simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0
797 stars 86 forks

AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access #181

Closed brianjmurrell closed 1 year ago

brianjmurrell commented 1 year ago

When I try to authorize the proxy I get the following error:

python3[1644933]: Email OAuth 2.0 Proxy: Caught exception while requesting OAuth 2.0 credentials for [redacted]: {'error': 'invalid_grant', 'error_description': 'AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2023-06-02T14:27:05.8405153Z and the maximum allowed lifetime for this request is 86400.\r\nTrace ID: [redacted]\r\nCorrelation ID: [redacted]\r\nTimestamp: 2023-07-06 13:35:42Z', 'error_codes': [70043], 'timestamp': '2023-07-06 13:35:42Z', 'trace_id': '[redacted]', 'correlation_id': '[redacted]', 'suberror': 'token_expired'}

What I find odd however is that I thought the refresh token was stored in the file pointed to by the --cache-store argument when starting the proxy. My proxy has the arguments: --cache-store /home/brian/.config/ac.robinson.email-oauth2-proxy/config --debug and /home/brian/.config/ac.robinson.email-oauth2-proxy/config doesn't even exist so where would a stale refresh token be coming from?

simonrob commented 1 year ago

That's an error I haven't seen before. Is this an account that you have previously authorised successfully? The reason I ask is that the proxy doesn't cache anything until authorisation is successful, so if this is the first use then the file may not yet exist.

If that is not the case, the only other place the token could be is the main proxy config file (i.e., the default behaviour). If this is happening then there's likely a bug – the proxy is intended to fail to save and print an error, rather than falling back to the main config file. Is there any more information you can share?
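The caching behaviour described in the comment above (persist a refresh token only after a successful authorisation, write it to the dedicated cache store rather than falling back to the main config, and fail loudly when that store cannot be written) is shown below as an added example. It is not email-oauth2-proxy's own code; the `TokenCache` class, the `handle_refresh` helper, the account name and the two sample token-endpoint responses are all constructed for illustration, with the error case modelled on the AADSTS70043 body quoted in the issue.

```python
"""
Added example (hypothetical, not the proxy's own implementation): a minimal
refresh-token cache that only persists after success, never falls back to a
different file, and treats an invalid_grant / token_expired response as
"discard the cached token and re-authorise" rather than as something to retry.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample data; the error body mirrors the shape quoted in the issue.
ACCOUNT = "user@example.com"
SUCCESS_RESPONSE = {"access_token": "<constructed>", "refresh_token": "rt-constructed-1"}
EXPIRED_RESPONSE = {
    "error": "invalid_grant",
    "error_description": "AADSTS70043: The refresh token has expired or is invalid "
                         "due to sign-in frequency checks by conditional access.",
    "error_codes": [70043],
    "suberror": "token_expired",
}


class CacheWriteError(RuntimeError):
    """Raised when the cache store cannot be written. Callers must not fall back elsewhere."""


class TokenCache:
    def __init__(self, cache_path):
        self.cache_path = Path(cache_path)

    def load(self):
        # A missing file simply means nothing has been authorised successfully yet.
        if not self.cache_path.exists():
            return {}
        return json.loads(self.cache_path.read_text())

    def save(self, account, refresh_token):
        data = self.load()
        data[account] = {"refresh_token": refresh_token}
        try:
            tmp = self.cache_path.with_suffix(".tmp")
            tmp.write_text(json.dumps(data))
            tmp.chmod(stat.S_IRUSR | stat.S_IWUSR)  # secrets: owner read/write only
            os.replace(tmp, self.cache_path)  # atomic swap into place
        except OSError as exc:
            # Surface the failure instead of silently writing somewhere else.
            raise CacheWriteError(f"cannot write {self.cache_path}: {exc}") from exc

    def forget(self, account):
        data = self.load()
        if account in data:
            del data[account]
            self.cache_path.write_text(json.dumps(data))


def classify_token_response(response):
    """Map a token-endpoint JSON body to an action.

    invalid_grant (for example AADSTS70043, where conditional access has capped
    the refresh token's lifetime) means the stored token is dead: drop it and
    run the interactive authorisation flow again.
    """
    if "refresh_token" in response:
        return "store"
    if response.get("error") == "invalid_grant":
        return "reauthorise"
    return "fail"


def handle_refresh(cache, account, response):
    action = classify_token_response(response)
    if action == "store":
        cache.save(account, response["refresh_token"])  # only ever after success
    elif action == "reauthorise":
        cache.forget(account)  # a stale token must not be retried
    return action


def demo():
    """Exercise the three cases in a throwaway directory and report the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cache = TokenCache(Path(d) / "cache.json")
        results["empty"] = cache.load()
        results["store"] = handle_refresh(cache, ACCOUNT, SUCCESS_RESPONSE)
        results["stored_token"] = cache.load()[ACCOUNT]["refresh_token"]
        results["expired"] = handle_refresh(cache, ACCOUNT, EXPIRED_RESPONSE)
        results["after_expiry"] = cache.load()
        unwritable = TokenCache(Path(d) / "no-such-dir" / "cache.json")
        try:
            unwritable.save(ACCOUNT, "rt-constructed-2")
            results["unwritable"] = "saved"
        except CacheWriteError:
            results["unwritable"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the last case is the one raised in the comment: when the cache path is unusable the save is refused with an error, so a refresh token can never quietly end up in a file the operator did not point the proxy at. The `forget` step is why a token rejected with AADSTS70043 should not resurface: once conditional access has declared it expired, keeping it in the store (or in memory) only produces the same error on every subsequent attempt.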

simonrob commented 1 year ago

I'm going to assume that this was resolved, and will close the issue given that I can't replicate this. However, please feel free to reopen if that's not the case.

brianjmurrell commented 1 year ago

Yes, I had previously successfully authorized this account. But I did, in the efforts of debugging this issue, rename the existing /home/brian/.config/ac.robinson.email-oauth2-proxy/config{,.old}.

But this issue does continue to persist and I don't seem to have any option to re-open this issue, so if you could, please do.

simonrob commented 1 year ago

If you didn't restart the proxy after renaming the config file then it may still have the stale token in memory. I'm happy to leave this open for a while if you can help narrow down the cause a bit more. I still am not able to replicate it myself, though. It's worth taking a look at the conditional access documentation too just to make sure there isn't an Azure AD issue.

simonrob commented 1 year ago

Were you able to find out any more about why this might be happening?

brianjmurrell commented 1 year ago

Not really. I suspect this was just more of the corporate VPN/proxy/source-ip restriction palaver.

I'll close until it happens again with no remedy.