harishkrupo / oauth2ms Goto Github PK
View Code? Open in Web Editor NEWLicense: Apache License 2.0
License: Apache License 2.0
Must say that what this project is set to achieve is amazing!
Unfortunately on step 3 of Azure app set up an "Access denied You don't have permission to register applications in the " message shows up. There is no point in trying to ask for permission at my workplace, they are too inflexible/unhelpful. So my question, which is probably a shot in the dark, is if there is any alternative way to obtain a tenant ID, client ID and secret?
Other information I was able to gather: In Azure's Active directory Overview section there is a "My feed" subsection which under my name displays a code 189cdec2-7acf-4b53-bb9a-9080ff602f56
(possibly this is my tenant or client ID?). Under the same section I can also see an Azure AD Connect icon and the type of license used in my company is Azure AD Premium P2. Thank you in advance for any help.
I have been trying to follow the instructions, but I cannot get past step one as Azure simply won't let me create an ID (I only have the free account perhaps this is a reason).
Is it possible to just use a publicly available client_id and client_secret (such as what Thunderbird uses)?
Hello, after oauth2ms
has been working perfectly (thank you very much @harishkrupo) for a couple of months, with the arrival of the new year it started spitting out IMAP command 'NAMESPACE' returned an error: BAD User is authenticated but not connected.
. Removal and recreation of credentials.bin
did not have any effect, neither logging out from outlook.com
.
Any ideas what this is about?
I am attempting to setup oauth2ms
to work with mbsync
, and while troubleshooting ran into the following error:
Traceback (most recent call last):
File "~/.local/bin/oauth2ms", line 247, in <module>
token = fetch_token_from_cache(app_state)
File "~/.local/bin/oauth2ms", line 181, in fetch_token_from_cache
return result["access_token"]
TypeError: 'NoneType' object is not subscriptable
This occurs when executing both mbsync -a
and oauth2ms --encode-xoauth2
. I am not sure what is producing this as it seemed to be working fine, albeit with the incorrect base64.
Hi,
Is there an easy way to install this on a mac? I'm trying to configure apple mail to use with outlook 365 (imap disallowed). Thanks
Hi @harishkrupo,
Thanks for your efforts in this project! I see multi-account support is one of the TODO's and I'm willing to lend a hand if needed. I had some thoughts on how to implement this that I'd like to run by you. Would it be an option to:
I'm not sure how this would work with the credentials cache or indeed if anything else would break. What's your take?
While trying to configure oauth2ms, I get the following error after authenticating in my office365 server: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '20460e5d-ce91-49af-a3a5-70b6be7486d1'.
This is with the following values in the config (I'm using Evolution's client id, and it works in other scripts like mutt_oauth2):
{
"tenant_id": "common",
"client_id": "20460e5d-ce91-49af-a3a5-70b6be7486d1",
"client_secret": "",
"redirect_host": "localhost",
"redirect_port": "5000",
"redirect_path": "/GetToken/",
"scopes": ["https://outlook.office365.com/IMAP.AccessAsUser.All", "https://outlook.office365.com/SMTP.Send"]
}
I'm confused about the redirect uri: shouldn't it be something like https://login.microsoftonline.com/common/oauth2/nativeclient? This is what mutt_oauth2 uses. But then, I don't have a port or a path...
Thanks in advance!
Thanks for this tool!
I think it would be great if this supported saving client secrets and refresh tokens in the user's keyring. Perhaps the Secret Storage API (via secretstorage
)could be used to interact with the keyring.
after setting up the azure app with the correct permissions, after the first run of oauth2ms
I log in and grant permissions in the browser, then I get the following error after I see a blank page with "Authorization complete.".
Traceback (most recent call last):
File "/home/japhir/bin/oauth2ms", line 226, in <module>
app_state, token = build_new_app_state(crypt)
File "/home/japhir/bin/oauth2ms", line 143, in build_new_app_state
token = result["access_token"]
KeyError: 'access_token'
here's an overview of my permissions config:
what am I doing wrong?
