Jul 19 2022 10:45 AM - last edited on Feb 01 2023 10:22 AM by TechCommunityAP
I am facing an authentication failure issue while trying to connect for both the IMAP and POP3 protocols using the Client Credential Grant flow for OAuth 2.0.
I have been following the steps suggested in "Authenticate an IMAP, POP or SMTP connection using OAuth".
I have been using this github project to fetch the Access Token using Client Credential Grant flow:
MSAL Client Credential Grant using Java
Java Code for IMAP:
```java
import java.util.Properties;
import javax.mail.MessagingException;
import javax.mail.NoSuchProviderException;
import javax.mail.Session;
import javax.mail.Store;

public static void connectIMAP(String userEmail, String accessToken) {
    String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";
    Properties props = new Properties();
    // Implicit TLS on port 993; the socketFactory.* properties below duplicate this setting.
    props.put("mail.imap.ssl.enable", "true");
    props.put("mail.imap.port", "993");
    // Offer XOAUTH2 only, so JavaMail never falls back to LOGIN/PLAIN with the token as a password.
    props.put("mail.imap.auth.mechanisms", "XOAUTH2");
    props.put("mail.imap.sasl.mechanisms", "XOAUTH2");
    props.put("mail.imap.auth.login.disable", "true");
    props.put("mail.imap.auth.plain.disable", "true");
    props.setProperty("mail.imap.socketFactory.class", SSL_FACTORY);
    props.setProperty("mail.imap.socketFactory.fallback", "false");
    props.setProperty("mail.imap.socketFactory.port", "993");
    props.setProperty("mail.imap.starttls.enable", "true"); // no effect on an already-TLS connection
    // mail.debug.auth=true writes the bearer token into the debug log: treat that log as a secret.
    props.put("mail.debug", "true");
    props.put("mail.debug.auth", "true");
    Session session = Session.getInstance(props);
    session.setDebug(true);
    try {
        final Store store = session.getStore("imap");
        // With XOAUTH2 the access token is passed where the password would normally go.
        store.connect("outlook.office365.com", userEmail, accessToken);
        if (store.isConnected()) {
            System.out.println("Connection Established using imap protocol successfully !");
        }
    } catch (NoSuchProviderException e) { // session.getStore()
        e.printStackTrace();
    } catch (MessagingException e) { // store.connect()
        e.printStackTrace();
    }
}
```
Java code for POP3:
```java
import java.util.Properties;
import javax.mail.Session;
import javax.mail.Store;

public static void connectPOP(String email, String accessToken) {
    Properties properties = new Properties();
    // Port 995 is POP3 over implicit TLS; without ssl.enable JavaMail would open a plaintext socket to it.
    properties.put("mail.pop3.ssl.enable", "true");
    properties.put("mail.pop3.port", "995");
    properties.put("mail.pop3.forgettopheaders", "true");
    properties.put("mail.pop3.auth.mechanisms", "XOAUTH2");
    properties.put("mail.pop3.auth.login.disable", "true"); // If true, prevents use of the USER and PASS commands. Default is false.
    properties.put("mail.pop3.auth.plain.disable", "true"); // If true, prevents use of the AUTH PLAIN command. Default is false.
    properties.put("mail.pop3.auth.xoauth2.disable", "false"); // If true, prevents use of the AUTH XOAUTH2 command. Hence set it to false.
    properties.put("mail.pop3.auth.xoauth2.two.line.authentication.format", "true"); // If true, splits the authentication command over two lines. Default is false.
    properties.put("mail.pop3.connectiontimeout", "15000");
    properties.put("mail.pop3.timeout", "15000");
    properties.put("mail.debug", "true"); // the debug log includes the token exchange; keep it private
    Session session = Session.getInstance(properties);
    session.setDebug(true);
    try {
        Store store = session.getStore("pop3");
        // The access token takes the place of the password.
        store.connect("outlook.office365.com", email, accessToken);
        if (store.isConnected()) {
            System.out.println("Connected with pop3 successfully !");
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
}
```
Following are the credentials which I have used while performing the Client Credential Grant flow.
Note: I have been using the default Active Directory and the default user (Admin) for my Azure account. Is it fine this way, or does it require a new custom Azure AD and a separate tenant for performing the client credential flow?
Below Image contains list of permissions I have applied in my app:
Error Logs:
*** IMAP ***
DEBUG: JavaMail version 1.5.6
Following is the list of jars I have used as a part of this development:
My Java Code Link (ideone): ClientCredentialGrantAndConnect.java
Please help and let me know if the program is not correct.
Or if any important step seems to be missing.
Thank you.
Jul 26 2022 12:22 AM
@manish1614 I'm also facing the same issue with IMAP OAuth authentication with the Client Credentials flow. I have followed Microsoft's documentation as you mentioned above. I have given the IMAP.AccessAsApp and POP.AccessAsApp permissions, but the access_token is not working with those permissions. Did you find any solution for this?
Jul 26 2022 12:46 PM - edited Jul 26 2022 12:59 PM
I'm having the same issue as well. I've tried every combination of things the documentation provides. If anyone finds a solution, please post it here.
Not sure if it helps you guys but I noticed the first post shows the scope as "https://outlook.office.com/.default" but in this post from 7/12/22 it specifically says to use "https://outlook.office365.com/.default".
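Added example for the two posts above (not code from the original posts, JavaMail or Microsoft): a small Python script that decodes an access token's claims locally to check the points this thread raises before the token goes into `store.connect(...)`: whether the audience matches the resource used in the scope, whether the `roles` claim carries `IMAP.AccessAsApp` / `POP.AccessAsApp` (a token with only delegated `scp` scopes is not a client-credentials token), and whether it has expired. It also builds and decodes the SASL XOAUTH2 initial client response that JavaMail sends, so the base64 string in the `mail.debug` output can be read back. The expected audience value is an assumption for this example, the sample token is constructed, and no signature verification is done (the mail server does that).

```python
import base64
import json
import time

# Audience a token requested with scope https://outlook.office365.com/.default
# (the scope the documentation cited in this thread uses) is expected to carry.
# ASSUMPTION for this example: compare against the aud in your own token.
EXPECTED_AUDIENCE = "https://outlook.office365.com"
# Application roles the thread names for the client-credentials flow.
REQUIRED_ROLE = {"imap": "IMAP.AccessAsApp", "pop": "POP.AccessAsApp"}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT without verifying the signature.
    Local inspection only: the mail server is the party that verifies tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims, protocol, now=None):
    """List reasons an access token would fail XOAUTH2 for 'imap' or 'pop'.
    An empty list means the claims look usable; the order of checks is fixed."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE:
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUDIENCE!r} "
                        "(token requested with the wrong scope/resource)")
    role = REQUIRED_ROLE[protocol]
    if role not in claims.get("roles", []):
        problems.append(f"roles lacks {role} "
                        "(application permission not granted or not admin-consented)")
    if "scp" in claims and "roles" not in claims:
        problems.append("token carries delegated scopes (scp) only: "
                        "this is not a client-credentials token")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def xoauth2_initial_response(user, access_token):
    """Build the SASL XOAUTH2 initial client response JavaMail sends after
    'AUTHENTICATE XOAUTH2' (IMAP) / 'AUTH XOAUTH2' (POP3):
    base64("user=" + user + "\\x01auth=Bearer " + token + "\\x01\\x01")."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_initial_response(response):
    """Inverse of xoauth2_initial_response, for reading the base64 string that
    mail.debug=true prints: returns (user, access_token)."""
    raw = base64.b64decode(response).decode("utf-8")
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    bearer = fields["auth"]
    if not bearer.startswith("Bearer "):
        raise ValueError("auth field is not a Bearer token")
    return fields["user"], bearer[len("Bearer "):]


def make_unsigned_jwt(claims):
    """CONSTRUCTED sample token for offline demonstration (alg 'none', empty
    signature). Entra ID never issues such tokens; it only feeds the checks above."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    soon = int(time.time()) + 3600
    good = {"aud": EXPECTED_AUDIENCE, "roles": ["IMAP.AccessAsApp", "POP.AccessAsApp"], "exp": soon}
    # The two mistakes discussed in the thread: the wrong resource in the scope, and
    # a delegated (scp) token instead of an application (roles) token.
    bad = {"aud": "https://outlook.office.com", "scp": "IMAP.AccessAsUser.All", "exp": soon}
    for name, claims in (("good", good), ("bad", bad)):
        token = make_unsigned_jwt(claims)
        print(name, check_token(decode_jwt_claims(token), "imap") or "looks usable")
    resp = xoauth2_initial_response("mailbox@example.com", make_unsigned_jwt(good))
    print("XOAUTH2 initial response decodes to user:", parse_xoauth2_initial_response(resp)[0])
```

Run it against a real token by pasting the token into `decode_jwt_claims`; an `aud` or `roles` mismatch reported here explains an `AUTHENTICATE failed` before any mailbox permission is involved, while a token that passes all checks but still fails points at the service principal / mailbox permission side.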
Jul 27 2022 03:45 AM
Jul 27 2022 03:48 AM
Jul 27 2022 10:18 AM
We're in the same boat here. Been working on this the entire day and haven't been able to get it to work. One thing I am confused about: how does Office 365 link the username (e.g. email address removed for privacy reasons) to the OAUTH2 credential? Am I supposed to be able to log in to any mailbox using the access token? I am getting the access token from a certificate attached to a created application in Azure.
Jul 27 2022 11:54 AM
Jul 27 2022 12:23 PM - edited Jul 27 2022 02:10 PM
What once was a simple process has now become infinitely more complicated! [cut this post because it contained potentially misleading info]
Jul 27 2022 12:42 PM
Jul 27 2022 12:47 PM
Jul 27 2022 12:58 PM
Jul 27 2022 01:13 PM - edited Jul 27 2022 02:10 PM
Thanks. However, in my case it doesn't help, as my app accesses IMAP in the background and therefore requires an application permission. I don't see the requisite permissions in the Azure GUI. To me, it looks like Microsoft has some unfinished work to do.
Jul 27 2022 01:30 PM
Jul 27 2022 02:01 PM
Jul 27 2022 11:53 PM
Jul 28 2022 02:22 PM
Jul 29 2022 01:11 AM
Jul 29 2022 01:22 AM
If your app is a long-running process that runs in the background, my understanding is that you need to add https://ps.outlook.com/IMAP.AccessAsApp permission. I've done this, but still AUTHENTICATE failed.
Jul 29 2022 05:19 AM - edited Jul 29 2022 06:41 AM
Solution
Hi. I had the same problem, but I think I made some progress.
I read the documentation a few times and tried a few times from the start, with the same error. I even tried using the client and object IDs instead of the email as the username, for lack of better ideas.
So this is where I think I made the mistake the previous times.
When you are at the part where you need to register the service principal, you need to execute
```powershell
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]
```
Here I put the enterprise application object ID as the ServiceId argument. And that is OK.
But on
```powershell
Add-MailboxPermission -Identity "email address removed for privacy reasons" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess
```
I put my registered application object ID as the User argument. I also tried setting the object ID of the enterprise application, but it did not succeed.
I also tried New-ServicePrincipal with the registered app object ID as the service ID, but it gave me the same result.
When I executed
```powershell
Get-ServicePrincipal -Organization <ORGANIZATION_ID> | fl
```
I did not pay attention to the ServiceId property, even with the documentation specifying it and saying it will be different.
Now I cleared everything and started fresh.
I executed all the steps again, but on the step where I need to add the mail permission, I list the service principals and then use the `ServiceId` value from the output as the argument for User.
With that, I was able to authorise.
Unfortunately, now I receive `C3 BAD User is authenticated but not connected.` when I try to list the inbox. But it is a step forward.
I am not sure if you made the same error as me, but maybe it will help you in some way.
I will post info when I find a fix for the new error, in case somebody comes across the same issue.
Jul 29 2022 06:35 AM