So I'm essentially trying to connect, via IMAP, to Outlook/Exchange email accounts, using Node.
Using the old Live Connect API I'm able to do an IMAP AUTHENTICATE command with the OAuth 2 token (https://msdn.microsoft.com/en-us/windows/desktop/dn440163). But this doesn't seem to work for Exchange accounts as attempting to do the Oauth flow with those just brings up an error "This Microsoft account doesn't exist."
Using the new Microsoft Identity Platform, I'm able to Oauth for the Exchange accounts just fine. But this brings up a totally different issue, where the tokens don't work for IMAP. I'm guessing I'm missing a scope here (I've added all the Mail scopes though), but there are no docs on this and I don't have a paid support plan with Microsoft.
When adding Exchange to Apple Mail, I see that it shows a different consent screen that asks for consent in a different manner. I believe Apple Mail also connects to Exchange via Oauth 2.0 mechanisms so I'm wondering how they go about it.
If anyone has experience with connecting via IMAP to Outlook or Exchange accounts I would be super grateful!
Office 365 IMAP4 and POP3 OAuth support has not been enabled yet. It will be enabled some time before October 2020, when Basic auth will go away for all protocols except SMTP.
Related
I am trying to authenticate a backend server with OAUTH in order to send emails from that backend server. The thing I don't understand is how can I do this if the server will only ever be run locally on a VLAN.
Is this even possible?
What I am currently doing:
Backend server (Running Node) uses Basic Authentication credentials (username & password) to authenticate then send an email through Office 365 account to a user using SMTP. Basic auth is being deprecated though and is being replaced by OAUTH.
What I want to do:
Replace basic authentication with OAUTH to authenticate and send emails from backend server through office 365 account.
Any help would be greatly appreciated.
The usual migration path here is Client Credentials Flow which should work like this:
Back end on private VLAN must be able to make outbound calls to the Authorization Server (Azure AD in your case).
The advantage should be that the credential is not revealed every time you want to send an email, and OAuth access tokens are used instead.
This should work in locked down environments where outbound calls are restricted. Usually a whitelist is configured in the firewall - eg all URLs other than Azure AD are blocked.
This is specially for how to implement it using Azure Active Directory & Office365 as the E-mail sender, but the main ideas for how to implement this should work for other services. The only caveat is that some other services will require you to obtain an accessToken first and use that in conjunction with their API.
Using the information about Client Credentials Flow provided by #Gary Archer
combined with the Microsoft Graph SDK
as well as examples for how to:
Register an app in Azure
How to Create a Client
Get ID of User by fetching user data
How to send Emails
I was able to figure this out.
Google recently introduced stricter privacy policies for their Gmail API that requires a security audit for sensitive scopes, such as accessing email. Can this be circumvented by relying exclusively on connecting to user inboxes via IMAP?
Context.io shut down because of these policies and I don't understand why they don't just connect to user inboxes via IMAP. https://blog.context.io/context-io-deprecation-notice-ce8b77e6e477
A technical answer is that you can't connect to GMail's IMAP accounts (in general) without using OAuth authentication; which is subject to the same technical requirements via your apps OAuth registration.
Otherwise, you have to get users to generate server specific passwords or lower the security requirements for their accounts, which is a no-go for all but the most technical of users.
By default GMail's IMAP server blocks simple password logins.
I have built an integration with the Docusign API, but am unable to successfully complete the JWT auth flow with our production account.
Everything works fine in our sandbox account - I went through all the steps described in the docs (https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken),
and successfully promoted the integration key to our production account.
However, with the production account, running through the same code to initiate the JWT results in a 400 Bad Request error, with no additional information about the nature of the failure. I've double checked that we are using the correct oauth base domain (what Docusign calls aud) and that RSA keys and redirect URLs are correctly
configured for the production account.
I've also gone through all of the "go live" steps, except for one which mentions migrating users, since it doesn't seem
like this functionality is available on our production account dashboard. On the sandbox account, which has all enterprise features enabled,
the sidebar has a section for "Users and Groups" but there is no such section on our production account.
I'm wondering if the root of the problem is that our production account, which is the Basic API level account, doesn't have adequate permissions
to support the use case I'm building for.
Unfortunately I can't get a straight answer from either account reps or tech support folks as to whether this is true.
are you trying to use the same RSA key you used in Sandbox in Production by any chance?
Also, did you actually get your IK certified and active in production?
I'm building an app that should be able to send emails. I'm using OAuth2 to verify the user, and I've looked at the Xamarin Forms Sample which works great with gmail after setup.
However it doesn't work with my Microsoft account.
I've created a cliendId and all that stuff on Microsoft. Do I have to have a Azure AD as well?
I'm calling the authentication with:
new OAuth2Authenticator(
"myClientId",
"User.Read",
new Uri("https://login.live.com/oauth20_authorize.srf?client_id=myid&scope=user.read&response_type=token&redirect_uri=https://login.live.com/oauth20_desktop.srf"),
new Uri("myRedirectUri"),
null,
true);
But am reaching a screen saying: We cannot perform your request.
Microsoft-accounts is having technical issues right now. Try again later.
Have looked at this sample, where the author uses Google and Microsoft accounts in similar ways.
If I'm instead using this sample it works with the original setup, but not if I change to my own clientId and redirectUrl. Is this since I don't have any Azure account?
Would not like to pay to get it, and since the first approach works fine with my gmail I would love if it could work with Microsoft as well.
/Oliver
Have you tried the microsoftonline.com endpoints instead? I've also implemented this using Xamarin.Auth and could get it working that way.
AuthorizeUrl: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
AccessTokenUrl: https://login.microsoftonline.com/common/oauth2/v2.0/token
"common" is the {tenant} which you can replace with "consumers" if you only wanna allow personal accounts.
An alternative to coding it yourself, is to use a 3rd party library to handle authentication.
CloudRail have SDKs for Xamarin, with build-in integrations for social login/authentication, and also for email sending, which you mention.
I am using EWS Java APIs and passing OAuth tokens to fetch data from office 365 mailboxes.
Because I am developing Web APIs I preferred using "Application Permissions" defined in Azure active directory application for Office 365, and used "client credential flow" OAuth flow to fetch OAuth token specific to application which will allow "Have full access via EWS to all mailboxes in the organisation".
After fetching token with the procedure specified in the document "http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx"
I passed this token to EWS Java APIs,
it gave me error saying:
microsoft.exchange.webservices.data.ServiceResponseException: Exchange Web Services are not currently available for this request because none of the Client Access Servers in the destination site could process the request.
I tried similar thing with EWS managed APIs for .net. Got similar error.
Can anyone provide some help and direction to resolve this error.
Thanks & Best Regards,
Pranjal
I was able to resolve the issue, by simply adding following line of code
service.getHttpHeaders().put("X-AnchorMailbox","smtpemailaddress");