Hi there,
I finally got a chance to try out this project on Saturday, but I've not been able to get it working with mbsync:
IMAPAccount mc
Host outlook.office365.com
Port 993
User [email protected]
PassCmd "oauth2ms"
SSLType IMAPS
AuthMechs XOAUTH2
IMAPStore mc-remote
Account mc
MaildirStore mc-local
Path ~/.mail/[email protected]/
Inbox ~/.mail/[email protected]/INBOX
# The SubFolders option allows to represent all
# IMAP subfolders as local subfolders
SubFolders Verbatim
Channel mc
Master :mc-remote:
Slave :mc-local:
Patterns *
Expunge None
CopyArrivalDate yes
Sync All
Create Slave
SyncState *
mbsync -l mc
IMAP command 'AUTHENTICATE XOAUTH2 <base64 hash>' returned an error: NO AUTHENTICATE failed.
The base64 hash looks like this when deserialized (I replaced some of the token to make it wrong):
[email protected]=Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6InJfMEU5VDU3aUh1Z21aaXXaaaaAaAaAA1aaA3AaAAa3A2AAAaA
Recently upgraded system (manjaro). Previous set up worked flawlessly. Now, running oauth2ms
gives the following error:
Traceback (most recent call last):
File "/usr/bin/oauth2ms", line 247, in <module>
token = fetch_token_from_cache(app_state)
File "/usr/bin/oauth2ms", line 181, in fetch_token_from_cache
return result["access_token"]
TypeError: 'NoneType' object is not subscriptable
I am not sure what might have caused this and happy to provide any additional info. This package has been great and it appears that something else has now broken it. Thanks for the work and making this available to us
Hi there. Great piece of code.
Is this error familiar?:
Server returned: {'error': 'invalid_client', 'error_description': "AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented. ...
Hi All,
I really think my config is close but I get a parse error ?
oauth2ms
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/models.py", line 379, in prepare_url
scheme, auth, host, port, path, query, fragment = parse_url(url)
File "/usr/lib/python3/dist-packages/urllib3/util/url.py", line 392, in parse_url
return six.raise_from(LocationParseError(source_url), None)
File "<string>", line 2, in raise_from
urllib3.exceptions.LocationParseError: Failed to parse: https://login.microsoftonline.com/589c76f5-ca15-41f9-884b-55ec15a0672a/v2.0/.well-known/openid-configuration
During handling of the above exception, another exception occurred:
results in:
{"token_endpoint":"https://login.microsoftonline.com/589c76f5-ca15-41f9-884b-55ec15a0672a/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/589c76f5-ca15-41f9-884b-55ec15a0672a/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/589c76f5-ca15-41f9-884b-55ec15a0672a/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/589c76f5-ca15-41f9-884b-55ec15a0672a/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/589c76f5-ca15-41f9-884b-55ec15a0672a/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/589c76f5-ca15-41f9-884b-55ec15a0672a/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/589c76f5-ca15-41f9-884b-55ec15a0672a/kerberos","tenant_region_scope":"NA","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}
What am I doing wrong ?
Thank you very much for writing this code.
My university seems to use the device code flow, I guess it is https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code. I found https://docs.microsoft.com/en-us/python/api/msal/msal.application.publicclientapplication?view=azure-python and tried to edit your code to make it work, but I lack understanding of how everything works really. Could you help?
Thank you very much for developing this package which allows me to receive emails from my work email account using mbsync.
However, I am unable to use it to send emails. At my work they use a O365 server and SMTP Authentication is disabled. I am not sure if this package assumes that this option must be turned on? Specifically, when I try to send an email with the suggested configuration for SMTP
Sending...
Sending via mail...
auth-source-search: found 1 backends matching (:max 1 :host "smtp.office365.com" :port "587")
Decrypting /home/myusername/.authinfo.gpg...done
auth-source-search-backend: got 1 (max 1) in netrc:~/.authinfo.gpg matching (:max 1 :host "smtp.office365.com" :port "587")
auth-source-search: found 1 results (max 1) matching (:max 1 :host "smtp.office365.com" :port "587")
auth-source-search: found 1 backends matching (:host "smtp.office365.com" :port "587" :user nil :max 1 :require nil :create nil)
auth-source-netrc-parse: using CACHED file data for ~/.authinfo.gpg
auth-source-search-backend: got 1 (max 1) in netrc:~/.authinfo.gpg matching (:host "smtp.office365.com" :port "587" :user nil :max 1 :require nil :create nil)
auth-source-search: found 1 results (max 1) matching (:host "smtp.office365.com" :port "587" :user nil :max 1 :require nil :create nil)
[mu4e] Update process returned with non-zero exit code
535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled for more information. [FR3P281CA0054.DEUP281.PROD.OUTLOOK.COM]
221 2.0.0 Service closing transmission channel
smtpmail-send-it: Sending failed: 535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled for more information. [FR3P281CA0054.DEUP281.PROD.OUTLOOK.COM] in response to AUTH
At a broader level, if nowadays SMTP is being disabled by MS what protocol is actually supported to send emails, and is there a way to replicate it? Thank you in advance for any help.
