nextcloud / mail

💌 Mail app for Nextcloud
https://apps.nextcloud.com/apps/mail
GNU Affero General Public License v3.0

Nextcloud Mail App: Issues with Microsoft 365 OAuth Configuration and Account Linking #9159

Open XaFaK-01 opened 11 months ago

XaFaK-01 commented 11 months ago

Steps to reproduce

  1. Have configured the MS OAuth client ID and secret in the admin settings as per [these instructions](https://docs.nextcloud.com/server/latest/admin_manual/groupware/mail.html#xoauth2-authentication-with-microsoft-azure-ad).
  2. After that, when adding a new Microsoft 365 account in the Mail app, once Name, Mail Address, and Password have been filled in, it shows the message: "Account created. Please follow the pop-up instructions to link your Google account.", even though it's not a Google account. Anyway, when the pop-up appears, the button first says "Awaiting User Consent", then the status shows as "Authorization pop-up closed". Signing in and filling in all the info in the Microsoft 365 pop-up completes, but nothing happens in terms of logging in, even though the pop-up says "Account connected" and "You can close this window".

Expected behavior

I should be able to log in to my Microsoft 365 Account.

Actual behavior

It shows the message: "Account created. Please follow the pop-up instructions to link your Google account.", even though it's not a Google account. Anyway, when the pop-up appears, it shows the status as "Authorization pop-up closed". Signing in and filling in all the info in the Microsoft 365 pop-up completes, but nothing happens in terms of logging in, even though the pop-up says "Account connected" and "You can close this window".

Mail app version

3.4.6

Mailserver or service

Microsoft 365

Operating system

Ubuntu 22.04.3 LTS

PHP engine version

PHP 8.2

Web server

None

Database

PostgreSQL

Additional info

Here's the latest log for the mail app from the logging section:

```text
[mail] Warning: OCA\Mail\Exception\ClientException: Account 66 does not exist or you don\'t have permission to access it at <>

  1. /var/www/html/custom_apps/mail/lib/Controller/MicrosoftIntegrationController.php line 138 OCA\Mail\Service\AccountService->find("john", 66)
  2. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 230 OCA\Mail\Controller\MicrosoftIntegrationController->oauthRedirect("0.AVAA32RN4P49b ... 4", "66", "825012c9-4b24-40ad-a899-0caa9f968768", null)
  3. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 137 OC\AppFramework\Http\Dispatcher->executeController(["OCA\Mail\Con ... "], "oauthRedirect")
  4. /var/www/html/lib/private/AppFramework/App.php line 183 OC\AppFramework\Http\Dispatcher->dispatch(["OCA\Mail\Con ... "], "oauthRedirect")
  5. /var/www/html/lib/private/Route/Router.php line 315 OC\AppFramework\App::main("OCA\Mail\Cont ... r", "oauthRedirect", ["OC\AppFramewo ... "], ["mail.microsoft ... "])
  6. /var/www/html/lib/base.php line 1068 OC\Route\Router->match("/apps/mail/integration/microsoft-auth")
  7. /var/www/html/index.php line 36 OC::handleRequest()

GET /apps/mail/integration/microsoft-auth?code=0.AVAA32RN4P49bEWWuNNnvfEjfFnWwAtrFrZPvWyvpd9BsaBQAIg.AgABAAIAAAAmoFfGtYxvRrNriQdPKIZ-AgDs_wUA9P-bRuZenv9c2obZiTgYhjkDY7fxW08xvLmOF9fpaKKNCuepmCre0mqsBNp5kPZeZwh4qNB5HRtro0ErjzwAljV2KrFnELaEmrJE_xoLIQGI0TgbV-BTg8S7KzI3rbIStM0D61orit0xS1-tE5k5FzS0GehTsfjfi1pEuMZMZSTjGM9ErkXXIBt6pJfXjXQ6-9qeVcDU5jhsm1epC_5mwUrcT3CPlUs3-OODRTKbvQW9idHGztxlml3nlNAjPPhpif-h66y4paBYCaQeZSRrWOKeEvm0KkHtpq6WQBHhLkm5XYueEJM-vAmFvo13xHdomCTB3WvSTu6cAy8X_1BzJbw7Zy0GxzBBH0MQ2yTDQXyfMcDZ3Vqz8A5DpDBRtcmnTYZvJ06YxS6HljlZaAyF517BrXaOtHbSleAAATZc9Vr_B_dug9yS1AistFJCxecukZZR3O7vofY-9r8w4qgWSvw1XhQ751Di8gE5Y24zuTq8J7JsXRMw7M1l68TaD58qoU5JJXCCdD13VAGezCuRQsVWGQrlZqH9mp379o23iuXYHFJb3xrfbLImlRBdx7M3GILFt2M3yrXoOM61dBIcmWt3_fwP6gImrZP7UrNcxJftUZi3jjYZymxGHiFt2jOcKRY3OUaDckOTjT9lQfFivniO-rhPSh4Iy8jz1Z_yCcMduSR-lqr3ZhD65xzo4RUMbNeqjm4BtcC9zIOyiJ7InzPQBF9Qo6vBacnzQcr2fGkYDmsQTLW5jBGXrz5-PujDjmhnTezwd4SQIM9zS-9p-7bU-zyDxoMRKzMgOT6vLTHzu6Oh6jMRKLQOnkKEXp5sutNmGNFcsiGpmTd2GoFnLCLic-RBMPWZjf9BME2R2_pRhxcsuIqEHVo2aXlCMuXMk3CZ6YlaYIG0NUicSwuP9yVvnMIBfS2Vv_WDYtMHTbU3PpKUDbaFIUdm8-WncAFYkysHYHg76qNIYLdQK1AewezD2s4OIgBc34g169zt8S6jJf_CezkP9u79NKM_OrEtAzG5ZxWibMgsYxGEDXeIvPmIPlkFAV_u4&state=66&session_state=825012c9-4b24-40ad-a899-0caa9f968768 from xx.xx.xxx.xx by john at 2023-12-11T21:29:12+00:00
```

ChristophWurst commented 11 months ago

> "Authorization pop-up closed"

The main window waits for the popup window to either send a message when everything's done or when the popup closes. If the popup stays open and the main window sees the window closed, the browser might propagate incorrect state.

What browser did you use?

XaFaK-01 commented 11 months ago

> "Authorization pop-up closed"
>
> The main window waits for the popup window to either send a message when everything's done or when the popup closes. If the popup stays open and the main window sees the window closed, the browser might propagate incorrect state.
>
> What browser did you use?

I tried using Google Chrome, Brave, and Firefox. Same issue in all three even though I allowed browser popups in all of them.

The fascinating part is, that I configured Google OAuth too, the popup that appears for Google Auth works perfectly fine and I can add Gmail accounts but doesn't as expected for Microsoft 365 Accounts.

ChristophWurst commented 11 months ago

Not sure why the Google popup works as expected when the Microsoft one doesn't. Security features on the page loaded?

The code handling this is at https://github.com/nextcloud/mail/blob/41ae3ec32933527210698381f422629ebc22f03e/src/integration/oauth.js#L35-L51.

XaFaK-01 commented 11 months ago

> Not sure why the Google popup works as expected when the Microsoft one doesn't. Security features on the page loaded?
>
> The code handling this is at https://github.com/nextcloud/mail/blob/41ae3ec32933527210698381f422629ebc22f03e/src/integration/oauth.js#L35-L51.

Here are the logs from the browser as soon as the popup appears for Microsoft 365 Account from GoDaddy:

```text
[INFO] mail: Temporary account 81 deleted
{
    "app": "mail",
    "uid": "john",
    "level": "2"
}

[ERROR] mail: could not save account details mail.js?v=ffbb5eef-24:sourcemap:2
{
    "app": "mail",
    "uid": "john",
    "level": "2",
    "error": Error: OAUTH_CONSENT_ABORTED at https://link_to_my_nextcloud_server/custom_apps/mail/js/mail.744.1a29bc54e16f479faf85.js:2:30442
```

And Security tab in the browser's "Developer Tools" says: "This page is secure (valid HTTPS)."

XaFaK-01 commented 11 months ago

@ChristophWurst can you kindly guide me in terms of what can be done to fix it?

bay-kah commented 7 months ago

What may assist here is that the Office 365 account (in my case) has been provided through a third party, GoDaddy, potentially adding another layer to the process that the code cannot handle.

(image) Even though it's using O365, the prompt says "Google".
(image) Then once the sign-in window appears for the GoDaddy window we get this.
(image)

Logs say:

```text
OCA\Mail\Exception\ClientException: Account 20 does not exist or you don\'t have permission to access it

/var/snap/nextcloud/41512/nextcloud/extra-apps/mail/lib/Controller/MicrosoftIntegrationController.php - line 136: OCA\Mail\Service\AccountService->find()
/snap/nextcloud/41512/htdocs/lib/private/AppFramework/Http/Dispatcher.php - line 230: OCA\Mail\Controller\MicrosoftIntegrationController->oauthRedirect()
/snap/nextcloud/41512/htdocs/lib/private/AppFramework/Http/Dispatcher.php - line 137: OC\AppFramework\Http\Dispatcher->executeController()
/snap/nextcloud/41512/htdocs/lib/private/AppFramework/App.php - line 183: OC\AppFramework\Http\Dispatcher->dispatch()
/snap/nextcloud/41512/htdocs/lib/private/Route/Router.php - line 315: OC\AppFramework\App::main()
/snap/nextcloud/41512/htdocs/lib/base.php - line 1068: OC\Route\Router->match()
/snap/nextcloud/41512/htdocs/index.php - line 38: OC::handleRequest()
```

I realize this is the snap version and that may introduce its own gremlins, but it seems to be the same issue. Maybe this will help?

bay-kah commented 5 months ago

Would it be any kind of a risk to omit or extend the windowClosedTimer?
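
Added example, not code from nextcloud/mail and not the `oauth.js` linked above. It models the opener side of the handshake ChristophWurst describes (the main window waits for either a message from the popup or for the popup to close) and the ordering the quoted logs are consistent with: the browser reports the popup as closed first, the opener aborts with `OAUTH_CONSENT_ABORTED` and the temporary account is deleted, and only then does the server-side callback arrive and fail with "Account 66 does not exist". The approach shown for bay-kah's question is a bounded grace window rather than removing the closed check: a close starts a short countdown during which a late message still wins, so a user who really closed the popup is not stuck until the hard timeout. It also does the two checks a practitioner would want on any `postMessage` handoff: the message origin must be the Nextcloud origin and it must carry the `state` the opener issued. All names (`ConsentWatcher`, `runScenario`, the message shape, the origin and timings) are assumptions, and the timelines are constructed, not captured from a browser.

```javascript
const CONSENT_ABORTED = 'OAUTH_CONSENT_ABORTED'
const CONSENT_TIMEOUT = 'OAUTH_CONSENT_TIMEOUT'

// Deterministic state machine for one consent popup. Timing is injected
// (`now` in ms) so the same logic can be replayed against a fixed timeline.
class ConsentWatcher {
  // origin:        origin the popup's callback page is served from (assumed)
  // expectedState: the OAuth `state` the opener sent; the thread's logs use the account id
  // graceMs:       how long a popup that looks closed may still deliver its message
  // timeoutMs:     hard upper bound on the whole consent flow
  constructor({ origin, expectedState, graceMs = 2000, timeoutMs = 5 * 60 * 1000 }) {
    this.origin = origin
    this.expectedState = expectedState
    this.graceMs = graceMs
    this.timeoutMs = timeoutMs
    this.startedAt = null
    this.closedAt = null
    this.result = null // { ok: true, code, settledAt } or { ok: false, error, settledAt }
  }

  start(now) {
    this.startedAt = now
    return this
  }

  // `message` event from the popup. Only a message from the expected origin that
  // carries the state we issued can settle the flow; anything else (other tabs,
  // other OAuth flows, a spoofed window) is ignored rather than treated as a result.
  receive({ origin, data }, now) {
    if (this.result) return this.result
    if (origin !== this.origin || !data || data.state !== this.expectedState) return null
    this.result = data.error
      ? { ok: false, error: String(data.error), settledAt: now }
      : { ok: true, code: String(data.code), settledAt: now }
    return this.result
  }

  // Poll tick with the popup's current `closed` flag. A close is not an abort by
  // itself; it opens a grace window in which a late message still wins. Only when
  // the window expires without a message is the flow aborted.
  poll(closed, now) {
    if (this.result) return this.result
    if (now - this.startedAt >= this.timeoutMs) {
      this.result = { ok: false, error: CONSENT_TIMEOUT, settledAt: now }
      return this.result
    }
    if (!closed) return null
    if (this.closedAt === null) this.closedAt = now
    if (now - this.closedAt >= this.graceMs) {
      this.result = { ok: false, error: CONSENT_ABORTED, settledAt: now }
    }
    return this.result
  }
}

// Replays a constructed timeline against a watcher and returns the settled result.
// Events: { t, type: 'poll', closed } or { t, type: 'message', origin, data }.
function runScenario(events, opts) {
  const watcher = new ConsentWatcher(opts).start(0)
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    const r = ev.type === 'poll'
      ? watcher.poll(ev.closed, ev.t)
      : watcher.receive({ origin: ev.origin, data: ev.data }, ev.t)
    if (r) return r
  }
  return watcher.result
}

// Constructed timeline matching the thread's symptom: the popup is reported
// closed before its callback page posts the message back to the opener.
const ORIGIN = 'https://cloud.example.test' // assumed Nextcloud origin
const STATE = '66'                           // account id, as in the quoted GET ...&state=66
const closedBeforeCallback = [
  { t: 200, type: 'poll', closed: false },
  { t: 400, type: 'poll', closed: true },    // browser already reports the popup closed
  { t: 600, type: 'poll', closed: true },
  { t: 900, type: 'message', origin: ORIGIN, data: { state: STATE, code: 'authcode-redacted' } },
  { t: 3000, type: 'poll', closed: true },
]

// Abort on the first "closed" tick: the message at t=900 never gets a chance.
function abortOnFirstClosedTick() {
  return runScenario(closedBeforeCallback, { origin: ORIGIN, expectedState: STATE, graceMs: 0 })
}

// Same timeline with a 2 s grace window: the late message settles the flow.
function abortAfterGrace() {
  return runScenario(closedBeforeCallback, { origin: ORIGIN, expectedState: STATE, graceMs: 2000 })
}

console.log('grace 0 ms :', abortOnFirstClosedTick())
console.log('grace 2 s  :', abortAfterGrace())
```

In a browser, `poll` would be driven from a `setInterval` tick reading `popup.closed` and `receive` from a `message` listener on the opener, with the abort branch being the place where any temporary server-side account gets cleaned up; the grace window is what keeps that cleanup from racing the callback request that is still in flight. The origin and state checks cost nothing and stop a stray or hostile window from settling someone else's flow.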