openai / openai-cookbook

Examples and guides for using the OpenAI API
https://cookbook.openai.com
MIT License

[FEATURE] Restrict OAuth to hardcoded addresses (Outlook cookbook) #1402

Open ericvincentLU opened 2 months ago

ericvincentLU commented 2 months ago

Feature Request: Restrict OAuth Authentication to Department Mailbox

Description:

Our team is encountering an issue when attempting to access a department mailbox (e.g., IT or HR) using Microsoft Graph API with OpenAI Actions GPT integration outlook cookbook example. Initially, this use-case is functional. However, after a day or so, we’re encountering a problem when attempting to read the messages from this account using the custom GPT. The GPT decides to use credentials from our personal accounts instead of the department credentials for the mailbox configured in the custom GPT.

We have configured the necessary Azure application and permissions to access the department's mailbox, but the following error is returned:

{
  "error": {
    "code": "MailboxNotEnabledForRESTAPI",
    "message": "The mailbox is either inactive, soft-deleted, or is hosted on-premise."
  }
}

GPT message : """

It appears my configuration is currently linked personal@example.com. To read emails from department@example.com, the mailbox connection would need to be updated to that specific account. Please ensure I am connected to the right mailbox or adjust any necessary settings on your end for access.

Let me know if you'd like further assistance!

"""

Even after signing out and asking to re-authenticate, this issue persists.

Furthermore, when asking for the full API request, the GPT indicates that it is trying to read from the user's personal mailbox instead of the department's mailbox.

Steps to Reproduce:

  1. Configure an Azure application to access a shared department mailbox (e.g., IT or HR) using OAuth authentication, specifically the Outlook cookbook example.

  2. Attempt to retrieve unread emails via the /me/messages endpoint using Microsoft Graph API. This should be successful. After a day or so, the custom GPT will most likely try to authenticate using your personal account instead of the configured department account/email address.

The API returns the error mentioned above.

Expected Behavior:

The shared department mailbox should be accessible, allowing our team to retrieve emails on behalf of that mailbox without needing to authenticate with personal accounts, even after multiple days of inactivity.

Actual Behavior:

The API responds with an error that indicates the mailbox is inactive, on-prem or not supported by the API.

Context:

Our goal is to automate the management of a shared department mailbox (such as IT or HR) rather than using personal accounts. While we have successfully set up permissions for the department mailbox, the system currently seems to authenticate only with personal accounts days after creating the GPT with Actions, which is not the intended use case.

We prefer to restrict OAuth authentication specifically to the department account, rather than relying on personal credentials or account flexibility. The department mailbox is active and accessible via Outlook and correctly configured in the custom GPT with Actions, but the API throws this error, suggesting a mismatch in configuration.

Proposed Solution:

We would appreciate guidance on how to ensure that the Graph API exclusively authenticates with the department account and bypasses personal account authentication.

kwhinnery-openai commented 2 months ago

Hi there! Thanks for the great idea on how to extend this cookbook for this use case. Unfortunately, I'm not sure this extension to the content is something the OpenAI team can prioritize in the immediate future. That said, I'll leave the issue open in case someone from the community is interested in making a contribution around this.

ericvincentLU commented 1 month ago

> Hi there! Thanks for the great idea on how to extend this cookbook for this use case. Unfortunately, I'm not sure this extension to the content is something the OpenAI team can prioritize in the immediate future. That said, I'll leave the issue open in case someone from the community is interested in making a contribution around this.

Thanks for the quick reply @kwhinnery-openai !
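An added example, not code from the cookbook or from anyone in this thread: one way to pin requests to a hardcoded mailbox, assuming a small proxy of your own sits between the GPT Action and Microsoft Graph. In Graph, `/me` always resolves to whichever account the OAuth token was issued to, so the guard compares the `GET /me` profile against an allowlist and addresses the mailbox explicitly. The function names, the allowlist and the sample profiles are constructed for illustration.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
# Hardcoded allowlist (assumption: the department address used in the issue).
ALLOWED_MAILBOXES = {"department@example.com"}


class WrongIdentity(Exception):
    """The OAuth token belongs to an account that is not on the allowlist."""


def signed_in_address(me_profile):
    """Normalized address of the token's account, taken from a GET /me response."""
    addr = me_profile.get("mail") or me_profile.get("userPrincipalName") or ""
    return addr.strip().lower()


def unread_messages_url(me_profile):
    """Return the Graph URL for unread mail, or refuse before Graph is called.

    The mailbox is named in the path instead of using /me/messages, so a token
    for a different account can never silently read a different mailbox.
    """
    addr = signed_in_address(me_profile)
    if addr not in ALLOWED_MAILBOXES:
        raise WrongIdentity(
            f"token is for {addr or 'an unknown account'}; "
            f"allowed: {sorted(ALLOWED_MAILBOXES)}"
        )
    return f"{GRAPH}/users/{quote(addr, safe='@')}/messages?$filter=isRead%20eq%20false"


# Constructed sample /me responses (not captured from a real tenant).
DEPARTMENT_PROFILE = {"mail": None, "userPrincipalName": "Department@Example.com"}
PERSONAL_PROFILE = {"mail": "personal@example.com",
                    "userPrincipalName": "personal@example.com"}

if __name__ == "__main__":
    print(unread_messages_url(DEPARTMENT_PROFILE))
    try:
        unread_messages_url(PERSONAL_PROFILE)
    except WrongIdentity as exc:
        print("rejected:", exc)
```

Rejecting the request at the proxy turns a silent account switch into an explicit re-authentication prompt for the expected mailbox.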