OAuth2: Microsoft: Find scope for Hotmail

[benbucksch]

Our scope https://outlook.office365.com/.default works for Office365 accounts, but not for @outlook.com , Hotmail, live.com, xbox.com accounts. Find out which scope to use and put that in OAuth2URLs.ts . Note that we still need to support office365 accounts, so either find the scope that works for both, or split the configs for Office365 and Outlook.com.

[jermy-c]

Office365

https://outlook.office365.com/.default works for Office365 accounts. According to email-oauth2-proxy

Outlook.com

https://outlook.office.com/.default works for Outlook.com accounts. According to email-oauth2-proxy

Hotmail, live.com, xbox.com accounts

https://graph.microsoft.com/IMAP.AccessAsUser.All https://graph.microsoft.com/POP.AccessAsUser.All https://graph.microsoft.com/SMTP.Send could possible provide for all the other accounts that Microsoft provides. I'm not too sure since their docs don't explicitly state them. I only know that the Microsoft Graph API unifies all the other Web APIs which could possibly mean it will work for all the accounts even Office365 and Outlook.com. But I did see some sources stating that Graph API doesn't work with Outlook.com.

Other Stuff

• We can't use scopes for two different resources at once i.e. https://outlook.office.com/.default and https://outlook.office365.com/.default. According to StackOverflow. So we'll have to split the config.

Resources

• https://stackoverflow.com/questions/56492061/value-of-scope-to-use-when-getting-oauth-token-to-read-outlook-email
• https://learn.microsoft.com/en-us/answers/questions/1611326/deprecation-of-outlook-web-api-imap-oauth2-authent
• https://github.com/microsoftgraph/msgraph-sdk-dotnet/issues/1330
• https://docs.genesys.com/Documentation/ESEmail/latest/Admin/EmSMailAzure
• https://github.com/Foundry376/Mailspring/blob/6c3993aa93a414c5a5b4f25f67369916e338d8e6/app/internal_packages/onboarding/lib/onboarding-constants.ts#L48

[benbucksch]

https://outlook.office.com/.default works for Outlook.com accounts.

Does it also work for Office365 accounts?

Microsoft Graph API

Scopes are per protocol. We are not implementing Graph API.

We are implementing the protocols:

• IMAP, POP3, SMTP
• EWS
• ActiveSync
• Outlook Web Access (webmail frontend)

We need scopes for each of these protocols, for both Office365 and Outlook.com accounts (i.e. 5 protocols x 2 account types = 10 cases)

Could you look in the docs specifically for these? And could you please test it, with all these cases?

[jermy-c]

Does it also work for Office365 accounts?

According to the docs, it does work for both Office365 and Outlook.com accounts.

We could use the scope:

offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/EWS.AccessAsUser.All https://outlook.office.com/EAS.AccessAsUser.All 

Outlook.com seems to be part of Office 365. But some of the examples in the docs especially for EWS use the https://outlook.office365.com/ URI so it might be seperate for some them. If that's the case we'll need to split the configs.

EWS and ActiveSync are part of Office 356 Exchange Online which use the https://outlook.office365.com/ URI so we can just add the EWS and ActiveSync(EAS) scopes to it.

I didn't see anything for Outlook Web Access.

Resources

• https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
• https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#get-a-token-with-delegated-auth
• https://learn.microsoft.com/en-us/graph/permissions-reference#easaccessasuserall
• https://learn.microsoft.com/en-us/answers/questions/319653/ews-accessasuser-all-via-graph-or-exchange-online

[benbucksch]

In Owl, we're using scope offline_access EWS.AccessAsUser.All (note: without URL prefix)

[benbucksch]

We could use the scope

Could you please test it? The scope and Client ID is in OAuth2URLs.ts and EWSAccount login() line 42.

You can use manual config. It now supports EWS and OWA. But you'll have to enter the URLs manually. See ManualConfigURL.svelte line 78-82.

[benbucksch]

Even if the scope is correct, we might be rejected, because when we applied for this scope in 2020, we didn't ask for outlook.com accounts, because Microsoft didn't support that yet back then. The error message should tell you the difference.

