Office 365 OAuth2 working correctly for IMAP, not working for POP3

%3CLINGO-SUB%20id%3D%22lingo-sub-2427135%22%20slang%3D%22en-US%22%3EOffice%20365%20OAuth2%20working%20correctly%20for%20IMAP%2C%20not%20working%20for%20POP3%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2427135%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20I%20implemented%20OAuth2%20for%20authenticating%20an%20IMAP%20and%20POP%20connection%20for%20Outlook.com%20accounts%20in%20my%20app%2C%20using%20the%20authorization%20code%20flow%2C%20following%20the%20steps%20defined%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Flegacy-protocols%2Fhow-to-authenticate-an-imap-pop-smtp-application-by-using-oauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Flegacy-protocols%2Fhow-to-authenticate-an-imap-pop-smtp-application-by-using-oauth%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20implemented%20this%20in%20Node.js%20a%20few%20months%20ago%20and%20it%20was%20working%20correctly.%20However%20recently%20POP3%20stopped%20working%2C%20whilst%20IMAP%20still%20works%20fine.%20POP3%20works%20correctly%20when%20using%20Basic%20Authentication%20(username%20%2B%20password)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20the%20steps%20I%20follow%20to%20see%20if%20the%20process%20works%20correctly%20(outside%20of%20my%20Node.js%20app).%20Please%20correct%20me%20if%20anything%20is%20wrong%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E1.%20Create%20an%20app%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E-%20Go%20to%20portal.azure.com%2F%23home%3C%2FP%3E%3CP%3E-%20Manage%20Azure%20Active%20Directory%20%2F%20View%3C%2FP%3E%3CP%3E-%20App%20registrations%20%2F%20New%20Registration%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%20Set%20the%20name%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%20Set%20the%20supported%20account%20types%20to%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%20%22Accounts%20in%20any%20organizational%20directory%20(Any%20Azure%20AD%20directory%20-%20Multitenant)%20and%20personal%20Microsoft%20accounts%20(e.g.%20Skype%2C%20Xbox)%22%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%20Set%20the%20redirect%20URI%20to%20%3CA%20href%3D%22https%3A%2F%2F(myapp)%2Fcallback%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2F(myapp)%2Fcallback%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%20Create%20a%20secret%3A%20Certificates%20and%20secrets%20%2F%20New%20Client%20Secret%20(Set%20the%20name%20and%20the%20expiry%20time%20to%2024%20months)%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-%20Set%20up%20permissions%3A%20API%20permissions%20%2F%20Add%20a%20permission%20%2F%20Microsoft%20Graph%20%2F%20Delegated%20permissions%20%2F%20add%20%22openid%22%2C%20%22offline_access%22%2C%20%22POP.AccessAsUser.All%22%2C%20%22IMAP.AccessAsUser.All%22.%20Then%20I%20remove%20the%20%22User.Read%22%20permission%20set%20by%20default.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20I%20get%20the%20Application%20(client)%20ID%20and%20the%20client%20secret%20that%20I%20will%20use%20later%20in%20my%20requests%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E2.%20Create%20an%20account%20that%20I%20will%20connect%20to%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E-%20Go%20to%20outlook.live.com%2Fowa.%20Sign%20In%20%2F%20Create%20New%20Account%20%2F%20Set%20the%20new%20account%20details%3C%2FP%3E%3CP%3E-%20Then%20Settings%20%2F%20POP%20and%20IMAP%20%2F%20Set%20%22Let%20devices%20and%20apps%20use%20POP%22%20to%20Yes%2C%20and%20select%20%22Let%20apps%20and%20devices%20delete%20messages%20from%20Outlook%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E3.