I understand that SMTP Basic Authentication on Office 365 tenants will be automatically disabled from 1 October 2022 onward. As the SMTP OAuth 2.0 client credentials flow has not been implemented yet by Microsoft, we can't move our product implementation (non-interactive) away from Basic Authentication.
We therefore need our customers to be able to keep SMTP Basic Authentication enabled after 1 October.
Question:
Will existing Office 365 tenants be able to keep SMTP with Basic Authentication enabled until the OAuth 2.0 client credentials flow is available for SMTP?
Is the same also true for new tenants that are created in future?
Thanks!
SMTP basic auth is not going away yet 😉
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#pop-imap-and-smtp-auth (last paragraph of this section)
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210 (Bolded line after the first paragraph)
Related
The messaging around DocuSign's upcoming authentication changes has been a bit confusing, especially when it comes to SOAP integrations. https://www.docusign.com/blog/developers/docusign-api-basic-user-password-authentication-retirement is the most recent announcement. SOAP integrations do use Basic Authentication, which is reason to think they will be impacted by this. But the article explicitly mentions the "X-DocuSign-Authentication" header, which SOAP integrations don't use. But since the SOAP API only supports basic authentication (right?), I would think they would clearly say that the SOAP API is no longer supported if that's what they meant. This recent article distinguishes between 2 different types of SOAP authentication, so is the announcement about the new method now being the only supported one?
Can I continue to use the SOAP API using App Password authentication beyond October 2022?
thanks for the feedback! I'll pass your feedback along to see if we can clarify it to state what we mean by basic authentication. This announcement may be more relevant to your use-case.
If you are using an App Password (and not your DocuSign account password which you use to login to the Web UI) you will be fine to continue using it.
So I'm essentially trying to connect, via IMAP, to Outlook/Exchange email accounts, using Node.
Using the old Live Connect API I'm able to do an IMAP AUTHENTICATE command with the OAuth 2 token (https://msdn.microsoft.com/en-us/windows/desktop/dn440163). But this doesn't seem to work for Exchange accounts, as attempting to do the OAuth flow with those just brings up an error "This Microsoft account doesn't exist."
Using the new Microsoft Identity Platform, I'm able to do OAuth for the Exchange accounts just fine. But this brings up a totally different issue, where the tokens don't work for IMAP. I'm guessing I'm missing a scope here (I've added all the Mail scopes though), but there are no docs on this and I don't have a paid support plan with Microsoft.
When adding Exchange to Apple Mail, I see that it shows a different consent screen that asks for consent in a different manner. I believe Apple Mail also connects to Exchange via OAuth 2.0 mechanisms, so I'm wondering how they go about it.
If anyone has experience with connecting via IMAP to Outlook or Exchange accounts I would be super grateful!
Office 365 IMAP4 and POP3 OAuth support has not been enabled yet. It will be enabled some time before October 2020, when Basic auth will go away for all protocols except SMTP.
I'm asking this question on the back of a previous question I raised, as the scope of the question has changed somewhat but that might be worth reading first for background info.
I'm trying to programmatically obtain data out of our Dynamics CRM instance, using a single set of admin credentials within a Node powered Express app. This Express app is hosted on a separate server outside of our network where CRM is hosted. The app will then request, process and serve CRM data back to any logged in user who has access (controlled by roles/permissions within the app), meaning an end user only has to log in to the Express app.
From my web browser, if I visit our on-premise CRM endpoint: https://my.crm.endpoint, I get prompted for a username and password.
If I provide correct credentials, I am authenticated and have full access to the CRM, allowing me to query the API.
Example
https://my.crm.endpoint/api/data/v8.2/contacts?$select=fullname,contactid
This returns a lovely JSON object containing all the data I want :)
NOW! Under the covers, I can see that it is using NTLM to authenticate, of which I have little knowledge :/ Having read up a little and watched a few YouTube videos, I have a basic understanding of the challenge/response mechanism but I'm still unsure as to how to proceed.
NB: I have read this from Microsoft which describes the mechanism, but doesn't give any specific examples. I don't even know what hashing algorithm should be used, or what headers to set etc.
Question: Can anyone provide any sort of detail as to how I can authenticate with our CRM using NTLM from a Web App (Express in my case)?
Steps I can see the browser making...
