simonrob / email-oauth2-proxy

An IMAP/POP/SMTP proxy that transparently adds OAuth 2.0 authentication for email clients that don't support this method.
Apache License 2.0
863 stars, 96 forks

Issue with Email OAuth 2.0 Proxy - Authentication Failure with O365 (CCG Flow) #288

Closed: NecoInventtis closed this issue 1 month ago

NecoInventtis commented 1 month ago

Hi,

I'm trying to use email-oauth2-proxy to communicate with O365 using the client credentials flow (CCG), but I'm encountering an authentication failure. Below is a summary of my setup:

Configuration: Here is my emailproxy.config file (anonymized):

[IMAP-8993]
server_address = outlook.office365.com
server_port = 993
local_address = my_public_ipv4

[SMTP-8587]
server_address = smtp-mail.outlook.com
server_port = 587
server_starttls = True
local_address = my_public_ipv4

[emailteste@xyz.com] 
documentation = *** O365 advanced account example ***
token_url = https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/.default
oauth2_flow = client_credentials
redirect_uri = http://localhost
client_id = $CLIENT_ID
client_secret = $CLIENT_SECRET

[emailproxy]
delete_account_token_on_password_error = True
use_login_password_as_client_credentials_secret = True
encrypt_client_secret_on_first_use = False
allow_catch_all_accounts = False

Note: The real config file contains the actual values for TENANT_ID, CLIENT_ID, and CLIENT_SECRET. These variables are just placeholders here.

Log Output:

2024-09-30 03:26:40: Initialising Email OAuth 2.0 Proxy (version 2024-09-24) in debug mode from config file /full-path/email-oauth2-proxy/emailproxy.config 
2024-09-30 03:26:40: Starting IMAP server at my_public_ipv4:8993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS) 
2024-09-30 03:26:40: Starting SMTP server at my_public_ipv4:8587 (unsecured) proxying smtp-mail.outlook.com:587 (STARTTLS)
2024-09-30 03:26:40: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin

2024-09-30 03:26:43: New incoming connection to IMAP server at my_public_ipv4:8993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-09-30 03:26:43: Accepting new connection from client_email_ipv4:60712 to IMAP server at my_public_ipv4:8993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS) 
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) --> [ Client connected ] 
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) <-> [ Starting TLS handshake ]
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) <-> [ TLSv1.2 handshake complete ]
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [QwBQADYAUAAyADgANABDAEEAMAAwADMANgAuAEIAUgBBAFAAMgA4ADQALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [QwBQADYAUAAyADgANABDAEEAMAAwADMANgAuAEIAUgBBAFAAMgA4ADQALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) --> b'W1 CAPABILITY\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     --> b'W1 CAPABILITY\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     <-- b'W1 OK CAPABILITY completed.\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) <-- b'W1 OK CAPABILITY completed.\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) --> b'W2 ID NIL\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     --> b'W2 ID NIL\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     <-- b'* ID ("name" "Microsoft.Exchange.Imap4.Imap4Server" "version" "15.20")\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) <-- b'* ID ("name" "Microsoft.Exchange.Imap4.Imap4Server" "version" "15.20")\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     <-- b'W2 OK ID completed\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) <-- b'W2 OK ID completed\r\n'
2024-09-30 03:26:44: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) --> b'W3 login [[ Credentials removed from proxy log ]]\r\n'
2024-09-30 03:26:46: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     --> b'W3 AUTHENTICATE XOAUTH2 '
2024-09-30 03:26:46: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993)     --> b'[[ Credentials removed from proxy log ]]\r\n'
2024-09-30 03:26:47: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993; emailteste@xyz.com)     <-- b'W3 NO AUTHENTICATE failed.\r\n' 
2024-09-30 03:26:47: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993; emailteste@xyz.com) <-- b'W3 NO AUTHENTICATE failed.\r\n'
2024-09-30 03:26:47: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993) <-- [ Server disconnected ]
2024-09-30 03:26:47: IMAP (client_email_ipv4:60712-{my_public_ipv4:8993}-outlook.office365.com:993; emailteste@xyz.com) --> [ Client disconnected ]
^C2024-09-30 03:27:27: Stopping Email OAuth 2.0 Proxy
2024-09-30 03:27:27: Stopping IMAP server at my_public_ipv4:8993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2024-09-30 03:27:27: Stopping SMTP server at my_public_ipv4:8587 (unsecured) proxying smtp-mail.outlook.com:587 (STARTTLS)

Problem:

After connecting successfully to the O365 IMAP server, the authentication (AUTH XOAUTH2) fails with a NO AUTHENTICATE failed message, despite using correct client_id and client_secret.

I've double-checked my TENANT_ID, CLIENT_ID, and CLIENT_SECRET, and confirmed they are correct using a shell script to fetch the tokens. The same credentials work outside of the proxy when using OAuth2 with other tools.

Could you provide guidance on what might be causing the failure during the authentication process or suggest any additional steps for debugging?

Thanks in advance for your support!

Best regards, Neco

simonrob commented 1 month ago

The only thing that immediately stands out is that you've set use_login_password_as_client_credentials_secret = True but also provided a client_secret value. This will lead to this option being ignored, and the value you've provided in the configuration file will be used instead of the login password.

Typically when there are problems with a CCG flow setup there is an issue with the Azure / Entra configuration (for example, not granting permission for the required scopes, or missing admin approval, etc). So, just to be clear, when you say the credentials work outside of the proxy, do you mean they work with IMAP/SMTP when you authenticate manually? Or are you referring to other services?
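The two checks the maintainer's reply suggests, as an added example that is not part of the proxy's own code or of this thread: a config lint that flags the `use_login_password_as_client_credentials_secret = True` plus `client_secret` combination (in which case the configured secret wins and the login password is ignored), and a direct XOAUTH2 login to the IMAP server that bypasses the proxy, so that an `AUTHENTICATE failed` can be attributed to the Azure/Entra app registration rather than to the proxy. The option and section names are those of the config posted in the issue; the helper names, the embedded sample config and the `nonlocal responded` abort logic are this example's own assumptions.

```python
"""Pre-flight checks for a client-credentials (CCG) setup of email-oauth2-proxy.

Added example, not the proxy's code. Option names follow the issue's config;
helper names are this example's own.
"""
import configparser
import imaplib
import json
import urllib.parse
import urllib.request

# Constructed sample: the config posted in the issue, reduced to the parts that matter here.
SAMPLE_CONFIG = """
[IMAP-8993]
server_address = outlook.office365.com
server_port = 993
local_address = my_public_ipv4

[emailteste@xyz.com]
token_url = https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/.default
oauth2_flow = client_credentials
client_id = $CLIENT_ID
client_secret = $CLIENT_SECRET

[emailproxy]
use_login_password_as_client_credentials_secret = True
"""

SERVER_PREFIXES = ("IMAP-", "POP-", "SMTP-")  # server sections; everything else but [emailproxy] is an account


def check_ccg_config(text):
    """Return a list of warnings for client_credentials accounts in an emailproxy.config."""
    cfg = configparser.ConfigParser(interpolation=None)  # '$' placeholders must not be interpolated
    cfg.read_string(text)
    use_login_pw = cfg.getboolean("emailproxy", "use_login_password_as_client_credentials_secret",
                                  fallback=False)
    warnings = []
    for name in cfg.sections():
        if name == "emailproxy" or name.startswith(SERVER_PREFIXES):
            continue
        account = cfg[name]
        if account.get("oauth2_flow", "").strip().lower() != "client_credentials":
            continue
        for option in ("token_url", "oauth2_scope", "client_id"):
            if not account.get(option):
                warnings.append(f"{name}: {option} is not set")
        if use_login_pw and account.get("client_secret"):
            warnings.append(f"{name}: client_secret is set, so "
                            "use_login_password_as_client_credentials_secret is ignored and the "
                            "configured secret is used instead of the login password")
        elif not use_login_pw and not account.get("client_secret"):
            warnings.append(f"{name}: no client_secret and the login password is not used as one")
    return warnings


def xoauth2_initial_response(user, access_token):
    """Raw SASL XOAUTH2 client response; imaplib base64-encodes it on the wire."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def fetch_ccg_token(token_url, client_id, client_secret, scope):
    """POST a client_credentials grant to the token endpoint and return the access token (network call)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    request = urllib.request.Request(token_url, data=body, method="POST")
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)["access_token"]


def imap_xoauth2_check(host, user, access_token, port=993):
    """Authenticate straight to the IMAP server with XOAUTH2 (no proxy). True on success.

    Exchange Online may answer a rejected token with a second continuation carrying a
    base64 JSON error body; imaplib passes it to the callback decoded. Returning None
    aborts the exchange after that detail has been printed.
    """
    responded = False

    def authobject(challenge):
        nonlocal responded
        if responded:
            print("server error detail:", challenge.decode(errors="replace"))
            return None
        responded = True
        return xoauth2_initial_response(user, access_token)

    with imaplib.IMAP4_SSL(host, port) as conn:
        try:
            conn.authenticate("XOAUTH2", authobject)
        except imaplib.IMAP4.error as exc:
            print(f"AUTHENTICATE failed: {exc}")
            return False
        return True


if __name__ == "__main__":
    for warning in check_ccg_config(SAMPLE_CONFIG):
        print("WARNING:", warning)
    # With real values, the end-to-end check against Exchange Online is:
    # token = fetch_ccg_token("https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token",
    #                         "<client_id>", "<client_secret>", "https://outlook.office365.com/.default")
    # imap_xoauth2_check("outlook.office365.com", "emailteste@xyz.com", token)
```

If `imap_xoauth2_check` fails with the same `NO AUTHENTICATE failed` while the token request itself succeeds, the problem is on the Entra side (application permissions, admin consent, or the mailbox not being granted to the app), not in the proxy; if it succeeds, compare the secret the proxy actually sends with the one that worked here.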

simonrob commented 1 month ago

I'm assuming this was resolved, so will close this issue.