My msmtprc config file is
account work
host smtp.office365.com
from [email protected]
port 587
user [email protected]
passwordeval gpg2 -q --for-your-eyes-only --no-tty -d ~/.authinfo.gpg | awk '/machine smtp.office365.com login [email protected]/ {print $NF}'
auth login
tls on
tls_starttls on
tls_certcheck on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
Hello, thanks for this package - finally able to work with email on emacs. Unfortunately, I am unable to send any emails.
I copied the code recommended in steps.org
and added my smtp server details. When I try to send an email in emacs I am prompted for my password (rightly or wrongly, I was expecting to not be prompted, so I just hit return
). It quickly fails after that. Here is what I can see (from the *Messages* buffer:
Sending...
530 5.7.57 Client not authenticated to send mail. [server.prod.outlook.com]
451 4.7.0 Temporary server error. Please try again later. PRX4 [server.prod.outlook.com]
221 2.0.0 Service closing transmission channel
smtpmail-send-it: Sending failed: 451 4.7.0 Temporary server error. Please try again later. PRX4 [server.prod.outlook.com] in response to AUTH
For more detail here is the trace of the SMTP session:
220 server.outlook.office365.com Microsoft ESMTP MAIL Service ready at Fri, 26 Feb 2021 22:05:56 +0000
250-server.outlook.office365.com Hello [98.217.221.170]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
220 2.0.0 SMTP server ready
250-server.outlook.office365.com Hello [98.217.221.170]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
AUTH XOAUTH2 [...token..] [note: the token matches the output of the most recent `oauth2ms --encode-xoauth2`]
451 4.7.0 Temporary server error. Please try again later. PRX4 [server.prod.outlook.com]
QUIT
221 2.0.0 Service closing transmission channel
Process smtpmail connection broken by remote peer
I appreciate any guidance you can provide. Thank you!
I obtained the token using instructions given here. I am able to download email with it. I tried to adapt the code you give for SMTP to use that token. I came up with this,
(use-package smtpmail
:ensure t
:config
(add-to-list 'smtpmail-auth-supported 'xoauth2)
:init
(cl-defmethod smtpmail-try-auth-method
(process (_mech (eql xoauth2)) user password)
(let* ((access-token "<token string here"))
(smtpmail-command-or-throw
process
(concat "AUTH XOAUTH2 " access-token)
235)))
(setq message-send-mail-function 'smtpmail-send-it
message-kill-buffer-on-exit t
starttls-use-gnutls t
smtpmail-default-smtp-server "smtp.example.com"
smtpmail-smtp-server "smtp.example.com"
smtpmail-stream-type 'starttls
smtpmail-starttls-credentials
'(("smtp.example.com" 587 nil nil))
smtpmail-auth-credentials
'(("smtp.example.com" 587 "[email protected]" nil))
smtpmail-smtp-service 587))
When sending the email, the authentication still fails. Any ideas?
Hi @harishkrupo,
First off, thank you for writing this script and the step-by-step instructions here - they've been incredibly helpful to someone just starting out learning how this kind of authentication works. I have a slightly different error than issue #2.
When I run oauth2ms directly from the shell, I get a token that when plugged into jwt.ms seems correct (unique_id, scope, tenant and client ID all look right - but I do not know much about what I am looking at and might be missing something).
When I run mbsync -V, I receive the following output:
Opening far side store rice-remote...
Resolving outlook.office365.com... ok
Connecting to outlook.office365.com (52.96.103.18:143)...
Opening near side store rice-local...
Connection is now encrypted
Logging in...
Authenticating with SASL mechanism XOAUTH2...
