Feature request for Microsoft Exchange OAuth2

[chascode]

Microsoft are dropping support for app passwords in September.

With an extension similar to "GMail OAuth2" (where I enter my client id/secret provided by Microsoft) I can still use snappymail after September.

I've considered using DavMail (available in debian's default repositories) as a gateway between snappymail and Microsoft's exchange servers.

[the-djmaze]

I was looking at it a few weeks ago, but had some trouble with it due to other changes Microsoft is making.

Will document my draft code and see what can be done.

[the-djmaze]

I've added my draft code.
Microsoft requires an Azure account that has an active subscription.
I'm not going to pay, so feel free to get the code working yourself.

https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

[the-djmaze]

Showstopper issue redirect_uri=https://domain.tld/?LoginO365:

invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

Problem is Microsoft:
https://learn.microsoft.com/en-us/entra/identity-platform/reply-url#query-parameter-support-in-redirect-uris

Query parameters are not allowed in redirect URIs for any app registration configured to sign in users with personal Microsoft accounts such as Outlook.com (Hotmail)

[the-djmaze]

For experimental usage with SnappyMail v2.36.1+ (requires Apache AcceptPathInfo):
https://github.com/the-djmaze/snappymail/tree/master/plugins/login-o365

This should be the most comprehensive "not working" draft code for anyone that wants to try using the most annoying OAuth implementer that exists.

I always advice to stop using Microsoft products, but somehow too many "advisors" keep selling the crap that Microsoft produces.
Since we don't have the power to kill it (i even tried through the EU-government, regarding email vendor lock-in), this code should be enough to get you going with implementing it.

[GregThib]

Hi!

This workaround seem to introduce a new failure: under Apache 2.4+, without mod_access_compat, giving a 500 error when trying to connect.
The Allow directive is obsolete and should not be employed now.

Maybe, a fix is to test the presence of mod_access_compat, and if not, use Require instead?

[the-djmaze]

@GregThib sorry, my bad. That rule shouldn't be in and i removed it.

[GregThib]

@GregThib sorry, my bad. That rule shouldn't be in and i removed it.

No problem, I use the in-dev version via git fetch, so these kinds of "bugs" are normal outside tagged versions.
I just wanted to prevent, in case the faulty code remain later.

[the-djmaze]

Ok, back to the drawing board.
It killed the Nextcloud integration #1703
47d18ca#r144395031