~rjarry/aerc-discuss

Office 365 Authentication

Message ID: <CA+rC5JmSTNDTd=KB0h-NeXRExB2QpHCWCOXch4+A=CiTX0wFAw@mail.gmail.com>

Hi Everyone -

Just an update on my efforts to log into Office365 email with aerc.

My university has restricted access to App Registrations in Azure
Active Directory, as well as App Passwords in the Office Portal
Security Information page in My Account. The vast majority of
documented methods to authenticate to Office365 require an App
Registration and then use the credentials in a script. I've tried a
few of them to no avail as I can't get the credentials. I've also
tried using PowerShell to create an app registration with no success.

I've looked at using a notmuch/mbsync backend, but office365
authentication problems appear to exist for mbsync as well.

The only success I've had so far has been the credentials provided for
alpine, which triggered the devicelogin 'flow' successfully. My best
situation would be that somehow that can be created in aerc. This used
xoauth2 rather than oauthbearer:
SMTP Server (for sending)  =
smtp.office365.com/user=sasdfon@uts.edu.au/submit/auth=xoauth2
Inbox Path = {outlook.office365.com/ssl/user=sasdfon@uts.edu.au/auth=xoauth2}INBOX

Could anyone provide any further suggestions - or am I out of luck?

Thanks
Sam Ferguson

Message ID: <CMILTLNJPKQ9.2MPPH0AR0MUR5@mashenka>
In-Reply-To: <CA+rC5JmSTNDTd=KB0h-NeXRExB2QpHCWCOXch4+A=CiTX0wFAw@mail.gmail.com>

I can't recall your previous emails, so maybe you already tried these, but I'm also on
a Uni outlook for another email and what worked for me is using plain
password authentication. I was also experimenting with oauth by
"borrowing" credentials from an open source email app, would that maybe
work? At least that got me past the sanctioned app barrier.

Best,
Bence


--
+36305425054
bence.ferdinandy.com

Message ID: <CMILYUV6HDTY.OVZA8IBTPM7R@nix>
In-Reply-To: <CA+rC5JmSTNDTd=KB0h-NeXRExB2QpHCWCOXch4+A=CiTX0wFAw@mail.gmail.com>

On Tue Aug 30, 2022 at 12:49 AM +1000, Sam Ferguson wrote:
> Could anyone provide any further suggestions - or am I out of luck?

My university recently disabled app passwords,
so I ended up forwarding to this mailbox
(glad that it hasn't disabled forwarding as well).

Message ID: <CMJBVUDB5JKN.3PVKGRZ7GEVD1@Archetype>
In-Reply-To: <CA+rC5JmSTNDTd=KB0h-NeXRExB2QpHCWCOXch4+A=CiTX0wFAw@mail.gmail.com>

On Mon Aug 29, 2022 at 4:49 PM CEST, Sam Ferguson wrote:
> Could anyone provide any further suggestions - or am I out of luck?

The only thing I could find which looked somewhat on target – and
which you no doubt already found – was this StackExchange about using
SASL OAuth2:
https://unix.stackexchange.com/questions/625637/configuring-mbsync-with-authmech-xoauth2

-- 
Moritz Poldrack
https://moritz.sh

Message ID: <CMJRE32Z4NP2.31B4AZJXYT087@donbot>
In-Reply-To: <CMJBVUDB5JKN.3PVKGRZ7GEVD1@Archetype>

Hi Moritz

I've been investigating this as it seems Microsoft will be disabling app
passwords at some point in October [1] and I ended up being at the wrong end of
an X/Y test that disabled my access to my work email.

After going through nightmarish Azure control panels, getting administrators to
add App registrations, "secrets", and such, and then trying to generate the
refresh tokens and such, I found the following:

- Office 365 uses XOAUTH2 - a pre-standard protocol that eventually became
  OAUTH2. They are not the same, but are very close.
- `aerc` currently has support for *only* the standard version. To add support
  for the pre-standard version, library support would be needed. Library support
  did exist, and was provided by emersion/go-sasl but was removed [2].
- The protocols are very similar, but they are not the same. Some copy-paste can
  be done.

If `aerc` is to support post-October-Office365, then one of the following things
needs to happen:
1. We get library support for SASL-XOAUTH2 and then add the corresponding
`Authenticate` function as currently exists in lib/oauthbearer.go
2. We maintain our own copy of the XOAUTH2 code removed from emersion/go-sasl
and add our own uses of it.
3. We don't support Office365 until Microsoft starts providing standard OAUTH2
support in their IMAP SASL implementation.

I would personally happily go with 3 if it weren't for the fact that my employer
uses Microsoft for email hosting, which means I would have to switch mail
clients at work; I don't want to do that.
I suspect lots of people will be in that situation.

`mutt` does currently support XOAUTH2 as well as OAUTH2 - so if `mutt` ticks
your boxes - then it's `aerc`'s closest modern(ish) relative and might be worth
a shot.

However, we might consider doing a combination of 1 and 2.

I'll probably try to return to my nasty hacks in the next few weeks, but I'm not
a Go programmer, and imagine maintainers might have things to say before
agreeing to even support this protocol in principle.

All the Best

Luke

[1] https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
[2] https://github.com/emersion/go-sasl/commit/7bfe0ed36a210245143572d8f52f41485cbf57e1
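
As an added illustration of the "very close, but not the same" point above (example code, not aerc's or go-sasl's): an XOAUTH2 SASL client with the Start/Next shape that go-sasl's Client interface uses, next to the RFC 7628 OAUTHBEARER initial response for the same account and token. The locally declared interface, the JSON error field names and the sample user/host values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Client has the Start/Next shape of a SASL client (the same shape go-sasl uses);
// it is declared locally so this example builds without any external module.
type Client interface {
	Start() (mech string, ir []byte, err error)
	Next(challenge []byte) (response []byte, err error)
}

// xoauth2Client implements the pre-standard XOAUTH2 mechanism. The whole exchange
// is normally one initial response: "user=<user>^Aauth=Bearer <token>^A^A".
type xoauth2Client struct{ user, token string }

func NewXoauth2Client(user, token string) Client { return &xoauth2Client{user, token} }

func (c *xoauth2Client) Start() (string, []byte, error) {
	ir := []byte("user=" + c.user + "\x01auth=Bearer " + c.token + "\x01\x01")
	return "XOAUTH2", ir, nil
}

// Next only runs when the server rejects the token: it sends a JSON challenge and
// expects an empty client response before it closes the exchange with its own
// failure. The JSON is surfaced as a Go error (field names are an assumption).
func (c *xoauth2Client) Next(challenge []byte) ([]byte, error) {
	var e struct{ Status, Schemes, Scope string }
	if err := json.Unmarshal(challenge, &e); err != nil {
		return nil, fmt.Errorf("xoauth2: unparseable challenge %q: %w", challenge, err)
	}
	return []byte{}, fmt.Errorf("xoauth2: token rejected: status=%s schemes=%s scope=%s",
		e.Status, e.Schemes, e.Scope)
}

// OauthbearerInitialResponse builds the standard (RFC 7628) initial response for
// comparison: a GS2 header "n,a=<user>," precedes the same ^A-separated key/value
// block, which additionally names host and port.
func OauthbearerInitialResponse(user, host string, port int, token string) []byte {
	return []byte(fmt.Sprintf("n,a=%s,\x01host=%s\x01port=%d\x01auth=Bearer %s\x01\x01",
		user, host, port, token))
}

func main() {
	// Constructed sample account and token; not real credentials.
	mech, ir, _ := NewXoauth2Client("user@example.edu", "tok").Start()
	fmt.Printf("%s %q\n", mech, ir)
	fmt.Printf("OAUTHBEARER %q\n", OauthbearerInitialResponse("user@example.edu", "outlook.office365.com", 993, "tok"))
}
```

The two byte strings differ only in the GS2 prefix and the host/port fields, which is why the existing lib/oauthbearer.go logic largely carries over once a mechanism like this is available.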

Message ID: <CMK19D4847N1.1RI3VNPIOZZCU@Archetype>
In-Reply-To: <CMJRE32Z4NP2.31B4AZJXYT087@donbot>

Hi Luke,

thanks for your investigation.

On Wed Aug 31, 2022 at 1:40 AM CEST, Luke Drummond wrote:
> - Office 365 uses XOAUTH2 - a pre-standard protocol that eventually became
>   OAUTH2. They are not the same, but are very close.
I'd say I'm surprised, but we already had some "fun" with Gmail not
being standard compliant…

> If `aerc` is to support post-October-Office365, then one of the following things
> needs to happen:
> 1. We get library support for SASL-XOAUTH2 and then add the corresponding
> `Authenticate` function as currently exists in lib/oauthbearer.go
> 2. We maintain our own copy of the XOAUTH2 code removed from emersion/go-sasl
> and add our own uses of it.
I don't exactly like this idea, to be quite honest.
> 3. We don't support Office365 until Microsoft starts providing standard OAUTH2
> support in their IMAP SASL implementation.
I also don't like this idea.

So, I think #1 would be the best way forward; not sure on how to best
implement it though… OAuth2 has been a pain beyond belief every time I
touched it so far.

> I would personally happily go with 3 if it weren't for the fact that my employer
> uses Microsoft for email hosting, which means I would have to switch mail
> clients at work; I don't want to do that.
> I suspect lots of people will be in that situation.
I absolutely feel this. Had to use Outlook as per company policy and it
was the worst experience I've had so far.

> I'll probably try to return to my nasty hacks in the next few weeks, but I'm not
> a go programmer, and imagine maintainers might have things to say before
> agreeing to even support this protocol in principal.
I wouldn't be opposed to it, but I also wouldn't be happy. But we have
to acknowledge that "the people" won't get the oligopolists to care in
the slightest. Their market dominance comes from them being dominant, so
why bother being good?

-- 
Moritz Poldrack
https://moritz.sh

Message ID: <CMK1SGUR1486.XC04QH7SHU95@marty>
In-Reply-To: <CMK19D4847N1.1RI3VNPIOZZCU@Archetype>

Moritz Poldrack, Aug 31, 2022 at 09:24:
> > If `aerc` is to support post-October-Office365, then one of the following things
> > needs to happen:
> > 1. We get library support for SASL-XOAUTH2 and then add the corresponding
> > `Authenticate` function as currently exists in lib/oauthbearer.go
> > 2. We maintain our own copy of the XOAUTH2 code removed from emersion/go-sasl
> > and add our own uses of it.
> I don't exactly like this idea, to be quite honest.
> > 3. We don't support Office365 until Microsoft starts providing standard OAUTH2
> > support in their IMAP SASL implementation.
> I also don't like this idea.
>
> So, I think #1 would be the best way forward; not sure on how to best
> implement it though… OAuth2 has been a pain beyond belief every time I
> touched it so far.

Unfortunately, this seems to be a dead end. It was already discussed
when go-sasl removed XOAUTH2 support and they decided that they don't
want to maintain deprecated non-standard implementations.

https://github.com/emersion/go-sasl/issues/18#issuecomment-674888178

They recommend going with #2 :)

Given the minimal amount of code that would be required, I think it is
the best course of action.

Message ID: <CMK2CDH87ZMR.18PTFIBEXJAZW@Archetype>
In-Reply-To: <CMK1SGUR1486.XC04QH7SHU95@marty>

On Wed Aug 31, 2022 at 9:49 AM CEST, Robin Jarry wrote:
> Given the minimal amount of code that would be required, I think it is
> the best course of action.
Thus the BDFL has spoken. :)

Message ID: <CMK4PB8KU0OI.25Q149OF501WM@donbot>
In-Reply-To: <CMK1SGUR1486.XC04QH7SHU95@marty>

On Wed Aug 31, 2022 at 8:49 AM BST, Robin Jarry wrote:
> They recommend to go with #2 :)
>
> Given the minimal amount of code that would be required, I think it is
> the best course of action.

I'll find some time next week to take another shot at this. I'll send terrible
patches as soon as I'm able ;)

All the Best

Luke

Message ID: <CMK5B5WI0ANB.UR51HIVNL4GB@ramon>
In-Reply-To: <CMJBVUDB5JKN.3PVKGRZ7GEVD1@Archetype>

Hi folks,

I'd love to see official support for Office365's XOAUTH2 in aerc as
well, but just wanted to chime in to say that I do have a working setup
via mbsync and msmtp.

I essentially followed the instructions in the aforementioned
StackExchange to install Cyrus SASL OAuth2, get credentials with
mutt_oauth2.py, and configure mbsync.
(https://unix.stackexchange.com/questions/625637/configuring-mbsync-with-authmech-xoauth2)

Setting up msmtp for sending mail is basically the same -- you set
`auth` to `xoauth2` and use `passwordeval` to get credentials via
mutt_oauth2.py.

I'm happy to provide a more in-depth explanation if anyone wants it.

Best,

-- 
Jason Cox
jasoncarloscox.com

Message ID: <CA+rC5J=9g9Wn5j2HhEj1Ex7fNJG2UhaQNwaGeWZQHYa3vSMYDg@mail.gmail.com>
In-Reply-To: <CMK5B5WI0ANB.UR51HIVNL4GB@ramon>

Hi All -

Excited to say that with Jason's instructions I have got mbsync to
authenticate with xoauth2 and sync my office365 email. I'm then using
aerc's maildir support to read the mail directories.

Briefly, I had to:
1) install cyrus-sasl with Homebrew, then
2) download and compile the sasl xoauth2 plugin from source, then
3) move the plugin into the correct folder in the Homebrew tree, and
test with 'pluginviewer'
4) install mbsync with Homebrew
5) alter the brew formula to get mbsync to point to the Homebrew sasl2
installation as you can't load plugins into /usr/bin ..., and rebuild
mbsync with Homebrew
6) set up the .mbsyncrc config file with AuthMechs XOAUTH2 and the call
to mutt_oauth2.py
7) Set up mutt_oauth2.py provided by Jason and Georgia Tech.
8) change the mutt_oauth2.py tenant ID to my university's tenant ID
9) change the mutt_oauth2.py client ID and client secret to the ones for
Thunderbird
10) Test by generating the key and storing it.
11) Test syncing with mbsync
12) set up the msmtprc with a similar scheme to the mbsyncrc
13) Test it all out.

Seems to work so far but I haven't made sure every feature works yet.
I also haven't resolved the 'Sent Items' issue listed in the wiki.

I can write this up with all the gory details if it would help.

Cheers

Sam


Message ID: <CMODEUB132K3.1XGENERN3FTD1@ryzen>
In-Reply-To: <CA+rC5J=9g9Wn5j2HhEj1Ex7fNJG2UhaQNwaGeWZQHYa3vSMYDg@mail.gmail.com>

On Sun Sep 4, 2022 at 10:59 PM CEST, Sam Ferguson wrote:

> Excited to say that with Jason's instructions I have got mbsync to
> authenticate with xoauth2 and sync my office365 email. I'm then using
> aerc's maildir support to read the mail directories.

That's awesome!!!

> Briefly, I had to :
> 1) install cyrus-sasl with homebrew, then
 ...
> 13) Test it all out.

> I can write this up with all the gory details if it would help.

Seems like a candidate for the wiki, doesn't it?

Message ID: <CN93ERRQUXH6.5V6KN2ZB6WCX@bisio>
In-Reply-To: <CMODEUB132K3.1XGENERN3FTD1@ryzen>

Seems I missed this thread while being offline.

I just wanted to add that, although an obscure and convoluted solution exists
for Maildir (I have used it myself for the last few months, but it is precarious
and was a real pain to install), I think we should aim for IMAP access to o365
too.