Visit https://my.crm.endpoint
302 Redirected to: https://fs.our.domain/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fmy.crm.endpoint%2f&wctx=rm%3d1%26id%3dfaf0791c-6a3a-4c4e-9e69-9dfa8fd4c2e8%26ru%3d%252fdefault.aspx&wct=2018-04-20T10%3a12%3a37Z&wauth=urn%3afederation%3aauthentication%3awindows
Prompted for user credentials
**enter credentials**
A whole bunch of stuff happens here and I get a little lost, but it looks like it gets a couple of 401s, then a POST is made to https://my.crm.endpoint. Another 302 is shown, then finally a GET to the actual default.aspx page.
I then have access to CRM.
NB: Once authenticated, I can see three cookies that have been set and which are sent when querying the api example above. These cookies are MSISAuth, MSISAuth1 and ReClientId.
If I'm missing any crucial info, please let me know and I'll provide what I can!
UPDATE
I have just installed httpntlm module and attempted to authenticate using this...
let httpntlm = require('httpntlm');

httpntlm.get({
    url: 'https://my.crm.endpoint',
    username: '<my.email#address.com>',
    password: '<mypassword>',
    workstation: '', // unsure what to put here if anything?
    domain: ''       // unsure what to put here if anything?
}, function (err, res) {
    if (err) {
        // returning the error from the callback would silently discard it
        console.error(err);
        return;
    }
    console.log(res.headers);
    console.log(res.body);
});
The response I get is this...
{ location: 'https://fs.our.domain/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fmy.crm.endpoint%2f&wctx=rm%3d1%26id%3d93a4c6fd-5b17-4a2b-965f-07af5e96b08f%26ru%3d%252fdefault.aspx&wct=2018-04-20T14%3a08%3a00Z&wauth=urn%3afederation%3aauthentication%3awindows',
server: 'Microsoft-IIS/8.5',
req_id: '298acefc-53aa-46fa-96c4-e5d8762b1fd2',
'x-powered-by': 'ASP.NET',
date: 'Fri, 20 Apr 2018 14:08:00 GMT',
connection: 'close',
'content-length': '397' }
<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>
Anyone able to shed any light on what I actually need to be doing?! :-/
UPDATE 2
Following #markgamache's comment, and having read the suggested docs, we are indeed using WS-Fed! As the wa=wsignin1.0 parameter informs the browser to pop up a login box, does this make it impossible to achieve this programmatically, without additional user interaction?
Based on my following understanding:
You are using CRM on premises with claims authentication (ADFS). This means that when a user accesses CRM, the user is redirected to ADFS for authentication (if the user is in the internal network, by default ADFS uses integrated Windows authentication) and then the user is redirected back to CRM.
You must call a CRM endpoint from an external (node.js) application. That call is NOT "client side" (i.e. via browser/javascript) but "server side" (i.e. from the web server hosting the application)
The ideal solution would be to apply here the S2S (server to server) scenario which involves an application user in CRM which in turn is used to call a CRM API using the OAuth client credentials flow (client id + secret). Problem is, as far as I know, currently the application user concept is only supported in CRM online, not on premises.
So then you can try one of these 3 options:
Despite the fact that you are using claims authentication in CRM, you can still use integrated Windows authentication (IWA). How? If you check the CRM IIS site, you must have an HTTPS binding. If you add an HTTP binding (i.e. port 80, no host header), you can access http://CRM_Server_Name/api/data/v8.2/contacts using IWA. So in this scenario, the httpntlm module you already tried could work. Please note that CRM supports one HTTPS IIS binding and one HTTP IIS binding, so make sure not to add more than one binding of each type.
Mimic (programmatically of course) the authentication flow you observed in the browser. What does this mean? Generate an IWA authenticated request to https://fs.our.domain/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fmy.crm.endpoint%2f&wauth=urn%3afederation%3aauthentication%3awindows. ADFS will authenticate you and will give you some cookies. You will need to store those cookies to make a subsequent request to https://my.crm.endpoint/api/data/v8.2/contacts. Not a great solution but should work.
Use OAuth. Problem is that as I described at the beginning, the ideal OAuth flow for this scenario (client credentials) is not available for CRM on prem as far as I know. So then you must use the Authorization Code Grant flow, described here. First you will need to register an ADFS application and then again, you will need to make several HTTPS calls (one of them will be a call to the ADFS IWA authentication endpoint) to finally obtain a token that you can use to make calls to the CRM endpoint.
