~petrus/mailctl-discuss


Re-direct to institution auth (Microsoft 365) not working

Message ID: <CS629DEVRAL1.4D3DSWGVAG8P@manjaro>
DKIM signature: missing

Hi, I just manually installed the latest version of mailctl, with the
distribution config.yaml and services.yaml, using the Thunderbird
clientID/secret.

Unfortunately, I'm stuck:
trying 
~~~
mailctl authorize microsoft robert.winkler@cinvestav.mx
~~~
gets me to a very ugly page (C 2016 Microsoft); I can give my PW, but
then an error page 'invalid request' is presented.

using
~~~
mailctl authorize microsoft robert.winkler@cinvestav.mx --company
~~~
seems to work first. I need to choose my domain and I can choose my
correct account. However, then a page is presented where it displays
'company-mail' and a password field. 
I enter my password, but my credentials are not recognized.

I'm running out of options now...

Best, Robert

Message ID: <CS64OG7VLPKD.8T35JT53YHVT@mashenka>
In-Reply-To: <CS629DEVRAL1.4D3DSWGVAG8P@manjaro>
DKIM signature: missing

On Tue Apr 25, 2023 at 20:56, Robert Winkler wrote:
> Hi, I just manually installed the latest version of mailctl, with the
> distribution config.yaml and services.yaml, using the Thunderbird
> clientID/secret.
>
> Unfortunately, I'm stuck:
> trying 
> ~~~
> mailctl authorize microsoft robert.winkler@cinvestav.mx
> ~~~
> gets me to a very ugly page (C 2016 Microsoft); I can give my PW, but
> then an error page 'invalid request' is presented.
>
> using
> ~~~
> mailctl authorize microsoft robert.winkler@cinvestav.mx --company
> ~~~
> seems to work first. I need to choose my domain and I can choose my
> correct account. However, then a page is presented where it displays
> 'company-mail' and a password field. 
> I enter my password, but my credentials are not recognized.
>

This route also takes me to login.live.com, which is for non-company addresses.
I don't think mailctl will work with such an SSO. I also think that if
a company has SSO they will have a strict policy of not allowing Thunderbird to
connect. Have you tried connecting with Thunderbird? Just to see if that works
at all?

Best,
Bence

> I'm running out of options now...
>
> Best, Robert

-- 
+36305425054
bence.ferdinandy.com

Message ID: <CS6WI2R7O6TU.13RDVI1178PL6@rob-itx-mini>
In-Reply-To: <CS64OG7VLPKD.8T35JT53YHVT@mashenka>
DKIM signature: missing

On Tue Apr 25, 2023 at 2:44 PM CST, Bence Ferdinandy wrote:
>
> On Tue Apr 25, 2023 at 20:56, Robert Winkler wrote:
> > Hi, I just manually installed the latest version of mailctl, with the
> > distribution config.yaml and services.yaml, using the Thunderbird
> > clientID/secret.
> >
> > Unfortunately, I'm stuck:
> > trying 
> > ~~~
> > mailctl authorize microsoft robert.winkler@cinvestav.mx
> > ~~~
> > gets me to a very ugly page (C 2016 Microsoft); I can give my PW, but
> > then an error page 'invalid request' is presented.
> >
> > using
> > ~~~
> > mailctl authorize microsoft robert.winkler@cinvestav.mx --company
> > ~~~
> > seems to work first. I need to choose my domain and I can choose my
> > correct account. However, then a page is presented where it displays
> > 'company-mail' and a password field. 
> > I enter my password, but my credentials are not recognized.
> >
>
> This route also takes me to login.live.com, which is for non-company addresses.
> I don't think mailctl will work with such an SSO. I also think that if
> a company has SSO they will have a strict policy of not allowing Thunderbird to
> connect. Have you tried connecting with Thunderbird? Just to see if that works
> at all?
>
> Best,
> Bence
>
> > I'm running out of options now...
> >
> > Best, Robert

Hi, Thunderbird works! As well, K-9 and other 3rd-party software. Thus,
there must be a solution. However, I don't understand how this
technically works.

Message ID: <CS7TIAZCV5MZ.1I58IARTDIV9N@mashenka>
In-Reply-To: <CS6WI2R7O6TU.13RDVI1178PL6@rob-itx-mini>
DKIM signature: missing

On Wed Apr 26, 2023 at 20:32, Robert Winkler wrote:
> On Tue Apr 25, 2023 at 2:44 PM CST, Bence Ferdinandy wrote:
> >
> > On Tue Apr 25, 2023 at 20:56, Robert Winkler wrote:
> > > Hi, I just manually installed the latest version of mailctl, with the
> > > distribution config.yaml and services.yaml, using the Thunderbird
> > > clientID/secret.
> > >
> > > Unfortunately, I'm stuck:
> > > trying 
> > > ~~~
> > > mailctl authorize microsoft robert.winkler@cinvestav.mx
> > > ~~~
> > > gets me to a very ugly page (C 2016 Microsoft); I can give my PW, but
> > > then an error page 'invalid request' is presented.
> > >
> > > using
> > > ~~~
> > > mailctl authorize microsoft robert.winkler@cinvestav.mx --company
> > > ~~~
> > > seems to work first. I need to choose my domain and I can choose my
> > > correct account. However, then a page is presented where it displays
> > > 'company-mail' and a password field. 
> > > I enter my password, but my credentials are not recognized.
> > >
> >
> > This route also takes me to login.live.com, which is for non-company addresses.
> > I don't think mailctl will work with such an SSO. I also think that if
> > a company has SSO they will have a strict policy of not allowing Thunderbird to
> > connect. Have you tried connecting with Thunderbird? Just to see if that works
> > at all?
> >
> > Best,
> > Bence
> >
> > > I'm running out of options now...
> > >
> > > Best, Robert
>
> Hi, Thunderbird works! As well, K-9 and other 3rd-party software. Thus,
> there must be a solution. However, I don't understand how this
> technically works.

That at least sounds hopeful, my company is definitely exchange only
unfortunately ...

Best,
Bence

-- 
+36305425054
bence.ferdinandy.com

Message ID: <CSUJ7VNATJII.1JVB8X6Z5ZOQS@antusb>
In-Reply-To: <CS64OG7VLPKD.8T35JT53YHVT@mashenka>
DKIM signature: missing

Hi,

mailctl doesn't seem to work for Outlook (Office365) institutional accounts with
an SSO. In my case, it is possible to configure Thunderbird for the same account
even though mailctl fails to generate a token.

I have used the following configuration for mailctl:
https://github.com/ferdinandyb/dotfiles/tree/master/.config/mailctl/

The problem that I am encountering while attempting to use mailctl is as
follows. After running mailctl with `mailctl authorize microsoft
<you@company.email>` (with `<you@company.email>` obviously replaced), I go to
http://localhost:8080 and am greeted with my institutional SSO page. However,
the SSO page is not fully operational because, as it appears, some additional
resources for the page are not loaded by the page's JS scripts. This prevents
the entire SSO auth flow from proceeding, making using mailctl to generate a
token impossible for my use case.

My guess as to why this is happening is that resources cannot be fetched by SSO
scripts due to strict CORS policies. After all, mailctl is presenting the SSO
auth flow through localhost:8080, even though the SSO is located on an internet-
facing external server. Requesting actual SSO resources from localhost:8080 is
probably rejected because the request is coming from a different origin to the
SSO, thus violating the CORS policies in place.

To prevent such issues from arising, mailctl could do the following:

  1. Upon startup, generate an OAuth flow endpoint URL. This should not be
     localhost, but rather a URL under the SSO domain.

  2. The user opens the OAuth endpoint URL in their browser, and completes the
     OAuth flow under the domain of their institutional SSO.

  3. The SSO auth completes, and Outlook returns a token to the registered
     OAuth client redirect URL (which is localhost)

  4. mailctl, listening on a port on localhost, reads the token.

Having the OAuth flow complete under the domain of the platform should, as I
understand, eliminate these issues and allow mailctl to generate a token for
users whose institutions employ SSOs rather than use the regular Outlook login
mechanism.

Forgive me if any of the information above is wrong. The investigation I have
done into this issue was not in-depth and the conclusions presented in this
email may be reflective of that.

Cheers,
kvo

Message ID: <mi3c36ixr4iggvznv6bs37m3gsvgtlx4hcm2w7l4autilubxwp@ksy6f5gafdeg>
In-Reply-To: <CSUJ7VNATJII.1JVB8X6Z5ZOQS@antusb>
DKIM signature: missing

On Wed, May 24, 2023 at 11:13:06PM +0930, kvo wrote:
> mailctl doesn't seem to work for Outlook (Office365) institutional accounts with
> an SSO.

Yes, it works for some people and it doesn't for others. Also some people
worked out some tricks to get it working. I suppose you read the threads.

> My guess as to why this is happening is that resources cannot be fetched by SSO
> scripts due to strict CORS policies. After all, mailctl is presenting the SSO
> auth flow through localhost:8080, even though the SSO is located on an internet-
> facing external server. Requesting actual SSO resources from localhost:8080 is

Not sure what "SSO script" means. Anyway, it is not what really happens,
mailctl (that is the local webserver in it) is not supposed to present
your login page whatever it is, instead it should just redirect to
`auth_endpoint` and so you can be talking to the real remote server.
In some cases, like yours, that does not happen.

Anyway, the bottom line is that I do not have an Office365 institutional
account so I am unable to figure out what is going on. Until somebody
provides me such an account I see very little chance to fix this issue.
These endless guessing games over long email threads don't work and I
don't want to waste any more of my time (or yours) on them.

Sorry for not being more helpful.
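
The redirect-then-callback flow sketched in kvo's steps 1 to 4, together with the last reply's point that the local web server should only redirect the browser to `auth_endpoint` and never serve the login page itself, as an added Python example (not mailctl's own code, which does not appear on this page). The endpoint, client id and scopes are constructed placeholders standing in for the values that services.yaml would supply.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; a real deployment reads these from services.yaml.
AUTH_ENDPOINT = "https://login.example.test/oauth2/authorize"
REDIRECT_URI = "http://localhost:8080"
CLIENT_ID = "example-client-id"
SCOPE = "openid offline_access"


def make_pkce():
    """Return (verifier, challenge) for PKCE with the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(login_hint, state, challenge):
    """Step 1: the URL the local server should answer with a 302 to.

    It lives under the identity provider's own domain, so the SSO page and
    all of its resources are loaded from the real remote server; nothing
    about the login page is ever served from localhost:8080.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "login_hint": login_hint,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Steps 3 and 4: the provider sends the browser back to localhost with
    ?code=...&state=...; the code is accepted only if state matches the value
    we generated, so a stray request to the local port cannot inject a code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not originate from our flow")
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    return query["code"][0]
```

The code returned here is then exchanged for tokens at the provider's token endpoint together with the PKCE verifier; that exchange is a plain POST and is left out of the example.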