modern authentication for Thunderbird in our tenant. We have a rather strict security process in regard to reviewing how applications have been developed for OAuth before they can be approved for use. To be able to authorise the Azure AD Enterprise App registration that is required for Thunderbird to connect to Exchange Online mailboxes using modern auth I need to answer the questions below. I've spent a lot of time searching for this information online, including looking through the Thunderbird OAuth module files at the links below, and have not been able to find the required information. I'm not a developer or authentication expert, so maybe I've not been able to interpret the available information in the correct way, but without these answers we can't continue to use Thunderbird, which is currently our main Linux email client; this would be a major issue.

https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Providers.jsm https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Module.jsm https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2.jsm

The questions are:

Does the application use OpenID Connect to authenticate the user?

I haven't been able to find anything that states it does so assume that it doesn't?

Does the application validate signatures in tokens issued by the authorisation server? If the OpenID Connect id_token is used, make sure it is properly validated according to the JSON Web Signature, JSON Web Encryption, and OpenID specifications.

Assuming that OpenID Connect is not used then this is N/A

Do you use a code library for your OpenID Connect implementation? If so, is it a certified OpenID Connect implementation?

I think so, because in the above .jsm files it states that it has been developed against the following RFC standards, but again I can't find where a specific code library is explicitly stated:

RFC 6749: Section 3.1, Section 3.2, Section 3.3, Section 2.3.1

What is the grant type used? Resource Owner Password Credentials and Implicit Grant must not be used.

I’ve found the following in the above .jsm files but I’m not sure of the grant type this is:

```javascript
// Excerpt from OAuth2.jsm (quoted in the question): builds the body of the
// request to the token endpoint, either a refresh or an initial code exchange.
if (aRefresh) {
  this.log.info(
    `Making a refresh request to the token endpoint: ${this.tokenEndpoint}`
  );
  data.append("grant_type", "refresh_token");
  data.append("refresh_token", aCode);
} else {
  this.log.info(
    `Making access token request to the token endpoint: ${this.tokenEndpoint}`
  );
  data.append("grant_type", "authorization_code");
  data.append("code", aCode);
  data.append("redirect_uri", this.redirectionEndpoint);
}
```

Does the application use an established library to provide the OAuth functionality? If a bespoke implementation of OAuth has been used, have the state and redirect_uri parameters been used correctly? The app must use the state parameter (even though it is not mandatory). This prevents improper validation of the authorization initiator. If the application does not verify that the received token or authorization code was generated in the process initiated by it, the token can be overridden (the state parameter in the authorization request is used to make sure that the obtained authorization code or token was generated for your application). The app must send a redirect_uri parameter not only to the /authorization endpoint, but also to the /token endpoint.

All I’ve been able to find for this is a reference to localhost.

If a bespoke implementation of OAuth uses the authorization_code flow, has this been done securely?

Does the application store tokens in cookies or localStorage?

Is this stored in the Thunderbird Password Manager?

If tokens are stored in cookies, are best practices followed?

If the Thunderbird Password Manager is used then this would be N/A

Does the application validate tokens it receives? e.g. HMAC-based or RSA-based

Again, apologies for the list of questions, but without this information it's going to be very difficult to continue to use Thunderbird once Microsoft disable basic auth.

Many thanks

Owain