That is a redirect to an ADFS server for claims based authentication. That page, or the next redirect, will ask you to authenticate with either cert, forms, or Windows integrated (NTLM or Kerberos). If you pass auth, your browser will be given a token to send to https://my.crm.endpoint. The URL suggests the claims will be via WS*. https://blogs.technet.microsoft.com/askpfeplat/2014/11/02/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/
What security can we implement in PHPmailer to make it a more secure app for Gmail? https://support.google.com/accounts/answer/6010255
I am using PHPmailer to send emails via Gmail. PS: I don't want to enable "access for less secure apps" here: https://www.google.com/settings/security/lesssecureapps, I want to make the app more secure.
Gmail has started imposing a new authentication mechanism that replaces SMTP authentication with OAuth2-based authorisation. The docs on their changes can be found here.
This doesn't really improve security much because ultimately you still need to submit your username and password over SSL at some point (the very mechanism that Google deems insecure) to authenticate to get an OAuth token, which is exactly as secure as existing SMTP auth systems.
As yet, PHPMailer does not support this new mechanism - PRs welcome! You will need an OAuth2 class, such as this one, and perhaps make use of this code example.
In the meantime, you do have to "enable access for less secure apps", and you should set SMTPSecure = 'tls' and Port = 587 and use normal auth to connect using PHPMailer.
Update
PHPMailer supports Gmail's XOAUTH2 authentication as of version 5.2.11. See this guide. It's being expanded in version 6.0 to support other services too.
I have seen in some articles that OpenID Connect would replace SAML as the dominant protocol for SSO. I am not sure how OpenID Connect would handle the session management capabilities with different service providers and how it could be used to implement single logout. Currently, are there IDM servers (open source or commercial) that support OpenID Connect as an SSO IdP (as a replacement for a SAML2 SSO IdP)?
PingFederate [disclaimer: as it says in my name, I work for PingIdentity] built OIDC into the product in April 2013 - version 7.0. Additionally, we've supported OpenID since December 2010 via an integration kit.
That said, "SLO" (Single Logout) under OIDC is a whole new ballgame. I'd suggest having a read through the Session Management portion of the OID spec. The gist of it is that SLO is done completely differently from the way most SAML systems implemented it, and it's very user-centric, rather than OP or RP specific.
One last thing... While it's possible that OIDC will replace SAML eventually, I'd just like to point out that we've finally got a serious snowball effect going with SAML. OIDC isn't yet final, and it's going to take time to migrate to. Will the focus shift? Quite possible. But it won't happen this year, or next, and most likely not for a couple more after that. If you're looking at products that are bleeding edge that support OIDC, fair enough... But if you're actually wanting to implement, the opportunities are few and far between. There just aren't a lot of RPs out there yet - primarily because the spec isn't "final".
I should also mention that some of our competitors, like Gluu, Okta, IBM, and Layer7 have shown support for OIDC (by competing in interop testing), but I can't speak to the extent of their support in current products.
OpenAM seems to support it from release 11. wikis.forgerock.org/confluence/display/openam/OpenAM+Roadmap
Yes, no question. No one wants to use a SOAP/XML standard from 2005 (pre-mobile) when they can use a JSON/REST API from 2014. See Gluu's protocol predictions: http://www.gluu.co/sso-protocol-predictions
If you doubt it, see Forrester's predictions...
http://www.gluu.org/blog/wp-content/uploads/2014/06/eve_uma_irmsummit_2014-300x225.jpg
Notice SAML on the "moderate success" curve, and OpenID Connect on the "significant success" curve.
The problem is that SAML vendors would not agree to breaking changes, and mobile/headless API's broke some of the assumptions made in the design of SAML.
Mike Schwartz
Founder / CEO Gluu
http://gluu.org
I would expect that OIDC will replace SAML based authentication over time.
Apache Fediz (since version 1.3.0) provides support for
* SAML Web SSO
* WS-Federation
* OIDC
The great thing about Fediz is that it also supports a protocol bridge.
So you can log in with an IdP using SAML Web SSO and finally log in to an OIDC web portal.
https://cxf.apache.org/fediz.html
http://janbernhardt.blogspot.de/2015/12/fediz-with-openid-connect-support-and.html
However SLO is currently not supported for OIDC. But since it is an open source project it should be simple to add this, as contributions are always welcome.