[benbucksch]

I've tried scope offline_access IMAP.AccessAsUser.All POP.AccessAsUser.All SMTP.Send EWS.AccessAsUser.All EAS.AccessAsUser.All and it works for Outlook.com with IMAP, but it fails when using EWS: "The provided value for the input parameter 'scope' is not valid. One or more scopes in 'offline_access IMAP.AccessAsUser.All POP.AccessAsUser.All SMTP.Send EWS.AccessAsUser.All EAS.AccessAsUser.All' are not compatible with each other"

With an Office365 account and the same scope, I get: IMAP tells me "Authentication fails", and EWS just hangs.

[benbucksch]

scope offline_access EWS.AccessAsUser.All works for Office365 using EWS. It fails for Outlook.com using EWS with: "The provided value for the input parameter 'scope' is not valid. The scope 'offline_access EWS.AccessAsUser.All' is not configured for this tenant."

[benbucksch]

scope offline_access IMAP.AccessAsUser.All SMTP.Send fails with "Authenticate failed" when using IMAP, on both Office365 and outlook.com.

[benbucksch]

Note: In all IMAP tests above, I used the manual config to switch auth method to OAuth2, and the latest master (git commit 3a944918) of Mustang is required.

[benbucksch]

With scope offline_access https://outlook.office.com/.default and Office365 and default IMAP config, I get "login failed". But we might have explicitly disabled basic auth with IMAP in this account in the past, for testing.

With manual config, IMAP, and OAuth2, IMAP seems to work, but SMTP fails with: "535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled for more information." Again, the error message referring to "tenant" suggests that this might be our test configuration of this Office365 account.

Same config with EWS works.

With outlook.com and IMAP with password, it works. With IMAP and OAuth2, it also works.

With EWS, I get "Forbidden"

So, this is the most functional scope so far.

[jermy-c]

Scope: offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/EWS.AccessAsUser.All https://outlook.office.com/EAS.AccessAsUser.All

Seems like it works for Outlook.com. This image was translated with Google Lens.

These were the permission granted.

[jermy-c]

Scope: offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/EWS.AccessAsUser.All https://outlook.office.com/EAS.AccessAsUser.All

Failed for IMAP and SMTP. Because of SMTP failing authentication. Was successful for EWS.

[benbucksch]

@jermy-c which account was this, respectively?

[benbucksch]

FYI, with git commit 1605095c86, I changed the scope for Microsoft Office365 and outlook.com to offline_access https://outlook.office.com/.default for now.

[jermy-c]

@jermy-c which account was this, respectively?

Scope: offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/EWS.AccessAsUser.All https://outlook.office.com/EAS.AccessAsUser.All

Failed for IMAP and SMTP. Because of SMTP failing authentication. Was successful for EWS.

This was the Office365 account.

[jermy-c]

With EWS, I get "Forbidden"

I get the error also for @outlook.com and this in the console.

[jermy-c]

offline_access https://outlook.office.com/.default doesn't work for my @outlook.com account.

[benbucksch]

This is IMAP, right? The SMTP server hostname seems wrong.

[jermy-c]

This is IMAP, right? The SMTP server hostname seems wrong.

Yes. What's the correct host name?

I got those from here: https://support.microsoft.com/en-us/office/pop-imap-and-smtp-settings-for-outlook-com-d088b986-291d-42b8-9564-9c414e2aa040

[benbucksch]

See https://v1.ispdb.net/outlook.com https://v1.ispdb.net/office365.com

[jermy-c]

I'm still getting the same error for my Outlook.com account. But the scope works for Office365 with EWS.

[benbucksch]

@jermy-c That may be caused by our client registration. We are using the Beonex test client registration. It was registered in 2020, before Outlook.com had OAuth2. (The error message mentions "client".) Microsoft distinguishes between business and personal accounts in the client registration.

[jermy-c]

Scope: offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/EWS.AccessAsUser.All https://outlook.office.com/EAS.AccessAsUser.All

Outlook.com account

[benbucksch]

@jermy-c You're using OAuth2 (not Password) as authentication method, right? (It's not on the scrennshots)

[jermy-c]

Yes, I'm using OAuth2 as the Auth method. I should mention that along with screenshots.