Forum Discussion
Authentication Failure for IMAP and POP3 using Client Credential flow for OAuth2.0 | Java
- Jul 29, 2022
Hi. I had the same problem, but I think I made some progress.
I read the documentation a few times and tried a few times from the start, with the same error. I even tried using client and object IDs instead of email as username, for lack of better ideas.
So this is where I think I made a mistake the previous times. When you are at the part where you need to register the service principal, you need to execute
`New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]`
Here I put the enterprise application object ID as the ServiceId argument. And that is OK.
But on
`Add-MailboxPermission -Identity "email address removed for privacy reasons" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess`
I put my registered application object ID as the User argument. I also tried setting the object ID of the enterprise application, but it did not succeed.
I also tried New-ServicePrincipal with the registered app object ID as the service ID, but it gave me the same result.
When I executed
`Get-ServicePrincipal -Organization <ORGANIZATION_ID> | fl`
I did not pay attention to the ServiceId property, even with the documentation specifying it and saying it will be different.
Now I cleared everything and started fresh.
I executed all the steps again, but at the step where I need to add the mailbox permission, I listed the service principals and then used the `ServiceId` value from the output as the argument for User.
With that, I was able to authorise.
Unfortunately, now I receive `C3 BAD User is authenticated but not connected.` when I try to list the inbox. But it is a step forward.
I am not sure if you made the same error as me, but maybe it will help you in some way.
I will post info when I find a fix for the new error, in case somebody comes across the same issue.
It seems like your POP3 authentication command is incorrect?
The documentation at https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth says to use:
AUTH XOAUTH2
<base64 string in XOAUTH2 format>
For example:
[connection begins]
C: AUTH XOAUTH2
S: +
C: dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYX
JlciB5YTI5LnZGOWRmdDRxbVRjMk52YjNSbGNrQmhkSFJoZG1semRHRXVZMjl0
Q2cBAQ==
S: +OK User successfully authenticated.
[connection continues...]
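The XOAUTH2 string in the exchange quoted above has a fixed layout (`user=<mailbox>`, Ctrl-A, `auth=Bearer <token>`, two Ctrl-A), so a captured value can be decoded and checked before looking at the server side. The following is an added example, not code from this thread or from JavaMail; the class `Xoauth2Check`, its method names, the `@` heuristic for a mailbox address and the placeholder token are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

public class Xoauth2Check {
    private static final String CTRL_A = "\u0001";

    /** Base64 of user=<mailbox>^Aauth=Bearer <token>^A^A. */
    static String encode(String mailbox, String accessToken) {
        String raw = "user=" + mailbox + CTRL_A + "auth=Bearer " + accessToken + CTRL_A + CTRL_A;
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** Lines the client sends in the one-line or two-line AUTH form. */
    static List<String> clientLines(String b64, boolean twoLine) {
        return twoLine ? List.of("AUTH XOAUTH2", b64) : List.of("AUTH XOAUTH2 " + b64);
    }

    /**
     * Structural problems in a captured XOAUTH2 string; an empty list means well-formed.
     * Assumption: a mailbox address contains '@', while an app or object ID does not.
     */
    static List<String> problems(String b64) {
        List<String> out = new ArrayList<>();
        // The MIME decoder skips the line breaks found in wrapped samples.
        String raw = new String(Base64.getMimeDecoder().decode(b64), StandardCharsets.UTF_8);
        if (!raw.endsWith(CTRL_A + CTRL_A)) {
            out.add("missing ^A^A terminator");
            return out;
        }
        String[] parts = raw.substring(0, raw.length() - 2).split(CTRL_A, -1);
        if (parts.length != 2) {
            out.add("expected two fields (user, auth), found " + parts.length);
            return out;
        }
        if (!parts[0].startsWith("user=")) out.add("first field is not user=");
        else if (!parts[0].contains("@")) out.add("user is not a mailbox address");
        if (!parts[1].startsWith("auth=Bearer ")) out.add("second field is not auth=Bearer <token>");
        else if (parts[1].length() == "auth=Bearer ".length()) out.add("empty access token");
        return out;
    }

    public static void main(String[] args) {
        // Sample copied from the exchange above, line-wrapped as quoted there.
        String quoted = "dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYX\n"
                + "JlciB5YTI5LnZGOWRmdDRxbVRjMk52YjNSbGNrQmhkSFJoZG1semRHRXVZMjl0\n" + "Q2cBAQ==";
        System.out.println("quoted sample: " + problems(quoted));
        // Constructed input: a GUID where the mailbox belongs, plus a dummy token.
        String bad = encode("00000000-0000-0000-0000-000000000000", "TOKEN_PLACEHOLDER");
        System.out.println("GUID as user:  " + problems(bad));
        clientLines(encode("someuser@example.com", "TOKEN_PLACEHOLDER"), true).forEach(System.out::println);
    }
}
```

It uses only the JDK and runs with `java Xoauth2Check.java` on JDK 11 or later.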
DestryHines Thanks for pointing this out. For me, this command is executed internally from the JavaMail library functions. After reviewing your comment I tried to split the command into 2 lines using the property, "mail.pop3.auth.xoauth2.two.line.authentication.format" as true
Reference was taken from https://javadoc.io/static/com.sun.mail/jakarta.mail/2.0.1/jakarta.mail/com/sun/mail/pop3/package-summary.html
But I am still unable to establish a connection with POP3 protocol. And getting the same error message.
Note: Updated the POP3 code in this post
jambo Thank you for suggesting that I apply this property. I have tried to implement it in my existing code but I haven't had any success in establishing a connection through POP3.
Apart from this property, I tried setting:
- mail.pop3.auth.xoauth2.disable as false
- mail.pop3.auth.mechanisms as XOAUTH2
- mail.pop3.starttls.enable as true
Please let me know if any other parameters are required, or an existing parameter needs to be removed.
- LinaMM2022 (Copper Contributor), Oct 19, 2022
kirill247742. I think you're mixing functionalities.
This is not Microsoft Graph. Look at the documentation shared in this thread, because you need to create an application in order to make everything.
If you want to use Microsoft Graph, it is a completely different implementation.
- kirill247742 (Copper Contributor), Oct 19, 2022
Thanks, LinaMM2022 for the help!
Well, I don't see any library conflict and the token is correct. As for permissions in Azure for POP3, I'm not sure.
Now I have 6 of them:
Microsoft Graph (6)
- email
- IMAP.AccessAsUser.All
- offline_access
- POP.AccessAsUser.All
- SMTP.Send
- User.Read
Did I miss something important?
- LinaMM2022 (Copper Contributor), Oct 19, 2022
Hi kirill247742.
Well, it should be working with those parameters. Maybe you should confirm that your fonts are indeed using jakarta and you don't have maybe a library conflict.
Apart from that, make sure you're using the token (not the password from the account) and have all the permissions in Azure for POP3.
- kirill247742 (Copper Contributor), Oct 19, 2022
Hi LinaMM2022
Thanks for the advice, at least the error is already different)
Maybe you have encountered a similar error and can tell how to solve it
DEBUG POP3: AUTH XOAUTH2 using two line authentication format
DEBUG POP3: AUTH XOAUTH2 failed
Authentication failure: unknow user name or bad password
I am sure the data is correct. Perhaps I missed some access? Or something else..
- LinaMM2022 (Copper Contributor), Oct 18, 2022
Hi kirill247742.
The most important property for me was (And according to your log you're not using it):
properties.put("mail.pop3s.auth.xoauth2.two.line.authentication.format", "true");
Apart from that, properties were basically the same from IMAP:
"mail.pop3s.auth.mechanisms", "XOAUTH2"
"mail.pop3.ssl.enable", "true"
- kirill247742 (Copper Contributor), Oct 18, 2022
Hi LinaMM2022
I have a similar problem with POP3, and when I installed jakarta.mail 1.6.7 the problem still exists. Did you do anything else?
I have this debug text:
DEBUG POP3: Attempt to authenticate using mechanisms: XOAUTH2
DEBUG POP3: Using mechanism XOAUTH2
DEBUG POP3: AUTH XOAUTH2 command trace suppressed
DEBUG POP3: mail.pop3s.auth.xoath2.two.line.authentication.format: false
DEBUG POP3: AUTH XOAUTH2 using one line authentication format
DEBUG POP3: AUTH XOAUTH2 failed
- manish1614 (Brass Contributor), Sep 08, 2022
LinaMM2022 Thank you for suggesting this change, but in my case we are currently moving forward with only IMAP-based connections because there were other modules in my product which highly depend on the JavaMail jar.
In case we plan to implement POP3, we would definitely try to connect using the Jakarta Mail API. Thanks a lot.
- LinaMM2022 (Copper Contributor), Sep 07, 2022
Hi manish1614
I had a similar problem with POP3 with the latest version of javax.mail (1.6.2).
However, I was looking at the documentation and the project moved to Jakarta Mail. I replaced the project dependency with jakarta.mail 1.6.7 and POP3 started to work.
Hopefully it can work for you as well.
- manish1614 (Brass Contributor), Aug 03, 2022
I have been using JavaMail jar 1.5.5 all this time, so I tried to update it to 1.6.2 (latest).
I have checked the msal4j jar, which has version 1.12.0 (released on May 06, 2022); it seems fine.
After updating the jars I ran the flow for the POP3 connection again, but didn't get any success till now.
In some posts they say that we need to add the scope as "https://outlook.office.com/POP.AccessAsUser.All" explicitly in the code, but never tell how or where to specify it exactly.
As per my findings, the only valid scope value is "https://outlook.office365.com/.default"
- DestryHines (Copper Contributor), Aug 03, 2022
I'm not using Java but I'm having a similar problem in PHP using a third-party library called PHPMailer with SMTP now. I think most implementations didn't properly support client_credentials for the grant type because Microsoft didn't have it working properly. You may need to get an updated version or figure out in your Java code how it's handling the OAuth grant type and update the code until there's an update.