Open benbucksch opened 1 month ago
OAuth2 works for personal account after:

- Application (client) ID as the clientID
- `offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send` as the scope (`https://outlook.office.com/.default` gives a scope error)
- `https://login.microsoftonline.com/common/oauth2/nativeclient` as the redirect URI (localhost doesn't work)

But EAS and EWS aren't working yet. Nor is work account working. But the error states it's because of a config by the admin of the tenant.
> Nor is work account working. But the error states it's because of a config by the admin of the tenant.
Yes, in the beonex.onmicrosoft.com tenant, we had a funny domain config for testing purposes.
> EAS and EWS aren't working yet

Test EWS with these values and the client ID that master had before your change:

```
const kAuthScope = "offline_access EWS.AccessAsUser.All";
const kAuthDone = "https://login.microsoftonline.com/common/oauth2/nativeclient";
const kAuthPage = "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize";
const kTokenURL = "https://login.microsoftonline.com/organizations/oauth2/v2.0/token";
const kLogoutURL = "https://login.microsoftonline.com/organizations/oauth2/logout";
```

Also try:

```
const kAuthPage = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
const kTokenURL = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
const kLogoutURL = "https://login.microsoftonline.com/common/oauth2/logout";
```
> Test EWS with these values and the client ID that master had before your change:
Yes, both work.
The scope `offline_access EWS.AccessAsUser.All` works even with the new clientID. The scope seems to be the issue for EWS.
That's great! Can you please also try after adding EAS.AccessAsUser.All (note: EAS) for ActiveSync, whether login with EWS still works?
Yes, it works in the login. With EWS and EAS together in the scope.
Note: IMAP, POP and SMTP need to be prefixed with `https://outlook.office.com/` or you'll get the following error:

```
The provided value for the input parameter 'scope' is not valid. One or more scopes in 'offline_access IMAP.AccessAsUser.All POP.AccessAsUser.All SMTP.Send EWS.AccessAsUser.All EAS.AccessAsUser.All' are not compatible with each other. Trace ID: fbb798eb-9515-4f6f-a4dc-01b7946e4000 Correlation ID: a3705ccf-c494-4a55-8952-62688580ed4c Timestamp: 2024-08-14 19:47:52Z
```
@jermy-c Which account types did you test?
Which protocols did you test?
Which combinations work with this change?
(beonex.onmicrosoft.com with IMAP/SMTP is known to not work, due to tenant/domain-specific settings. Not related to code.)
> Note: IMAP, POP and SMTP need to be prefixed with https://outlook.office.com/
Yes, that matches Thunderbird: https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.sys.mjs#20
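To make the scope rule from this thread concrete, here is an added example (not code from the Mustang project or from anyone in the thread) that builds the Microsoft OAuth2 scope string with the `https://outlook.office.com/` prefix on IMAP/POP/SMTP, leaves EWS/EAS bare, and pre-checks for the "not compatible" scope error shown above. Function and constant names are hypothetical; the scope names, the prefix and the endpoint URLs are the ones discussed in the thread.

```typescript
// Added example (not code from the Mustang project or the thread): builds the
// Microsoft OAuth2 scope string the way the discussion above found it must be
// shaped. Function and constant names are hypothetical; the scope names, the
// https://outlook.office.com/ prefix and the endpoint URLs are from the thread.
const kOutlookResource = "https://outlook.office.com/";

// Protocol -> scope. IMAP/POP/SMTP are resources of outlook.office.com and need
// the prefix; EWS and EAS worked bare in the thread.
const kProtocolScopes: Record<string, { scope: string; prefixed: boolean }> = {
  imap: { scope: "IMAP.AccessAsUser.All", prefixed: true },
  pop:  { scope: "POP.AccessAsUser.All",  prefixed: true },
  smtp: { scope: "SMTP.Send",             prefixed: true },
  ews:  { scope: "EWS.AccessAsUser.All",  prefixed: false },
  eas:  { scope: "EAS.AccessAsUser.All",  prefixed: false },
};

// Space-separated scope parameter for the given protocols. offline_access is
// always requested so that a refresh token is issued.
function buildScope(protocols: string[]): string {
  const parts = ["offline_access"];
  for (const p of protocols) {
    const entry = kProtocolScopes[p.toLowerCase()];
    if (!entry) throw new Error(`unknown protocol: ${p}`);
    parts.push(entry.prefixed ? kOutlookResource + entry.scope : entry.scope);
  }
  return parts.join(" ");
}

// Pre-flight check for the AADSTS "scopes are not compatible" error from the
// thread: returns the IMAP/POP/SMTP scopes that appear without their prefix.
function findUnprefixedOutlookScopes(scope: string): string[] {
  const needsPrefix = Object.keys(kProtocolScopes)
    .filter(k => kProtocolScopes[k].prefixed).map(k => kProtocolScopes[k].scope);
  return scope.split(/\s+/).filter(s => needsPrefix.indexOf(s) !== -1);
}

// v2.0 endpoints for a tenant selector ("common" and "organizations" were both
// tried in the thread); the nativeclient redirect is the one that worked.
function endpoints(tenant: "common" | "organizations") {
  const base = `https://login.microsoftonline.com/${tenant}/oauth2`;
  return {
    authorize: `${base}/v2.0/authorize`,
    token: `${base}/v2.0/token`,
    logout: `${base}/logout`,
    redirect: "https://login.microsoftonline.com/common/oauth2/nativeclient",
  };
}
```

Running `findUnprefixedOutlookScopes` on the scope string from the error message above returns the three unprefixed Outlook scopes, while the string produced by `buildScope` for all five protocols passes the check.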
> Which account types did you test?
I tested:
> Which protocols did you test?
I tested:
> Which combinations work with this change?

**EWS Personal Account Login**

```
Error: The user account {EUII Hidden} does not exist in the outlook.com directory. To sign into this application, the account must be added to the directory. Trace ID: b8a24539-fb4a-46b7-83e7-b9d5765f0701 Correlation ID: 4f2a5d16-df24-45ff-a33f-4cf3818232ef Timestamp: 2024-08-15 16:55:08Z
```

A `Forbidden` error shows up in the setup UI.

**School Account**

I was able to login to my school account which is on a custom domain and a different tenant.
So, Microsoft finally approved us as Verified Publisher and vetted Partner. After 2-3 months, almost 100 emails, and weeks of work, simply trying to register. Eventually, Microsoft was simply unable to read documents, and also unable to communicate in any way what's going on. But with that over...
I have created an App Registration for OAuth2, added the IMAP, POP3 and SMTP scopes (it does not allow me to add the EWS and EAS scopes :sob: ), and created a Client ID and secret.
I've added the Client ID and secret in OAuth2URL.ts for Outlook and Office365. I needed to re-login for the EWS account, which I had already configured in Mustang - the re-login is expected. However, after successful login, I get an error:

```
Cannot login
AADSTS700016: Application with identifier '5720dabf-3065-4076-abc3-7479ad24ec9f' was not found in the directory 'B'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
```
("B" tenant is our test domain beonex.onmicrosoft.com, IIRC, so that refers to the domain of the end user that tries to log in.)
We need to have a client ID which can log in with any domain (unless the domain admin explicitly disabled it).