[Users] [PATCH] OAUTH2: Recognize client secret for MS Exchange

David Fletcher David at megapico.co.uk
Wed Aug 23 12:58:13 UTC 2023


>From: Julian Wollrath <jwollrath at web.de>
>To: users at lists.claws-mail.org
>Subject: [Users] [PATCH] OAUTH2: Recognize client secret for MS Exchange
>
>MS Outlook and MS Exchange require a client secret but setting a client
>secret was ignored due to the field in OAUTH2info being empty. Fix this
>by setting it.

Hi Julian,

Is there a change in requirement from MS that a secret is now required?
Previously they did not require it. Or do you have a local requirement
that you use the secret?

The patch will 'switch on' entry of a secret. But for those using MS
services without using a secret it could lead to problems which would
need checking out. It might not be as simple as those users just leaving
the secret blank. For example, when the uri string to be sent to MS is
constructed in oauth2.c around line 428/9:

uri = g_uri_escape_string (client_secret, NULL, FALSE);
tmp = g_strconcat (body, "&client_secret=", uri, NULL);

An empty client secret where one is expected will lead to building uri
with a query parameter that has no value. According to RFC 3986 such a
string would be valid - but it would need testing how MS responds to it.
https://www.rfc-editor.org/rfc/rfc3986#section-3.4  Actually it would be
a simple check to spot an empty client secret and avoid this issue if
necessary.

Could you check whether this is an issue, or could you just operate
without the secret? I don't think it adds much if anything to the
security of the transaction since for a personally registered app you
are the only one using the client ID anyway.

Best regards, David.
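The "simple check" David suggests, as an added example that is not claws-mail code and not a copy of the oauth2.c logic being discussed: build the token-request body so that client_secret is only appended when it is non-empty, and scan a finished body for any parameter left without a value (the "&client_secret=" case). GLib's g_uri_escape_string is replaced here by a plain RFC 3986 percent-encoder so the file compiles with the C standard library alone; the parameter names are the standard authorization-code grant fields and are an assumption about how the body is laid out, since the page only shows the two client_secret lines.

```c
/*
 * Added example (not claws-mail code): build an OAuth2 token-request body,
 * percent-encoding every value and omitting client_secret when it is empty,
 * then check a body for valueless parameters such as "&client_secret=".
 * url_escape() stands in for g_uri_escape_string(); parameter layout is an
 * assumption, not taken from oauth2.c.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 section 2.3: unreserved characters pass through, all other bytes
 * become %XX. Returns a malloc'd string the caller frees, or NULL. */
static char *url_escape(const char *s)
{
    char *out = malloc(strlen(s) * 3 + 1);  /* worst case: every byte escaped */
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            *p++ = (char)c;
        } else {
            sprintf(p, "%%%02X", c);
            p += 3;
        }
    }
    *p = '\0';
    return out;
}

/* Build "grant_type=authorization_code&client_id=...&code=...&redirect_uri=..."
 * and append "&client_secret=..." only when a non-empty secret is configured,
 * so a blank secret never produces a parameter with no value. */
char *build_token_body(const char *client_id, const char *client_secret,
                       const char *code, const char *redirect_uri)
{
    int have_secret = client_secret && *client_secret;
    char *id = url_escape(client_id);
    char *cd = url_escape(code);
    char *ru = url_escape(redirect_uri);
    char *sec = have_secret ? url_escape(client_secret) : NULL;
    char *body = NULL;

    if (id && cd && ru && (!have_secret || sec)) {
        size_t need = strlen("grant_type=authorization_code&client_id=") + strlen(id)
                    + strlen("&code=") + strlen(cd)
                    + strlen("&redirect_uri=") + strlen(ru)
                    + (sec ? strlen("&client_secret=") + strlen(sec) : 0) + 1;
        body = malloc(need);
        if (body) {
            snprintf(body, need,
                     "grant_type=authorization_code&client_id=%s&code=%s&redirect_uri=%s",
                     id, cd, ru);
            if (sec) {
                strcat(body, "&client_secret=");
                strcat(body, sec);
            }
        }
    }
    free(id);
    free(cd);
    free(ru);
    free(sec);
    return body;
}

/* Return 1 if any parameter in body has an '=' followed directly by '&' or
 * end of string, i.e. a name with no value. Percent-encoded values cannot
 * contain a raw '=', so every '=' seen is a name/value separator. */
int has_empty_param(const char *body)
{
    for (; *body; body++) {
        if (*body == '=' && (body[1] == '&' || body[1] == '\0'))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values, not real credentials. */
    char *without = build_token_body("abc123", "", "M.R3_code/x+y",
                                     "https://localhost:8888/callback");
    char *with = build_token_body("abc123", "s3cr~t", "M.R3_code/x+y",
                                  "https://localhost:8888/callback");
    printf("%s\n%s\n", without, with);
    printf("valueless param in \"a=1&client_secret=\": %d\n",
           has_empty_param("a=1&client_secret="));
    free(without);
    free(with);
    return 0;
}
```

The omission happens at build time rather than by post-processing the body, so the check function is only a safety net for bodies assembled elsewhere; whether Microsoft's token endpoint actually rejects a valueless client_secret, as David asks, still has to be tested against the live service.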