%20Request%20access%20to%20emails%20via%20IMAP%20using%20Postman%20(this%20works%20correctly)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E-%20Create%20the%20following%20url%20which%20I%20paste%20in%20a%20browser%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fv2.0%2Fauthorize%3F%0A%20%20%20%20client_id%3D(my_client_id)%26amp%3B%0A%20%20%20%20response_type%3Dcode%26amp%3B%0A%20%20%20%20redirect_uri%3D(my_redirect_uri)%26amp%3B%0A%20%20%20%20response_mode%3Dquery%26amp%3B%0A%20%20%20%20scope%3D%0A%20%20%20%20%20%20%20%20openid%2520%0A%20%20%20%20%20%20%20%20email%2520%0A%20%20%20%20%20%20%20%20offline_access%2520%0A%20%20%20%20%20%20%20%20https%253A%252F%252Foutlook.office.com%252FIMAP.AccessAsUser.All%0A%20%20%20%20%20%20%20%20%26amp%3B%0A%20%20%20%20state%3D12345%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20This%20will%20show%20a%20popup%20which%20I%20click%20Yes%2C%20and%20I%20get%20redirected%20to%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3E(my_redirect_uri)%3Fcode%3D(code)%26amp%3Bstate%3D12345%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20I%20use%20the%20code%20to%20send%20another%20request%2C%20now%20to%20obtain%20tokens%2C%20to%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fv2.0%2Ftoken%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%26nbsp%3Bhttps%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fv2.0%2Ftoken%3C%2FA%3E%3C%2FSPAN%3E%20with%20the%20following%20key-value%20pairs%20in%20the%20body%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Eclient_id%3A%20(my_client_id)%0Ascope%3A%20openid%20email%20offline_access%20https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All%0Aredirect_uri%3A%20(my_redirect_uri)%0Agrant_type%3A%20authorization_code%0Aclient_secret%20(my_client_secret)%0Acode%3A%20(code)%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20And%20I%20get%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%7B%0A%20%20%22token_type%22%3A%20%22Bearer%22%2C%0A%20%20%22scope%22%3A%20%22https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All%22%2C%0A%20%20%22expires_in%22%3A%203600%2C%0A%20%20%22ext_expires_in%22%3A%203600%2C%0A%20%20%22access_token%22%3A%20(access_token)%2C%0A%20%20%22refresh_token%22%3A%20(refresh_token)%2C%0A%20%20%22id_token%22%3A%20(id_token)%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Now%20with%20the%20access%20token%20I%20create%20the%20xoauth2%20token.%20One%20way%20to%20create%20it%20is%20in%20Javascript%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-javascript%22%3E%3CCODE%3Ebtoa(%22user%3D(the_user_that_gave_permission)%5Cx01auth%3DBearer%20(access_token)%5Cx01%5Cx01%22)%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20This%20creates%20the%20xoauth2%20token%2C%20which%20I%20then%20use%20to%20connect%20via%20IMAP%20using%20openssl%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Eopenssl%20s_client%20-showcerts%20-connect%20outlook.office365.com%3A993%20-servername%20outlook.office365.com%20-crlf%0A*%20OK%20The%20Microsoft%20Exchange%20IMAP4%20service%20is%20ready.%0A%3F%20AUTHENTICATE%20XOAUTH2%20(xoauth2_token)%0A%3F%20OK%20AUTHENTICATE%20completed.%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20I%20can%20see%20the%20contents%20of%20the%20inbox%2C%20e.g.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3E%3F%20SELECT%20%22INBOX%22%0A*%202%20EXISTS%0A*%202%20RECENT%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E4.