mustang-im / mustang

Mustang - New full-featured desktop email, chat and video conference client
https://mustang.im

OAuth2: Microsoft: Configure Client ID as a public client for all tenants #173

Open benbucksch opened 1 month ago

benbucksch commented 1 month ago

So, Microsoft finally approved us as Verified Publisher and vetted Partner, after 2-3 months, almost 100 emails, and weeks of work simply trying to register. Eventually, Microsoft was simply unable to read documents, and also unable to communicate in any way what's going on. But with that over...

I have created an App Registration for OAuth2, added the IMAP, POP3 and SMTP scopes (it does not allow me to add the EWS and EAS scopes :sob: ), and created a Client ID and secret.

I've added the Client ID and secret in OAuth2URL.ts for Outlook and Office365. I needed to re-login for the EWS account, which I had already configured in Mustang - the re-login is expected. However, after successful login, I get an error:

"Cannot login

AADSTS700016: Application with identifier '5720dabf-3065-4076-abc3-7479ad24ec9f' was not found in the directory 'B'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."

("B" tenant is our test domain beonex.onmicrosoft.com, IIRC, so that refers to the domain of the end user that tries to log in.)

We need to have a client ID which can log in with any domain (unless the domain admin explicitly disabled it).


jermy-c commented 1 month ago

OAuth2 works for personal account after:

  1. Using the Application (client) ID as the clientID
  2. Client secret and PKCE are not required
  3. Explicitly listing the scopes offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send (https://outlook.office.com/.default gives a scope error)
  4. Enabling the https://login.microsoftonline.com/common/oauth2/nativeclient redirect URI, localhost doesn't work

But EAS and EWS aren't working yet. Nor is the work account working. But the error states it's because of a config by the admin of the tenant.

benbucksch commented 1 month ago

Nor is the work account working. But the error states it's because of a config by the admin of the tenant.

Yes, in the beonex.onmicrosoft.com tenant, we had a funny domain config for testing purposes.

benbucksch commented 1 month ago

EAS and EWS aren't working yet

Test EWS with these values and the client ID that master had before your change:

```ts
const kAuthScope = "offline_access EWS.AccessAsUser.All";
const kAuthDone = "https://login.microsoftonline.com/common/oauth2/nativeclient";
const kAuthPage = "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize";
const kTokenURL = "https://login.microsoftonline.com/organizations/oauth2/v2.0/token";
const kLogoutURL = "https://login.microsoftonline.com/organizations/oauth2/logout";
```

Also try:

```ts
const kAuthPage = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
const kTokenURL = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
const kLogoutURL = "https://login.microsoftonline.com/common/oauth2/logout";
```

jermy-c commented 1 month ago

Test EWS with these values and the client ID that master had before your change:

Yes, both work.

jermy-c commented 1 month ago

The scope offline_access EWS.AccessAsUser.All works even with the new clientID. The scope seems to be the issue for EWS.

benbucksch commented 1 month ago

That's great! Can you please also try after adding EAS.AccessAsUser.All (note: EAS) for ActiveSync, whether login with EWS still works?

jermy-c commented 1 month ago

Yes, login works with EWS and EAS together in the scope.

Note: IMAP, POP and SMTP need to be prefixed with https://outlook.office.com/ or you'll get the following error

The provided value for the input parameter 'scope' is not valid. One or more scopes in 'offline_access IMAP.AccessAsUser.All POP.AccessAsUser.All SMTP.Send EWS.AccessAsUser.All EAS.AccessAsUser.All' are not compatible with each other. Trace ID: fbb798eb-9515-4f6f-a4dc-01b7946e4000 Correlation ID: a3705ccf-c494-4a55-8952-62688580ed4c Timestamp: 2024-08-14 19:47:52Z

benbucksch commented 4 weeks ago

@jermy-c Which account types did you test?

Which protocols did you test?

Which combinations work with this change?

(beonex.onmicrosoft.com with IMAP/SMTP is known to not work, due to tenant/domain-specific settings. Not related to code.)

benbucksch commented 4 weeks ago

Note: IMAP, POP and SMTP need to be prefixed with https://outlook.office.com/

Yes, that matches Thunderbird: https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.sys.mjs#20

jermy-c commented 4 weeks ago

Which account types did you test?

I tested:

Which protocols did you test?

I tested:

Which combinations work with this change?

jermy-c commented 4 weeks ago

EWS Personal Account Login

  1. Popup shows up with consent UI and the following error in the console

Error: The user account {EUII Hidden} does not exist in the outlook.com directory. To sign into this application, the account must be added to the directory. Trace ID: b8a24539-fb4a-46b7-83e7-b9d5765f0701 Correlation ID: 4f2a5d16-df24-45ff-a33f-4cf3818232ef Timestamp: 2024-08-15 16:55:08Z

  2. After accepting the permissions, the popup closes
  3. Forbidden error shows up in the setup UI

jermy-c commented 2 weeks ago

School Account

I was able to log in to my school account, which is on a custom domain and a different tenant.

  1. IMAP/SMTP works
  2. EWS works
  3. OWA works