[Users] Oauth2 not working with Microsoft Exchange

Paul Rolland rol at witbe.net
Tue Oct 11 07:21:02 UTC 2022


Hello David,

On Mon, 10 Oct 2022 19:47:42 +0000
"David Fletcher" <David at megapico.co.uk> wrote:

> A further thought on this issue - when you registered the app at the
> Microsoft Azure portal, was there a choice about "Supported account
> types"? See the instructions here:
> https://learn.microsoft.com/en-us/graph/auth-register-app-v2

Checked that, thanks for the link
 
> Did you set it as the Claws Mail FAQ says to "Accounts in any
> organizational directory and personal Microsoft accounts"?

Yes, I did. This is what's instructed in the Claws FAQ, and I'm following
the instructions as closely as I can.
 
> The more restrictive account type settings required a different
> authorisation URL, of the format
> https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/authorize
> 
> instead of the less restrictive one
> https://login.microsoftonline.com/common/oauth2/v2.0/authorize.

Good point. Despite configuring as indicated above, maybe I could try the
requests using a browser or a curl/wget client, and see if I need to go to
the more restrictive form.
 
> If the client ID is linked to a more restrictive one Microsoft may be
> kicking out the TLS request sent to the less restrictive one. I'd have
> hoped it would give an error in that case, but maybe it doesn't and
> just drops the connection?

Well, I think MS is "abruptly" terminating the connection, causing that TLS
error, but if we look at the traces I've provided, it seems that there is a
reply anyway:

oauth2.c:239:Auth token: <--- I've a token displayed here
oauth2.c:244:Connect: login.microsoftonline.com:443 <--- we are connecting
... various ssl and ssl_certificate messages here, looks OK
oauth2.c:273:Body: client_id=.... <--- there is a body printed
oauth2.c:327:Complete body: client_id... <--- previous body with added permissions
socket.c:1268:rol - GNUTLS_E_PREMATURE_TERMINATION <--- my debug message
** Message: 09:13:58.947: OAuth2 access token not obtained

but then I have:
oauth2.c:339:OAuth2 - request: POST /common/oauth2/v2.0/token HTTP/1.1
<HTTP HEADER>
<MESSAGE BODY>

and an HTTP response!!!
 Response: HTTP/1.1 400 Bad Request
Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
....
with

{"error":"invalid_grant","error_description":"AADSTS70008: The provided authorization code or refresh token has expired due to inactivity. Send a new interactive authorization request for this user and resource.\r\nTrace ID: 660bb117-dffc-4b9f-b054-3764a07d0900\r\nCorrelation ID: 3e7e9a29-e3c7-42e8-bb73-7635f8f44dfe\r\nTimestamp: 2022-10-11 07:13:58Z","error_codes":[70008],"timestamp":"2022-10-11 07:13:58Z","trace_id":"660bb117-dffc-4b9f-b054-3764a07d0900","correlation_id":"3e7e9a29-e3c7-42e8-bb73-7635f8f44dfe","error_uri":"https://login.microsoftonline.com/error?code=70008"}

So, I think that the TLS error is simply that the MS server is considering
that it can drop the TLS connection following the 400 error message it sent
to me.

What is this expiration? Do I need to go through the whole process again
in the OAuth2 tab of the account?

Paul

-- 
Paul Rolland                                E-Mail : rol(at)witbe.net
CTO - Witbe.net SA                          Tel. +33 (0)1 47 67 77 77
18 Rue d'Arras, Bat. A11                    Fax. +33 (0)1 47 67 77 99
F-92000 Nanterre                            RIPE : PR12-RIPE

Please no HTML, I'm not a browser - Pas d'HTML, je ne suis pas un
navigateur "Some people dream of success... while others wake up and work
hard at it" 

"I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that 10
or 15 years from now, she will come to me and say 'Daddy, where were you
when they took freedom of the press away from the Internet?'"
--Mike Godwin, Electronic Frontier Foundation 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20221011/4d7b3a49/attachment.sig>
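The exchange described in the message above, as an added example that is not part of the original post nor Claws Mail's own oauth2.c: it builds the v2.0 token endpoint for the "common" versus a tenant-specific authority, builds a refresh_token grant body, and then parses whatever bytes the server sent before tearing the TLS session down. The point it demonstrates is that a complete "400 Bad Request" with an invalid_grant / AADSTS70008 body is an application-level answer ("go through interactive authorization again"), not a transport failure, and should be classified before the premature-termination error is reported. The sample responses are constructed here from the error shape quoted in the thread; the trace and correlation IDs are zeroed placeholders, and the tenant name "contoso" and client ID used in the usage call are hypothetical.

```python
import json
import re
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def token_endpoint(tenant="common"):
    # "common" is the multi-tenant endpoint; a registration restricted to one
    # directory must use its tenant ID or <tenant-name>.onmicrosoft.com instead.
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"


def refresh_body(client_id, refresh_token, scope):
    # Form-encoded body of a refresh_token grant for a public client (no secret).
    return urlencode({
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    })


def parse_http_response(raw):
    # Split a raw HTTP/1.1 response into (status, headers, body). A byte stream that
    # never reached the end of its header block is a genuine transport failure,
    # which is what a premature TLS termination looks like at this layer.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_token_response(raw):
    # Decide the client's next step from whatever the server managed to send.
    try:
        status, headers, body = parse_http_response(raw)
    except ValueError as exc:
        return {"action": "transport_error", "detail": str(exc)}
    if not headers.get("content-type", "").startswith("application/json"):
        return {"action": "unexpected_response", "status": status}
    payload = json.loads(body.decode("utf-8"))
    if status == 200 and "access_token" in payload:
        return {"action": "use_token", "expires_in": payload.get("expires_in")}
    error = payload.get("error")
    codes = list(payload.get("error_codes") or [])
    # The AADSTS number also leads the description; keep both sources in sync.
    m = re.match(r"AADSTS(\d+)", payload.get("error_description", ""))
    if m and int(m.group(1)) not in codes:
        codes.append(int(m.group(1)))
    if error == "invalid_grant":
        # The auth code or refresh token is unusable (AADSTS70008 is the idle-expiry
        # variant); the only remedy is a fresh interactive authorization.
        return {"action": "reauthorize", "status": status, "error": error, "codes": codes}
    if error in ("invalid_client", "unauthorized_client", "invalid_request", "invalid_scope"):
        # Mismatch between the request and the app registration (client ID, scopes,
        # redirect URI, account type): fix configuration, re-authorizing won't help.
        return {"action": "fix_registration", "status": status, "error": error, "codes": codes}
    return {"action": "error", "status": status, "error": error, "codes": codes}


# Constructed sample responses (not captured traffic); IDs are placeholders.
SAMPLE_400_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS70008: The provided authorization code or refresh token "
                         "has expired due to inactivity. Send a new interactive authorization "
                         "request for this user and resource.\r\nTrace ID: "
                         "00000000-0000-0000-0000-000000000000\r\nCorrelation ID: "
                         "00000000-0000-0000-0000-000000000000\r\nTimestamp: 2022-10-11 07:13:58Z",
    "error_codes": [70008],
    "error_uri": "https://login.microsoftonline.com/error?code=70008",
}).encode("utf-8")
SAMPLE_400 = (b"HTTP/1.1 400 Bad Request\r\n"
              b"Cache-Control: no-store, no-cache\r\n"
              b"Pragma: no-cache\r\n"
              b"Content-Type: application/json; charset=utf-8\r\n"
              b"Expires: -1\r\n"
              b"Content-Length: " + str(len(SAMPLE_400_BODY)).encode() + b"\r\n"
              b"\r\n" + SAMPLE_400_BODY)
SAMPLE_200_BODY = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                              "access_token": "eyJ.placeholder", "refresh_token": "0.placeholder"}).encode()
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
              b"Content-Length: " + str(len(SAMPLE_200_BODY)).encode() + b"\r\n\r\n" + SAMPLE_200_BODY)

if __name__ == "__main__":
    print("POST", token_endpoint(), "\n", refresh_body("00000000-client-id", "0.placeholder", "offline_access"))
    print(classify_token_response(SAMPLE_400))
    print(classify_token_response(SAMPLE_400[:30]))   # header block cut off: transport error
    print(classify_token_response(SAMPLE_200))
```

The ordering inside classify_token_response is the practical takeaway: read and parse the bytes already received before reporting GNUTLS_E_PREMATURE_TERMINATION, because a server that closes the connection right after a complete 400 has still answered, and that answer says which remedy applies.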