%20Request%20access%20to%20emails%20via%20POP%20using%20Postman%20(it%20doesn't%20work)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20The%20authorize%20url%20now%20looks%20like%20this%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fv2.0%2Fauthorize%3F%0A%20%20client_id%3D(my_client_id)%26amp%3B%0A%20%20response_type%3Dcode%26amp%3B%0A%20%20redirect_uri%3D(my_redirect_uri)%26amp%3B%0A%20%20response_mode%3Dquery%26amp%3B%0A%20%20scope%3D%0A%20%20%20%20openid%2520%0A%20%20%20%20email%2520%0A%20%20%20%20offline_access%2520%0A%20%20%20%20https%253A%252F%252Foutlook.office.com%252FPOP.AccessAsUser.All%0A%20%20%26amp%3B%0A%20%20state%3D12345%E2%80%8B%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Get%20the%20popup%20again%2C%20click%20Yes%2C%20get%20redirected%20with%20a%20code%20as%20before%3C%2FP%3E%3CP%3E-%20Use%20the%20code%20to%20send%20another%20request%3CSPAN%3E%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fv2.0%2Ftoken%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fv2.0%2Ftoken%3C%2FA%3E%3C%2FSPAN%3E%20to%20obtain%20tokens%20for%20POP%2C%20with%20the%20following%20key%20value%20pairs%20in%20the%20body%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Eclient_id%3A%20(my_client_id)%0Ascope%3A%20openid%20email%20offline_access%20https%3A%2F%2Foutlook.office.com%2FPOP.AccessAsUser.All%0Aredirect_uri%3A%20(my_redirect_uri)%0Agrant_type%3A%20authorization_code%0Aclient_secret%20(my_client_secret)%0Acode%3A%20(code)%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20I%20get%20the%20following%20response%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%7B%0A%20%20%22token_type%22%3A%20%22Bearer%22%2C%0A%20%20%22scope%22%3A%20%22https%3A%2F%2Foutlook.office.com%2FPOP.AccessAsUser.All%20https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All%22%2C%0A%20%20%22expires_in%22%3A%203600%2C%0A%20%20%22ext_expires_in%22%3A%203600%2C%0A%20%20%22access_token%22%3A%20(access_token)%2C%0A%20%20%22refresh_token%22%3A%20(refresh_token)%2C%0A%20%20%22id_token%22%3A%20(id_token)%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Create%20the%20xoauth2%20token%2C%20connect%20via%20openssl%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3Eopenssl%20s_client%20-showcerts%20-connect%20outlook.office365.com%3A995%20-servername%20outlook.office365.com%20-crlf%0A%2BOK%20The%20Microsoft%20Exchange%20POP3%20service%20is%20ready.%20%5BTABPADIAUAAyADYANQBDAEEAMAAzADcANwAuAEcAQgBSAFAAMgA2ADUALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA%3D%3D%5D%0AAUTH%20XOAUTH2%0A%2B%0A(xoauth2_token)%0A-ERR%20Authentication%20failure%3A%20unknown%20user%20name%20or%20bad%20password.%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20It%20fails.%20I%20create%20another%20email%20account%20from%20scratch%2C%20only%20asking%20for%20POP3%2C%20in%20case%20the%20fact%20that%20I%20was%20asking%20for%20IMAP%20and%20POP%20is%20causing%20a%20conflict.%20When%20I%20create%20this%20new%20account%2C%20allow%20POP3%20connections%20as%20mentioned%20before.%20Follow%20all%20the%20steps%20mentioned%20above%2C%20and%20it%20fails%20to%20connect%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Can%20anyone%20help%20me%20with%20what%20is%20the%20problem%2C%20or%20what%20am%20I%20missing%3F%20this%20was%20working%20correctly%20a%20few%20months%20ago.%20Is%20there%20a%20way%20that%20I%20can%20see%20the%20status%20of%20the%20POP3%20servers%3F%20Or%20a%20wait%20to%20get%20information%20about%20what%20is%20causing%20this%20issue%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hello, I implemented OAuth2 for authenticating an IMAP and POP connection for Outlook.com accounts in my app, using the authorization code flow, following the steps defined in https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-i...