Error performing SASL authentication step: SASL(-1): generic failure: Unable to find a callback: 18948
Here's the relevant part of my .mbsyncrc:
Host outlook.office365.com
User [email protected]
AuthMechs XOAUTH2
Passcmd oauth2ms
Searching for the whole or part of that error message has not gotten me to anything that has helped me. I am on macos and had to install the cyrus-sasl-xoauth2 plugin to /usr/local/lib/sasl2 instead of /usr/lib/sasl2, so it might be something with not finding the right plugin, but I was receiving a different error message before, and I think that I've resolved that piece of it. Changing to passcmd "oauth2ms --encode-xoauth2"
returned the same behavior.
So my working hypothesis is that oauth2ms is properly fetching a token, mbsync is finding something to attempt xoauth2, but perhaps not the right plugin. It's also possible there's a setting in my azure that has been set by my organization's IT department that prevents this from working without an extra step (for example, I had to request permission the first time I ran oauth2ms, but that was granted).
I realize this is likely outside of the scope of issues for oauth2ms, but any troubleshooting advice you have would be much appreciated.
Hello - I'd like to incorporate oauth2ms to manage outlook.com (MS public email domain) emails with mu/mu4e with mbsync. I'm able to successfully create credentials.bin with oauth2ms on command line. But when syncing, mbsync returns this error.
I noticed Issue 27 with the similar (same?) error code, which was raised more than a year ago, but don't see a solution posted there. Any suggestions greatly appreciated.
Thanks!
Thank you for oauth2ms! This helped me continue to use emacs mbsync and mu4e when my university forced oauth2 imap this summer. At that time, smtp did not yet require oauth2 so I did not add code to my mu4e setup to use oauth2. That changed today. Therefore, I added to my .emacs based on the code in steps.org. I also made sure the config.json file had
"scopes": ["https://outlook.office365.com/IMAP.AccessAsUser.All", "https://outlook.office365.com/SMTP.Send"]
And I had already set the smtp permissions in azure.
But attempting to send smtp results in an smtp trace like shown below (I deleted the token string). Any suggestion on where to start?
220 SN7P220CA0005.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 3 Oct 2022 15:50:36 +0000
250-SN7P220CA0005.outlook.office365.com Hello [<ip address>]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
220 2.0.0 SMTP server ready
250-SN7P220CA0005.outlook.office365.com Hello [<ip address>]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
AUTH XOAUTH2
[TOKEN CHUNK HERE DELETED]
535 5.7.3 Authentication unsuccessful [SN7P220CA0005.NAMP220.PROD.OUTLOOK.COM]
QUIT
221 2.0.0 Service closing transmission channel
I've set up oauth2ms according to the instructions provided in steps.org, and I've searched the web for any clues to what I may have done incorrectly. I've spent about 15 hours trying to troubleshoot this, I'm out of ideas, and I would be very grateful to anyone who could help! :)
Every time I execute oauth2ms it opens a browser window and returns a token there, with the message "Authorization complete." Back in the terminal I see this:
tfry@tfryX1:~$ oauth2ms Opening in existing browser session. libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null) Something went wrong during authorization Server returned: {'error': 'invalid_client', 'error_description': "AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.\r\nTrace ID: 262be02c-ead2-4c32-a8e0-1007dc5ba700\r\nCorrelation ID: 5c9b96da-0533-46c7-b5ca-cdbfdd77f22f\r\nTimestamp: 2022-10-06 17:26:37Z", 'error_codes': [700025], 'timestamp': '2022-10-06 17:26:37Z', 'trace_id': '262be02c-ead2-4c32-a8e0-1007dc5ba700', 'correlation_id': '5c9b96da-0533-46c7-b5ca-cdbfdd77f22f'} Traceback (most recent call last): File "/usr/local/bin/oauth2ms", line 240, in <module> app_state, token = build_new_app_state(crypt) TypeError: cannot unpack non-iterable NoneType object tfry@tfryX1:~$
My config.json (the XXXs are simply obfuscating stuff):
{ "tenant_id": "9XXXXXX6-3bbd-49b8-a5bc-ecXXXXXX0b8", "client_id": "9XXXXXX5-10e4-4cdb-a13d-21XXXXXXXX71", "client_secret": "gYvXXXXXXXXXXXXXXXXXXXXXXXyfbAy", "redirect_host": "localhost", "redirect_port": "5000", "redirect_path": "/getToken/", "scopes": ["https://outlook.office.com/IMAP.AccessAsUser.All", "https://outlook.office.com/SMTP.Send"] }
What have I done wrong, and can you point me to next steps in troubleshooting this? Thank you so much in advance!!
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.