microsoft authflow

[dkwo]

it seems thunderbird recently removed their client_secret for microsoft, and switched to another method. at least, I'm unable to get a new token using their older client_id and secret within mutt/oauth2.py (this was triggered for me by a password change. it may have been broken for a while.)

I understand this question is not specific to mailctl/oama, but does anyone know a working way to get a token for microsoft accounts, in case the user cannot register an app themselves, like with universities or corporations?

in other words, how do you satisfy the requirement 'You need to provide your own client_id and client_secret of your application or of a suitable FOSS registered application.' for this specific case?

I'm out of ideas. Thanks.

edit: thunderbird ref https://bugzilla.mozilla.org/show_bug.cgi?id=1685414

[mcrosson]

I had to do the following to get things mostly working with o365. Formatted as a rough list from my notes before I gave up on using oama for the time being. I ended up using the mutt_oauth.py script with gpg and my ids/secrets set to get a valid xoauth2 token for use with offlineimap.

• My current blocker: microsoft now requires https as the redirect url in the app config on their side and that url has to match anything done on the oama side. From what I can sort oama doesn't do ssl on the embededed web server which is a problem and seems to block oama from working with current o365 requirements.
• CORS headers can be an issue too, see https://github.com/pdobsan/oama/issues/31#issuecomment-1857384717 for details
• I managed to figure out how to create an app+credential that 'works' but I own my o365 account and have full admin rights. My approach may not work for 'crossing tenants'.
• new app creation via o365 admin portal
  • admin centers -> all admin centers
  • microsoft entra
  • identity -> applications -> enterprise applications
  • new application
  • pick the non-gallery option and give it a name
  • overview has app id which maps to the client_id in oama config
  • properties -> assignment required & visible to users set to 'No'
  • properties -> find 'additional properties' note and click 'application registration link'
  • authentication -> supported account types set to multi tenant
  • authentication -> add platform, pick web, enter redirect uri (requires https, this is a blocker with oama)
  • certificates & secrets -> new client secret (use 24 months, thats the limit ms imposes)
  • api permissions -> add -> microsoft graph -> delegated permissions
    • open id perms (all)
    • IMAP.AccessAsUser.All
    • others as appropriate for use case

[dkwo]

@mcrosson Thanks. Unfortunately, I don't think I have admin access in my organization. What worked for me, was to use the new thunderbird client_id with an empty secret in mutt/oauth2.py script.

[Notmarrco]

thank you @dkwo , it works indeed with thunderbird client_id and mutt_oauth2.py.

I haven't tried but gnome evolution also has a public client_id that can be used: https://gitlab.gnome.org/GNOME/evolution/-/wikis/EWS-OAuth2

@pdobsan I would like to use oama instead of mutt_oauth2.py, so that I can have all my conf and secrets managed by a single tool. IIUC using an already existing client_id stops us from using a "localhost" redirect_uri, since thunderbird or evolution were not configured to do that. (and I don't know of any "open source" client_id having a localhost redirect_uri)

Could it be possible to add at least "devicecode" authentication method in oama please ? it needs user action in copying-pasting the code in the browser, so it's less "automatic" than oama's actual workflow, but it could allow us to use thunderbird client_id in oama, since microsoft client creation is so cumbersome. thanks anyway for the software !