 

I implemented this in Node.js a few months ago and it was working correctly. However recently POP3 stopped working, whilst IMAP still works fine. POP3 works correctly when using Basic Authentication (username + password)

 

There are the steps I follow to see if the process works correctly (outside of my Node.js app). Please correct me if anything is wrong:

 

1. Create an app

- Go to portal.azure.com/#home

- Manage Azure Active Directory / View

- App registrations / New Registration

    - Set the name

    - Set the supported account types to:

        - "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)"

    - Set the redirect URI to https://(myapp)/callback/

    - Create a secret: Certificates and secrets / New Client Secret (Set the name and the expiry time to 24 months)

    - Set up permissions: API permissions / Add a permission / Microsoft Graph / Delegated permissions / add "openid", "offline_access", "POP.AccessAsUser.All", "IMAP.AccessAsUser.All". Then I remove the "User.Read" permission set by default.

 

- I get the Application (client) ID and the client secret that I will use later in my requests

 

2. Create an account that I will connect to

- Go to outlook.live.com/owa. Sign In / Create New Account / Set the new account details

- Then Settings / POP and IMAP / Set "Let devices and apps use POP" to Yes, and select "Let apps and devices delete messages from Outlook"

 

3. Request access to emails via IMAP using Postman (this works correctly)

- Create the following url which I paste in a browser

 

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=(my_client_id)&
    response_type=code&
    redirect_uri=(my_redirect_uri)&
    response_mode=query&
    scope=
        openid%20
        email%20
        offline_access%20
        https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All
        &
    state=12345

 

 

- This will show a popup which I click Yes, and I get redirected to

 

(my_redirect_uri)?code=(code)&state=12345

 

- I use the code to send another request, now to obtain tokens, to https://login.microsoftonline.com/common/oauth2/v2.0/token with the following key-value pairs in the body

 

client_id: (my_client_id)
scope: openid email offline_access https://outlook.office.com/IMAP.AccessAsUser.All
redirect_uri: (my_redirect_uri)
grant_type: authorization_code
client_secret (my_client_secret)
code: (code)

 

- And I get the following:

 

{
  "token_type": "Bearer",
  "scope": "https://outlook.office.com/IMAP.AccessAsUser.All",
  "expires_in": 3600,
  "ext_expires_in": 3600,
  "access_token": (access_token),
  "refresh_token": (refresh_token),
  "id_token": (id_token)
}

 

- Now with the access token I create the xoauth2 token. One way to create it is in Javascript

 

btoa("user=(the_user_that_gave_permission)\x01auth=Bearer (access_token)\x01\x01")

 

- This creates the xoauth2 token, which I then use to connect via IMAP using openssl:

 

openssl s_client -showcerts -connect outlook.office365.com:993 -servername outlook.office365.com -crlf
* OK The Microsoft Exchange IMAP4 service is ready.
? AUTHENTICATE XOAUTH2 (xoauth2_token)
? OK AUTHENTICATE completed.

 

Then I can see the contents of the inbox, e.g.

 

? SELECT "INBOX"
* 2 EXISTS
* 2 RECENT

 

 

4. Request access to emails via POP using Postman (it doesn't work)

 

- The authorize url now looks like this

 

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
  client_id=(my_client_id)&
  response_type=code&
  redirect_uri=(my_redirect_uri)&
  response_mode=query&
  scope=
    openid%20
    email%20
    offline_access%20
    https%3A%2F%2Foutlook.office.com%2FPOP.AccessAsUser.All
  &
  state=12345​

 

- Get the popup again, click Yes, get redirected with a code as before

- Use the code to send another request to https://login.microsoftonline.com/common/oauth2/v2.0/token to obtain tokens for POP, with the following key value pairs in the body:

 

client_id: (my_client_id)
scope: openid email offline_access https://outlook.office.com/POP.AccessAsUser.All
redirect_uri: (my_redirect_uri)
grant_type: authorization_code
client_secret (my_client_secret)
code: (code)

 

- I get the following response

 

{
  "token_type": "Bearer",
  "scope": "https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/IMAP.AccessAsUser.All",
  "expires_in": 3600,
  "ext_expires_in": 3600,
  "access_token": (access_token),
  "refresh_token": (refresh_token),
  "id_token": (id_token)
}

 

- Create the xoauth2 token, connect via openssl:

 

openssl s_client -showcerts -connect outlook.office365.com:995 -servername outlook.office365.com -crlf
+OK The Microsoft Exchange POP3 service is ready. [TABPADIAUAAyADYANQBDAEEAMAAzADcANwAuAEcAQgBSAFAAMgA2ADUALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
AUTH XOAUTH2
+
(xoauth2_token)
-ERR Authentication failure: unknown user name or bad password.

 

 

- It fails. I create another email account from scratch, only asking for POP3, in case the fact that I was asking for IMAP and POP is causing a conflict. When I create this new account, allow POP3 connections as mentioned before. Follow all the steps mentioned above, and it fails to connect again.

 

- Can anyone help me with what is the problem, or what am I missing? this was working correctly a few months ago. Is there a way that I can see the status of the POP3 servers? Or a wait to get information about what is causing this issue?

 

Thanks in advance.

0 Replies