[Users] [PATCH] OAUTH2: Recognize client secret for MS Exchange
Julian Wollrath
jwollrath at web.de
Wed Aug 23 13:28:11 UTC 2023
Hi David,
On Wed, 23 Aug 2023 12:58:13 +0000,
"David Fletcher" <David at megapico.co.uk> wrote:
> Is there a change in requirement from MS that a secret is now
> required? Previously they did not require it. Or do you have a local
> requirement that you use the secret?
For my work account the client secret is needed; I was not aware that
that is not universal.
>
> The patch will 'switch on' entry of a secret. But for those using MS
> services without using a secret it could lead to problems which would
> need checking out. It might not be as simple as those users just
> leaving the secret blank. For example, when the uri string to be sent
> to MS is constructed in oauth2.c around line 428/9:
>
> uri = g_uri_escape_string (client_secret, NULL, FALSE);
> tmp = g_strconcat (body, "&client_secret=", uri, NULL);
>
> An empty client secret where one is expected will lead to building uri
> with a query parameter that has no value. According to RFC 3986 such a
> string would be valid - but it would need testing how MS responds to
> it. https://www.rfc-editor.org/rfc/rfc3986#section-3.4 Actually it
> would be a simple check to spot an empty client secret and avoid this
> issue if necessary.
>
> Could you check whether this is an issue, or could you just operate
> without the secret? I don't think it adds much if anything to the
> security of the transaction since for a personally registered app you
> are the only one using the client ID anyway.
I modified the patch so that an empty client secret will not result in
adding '&client_secret' to the URI.
Cheers,
Julian
-- >8 --
From 5ae63f061c6155d994269b9c6d2327236ccec82c Mon Sep 17 00:00:00 2001
From: Julian Wollrath <jwollrath at web.de>
Date: Wed, 23 Aug 2023 10:51:12 +0200
Subject: [PATCH] OAUTH2: Recognize client secret for MS Exchange
MS Outlook and MS Exchange require a client secret but setting a client
secret was ignored due to the field in OAUTH2info being empty. Fix this
by setting it.
---
src/oauth2.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/src/oauth2.c b/src/oauth2.c
index f9bd47802..0f90b99e2 100644
--- a/src/oauth2.c
+++ b/src/oauth2.c
@@ -68,7 +68,7 @@ static gchar *OAUTH2info[4][17]={
""},
{"login.microsoftonline.com",
"",
- "",
+ ".",
"http://127.0.0.1:8888",
"/common/oauth2/v2.0/authorize",
"/common/oauth2/v2.0/token",
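Review bot: the "." placed in the client-secret column of OAUTH2info is an undocumented magic value; nothing in the table says that a single dot means "the secret must come from the user". Add a comment on the entry (or introduce a dedicated flag/column) so a future reader does not take it for a real encoded secret, and keep in mind that whatever sits in this column is what the else branch later hands to oauth2_decode() when neither of the preceding branches is taken.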
@@ -85,7 +85,7 @@ static gchar *OAUTH2info[4][17]={
""},
{"login.microsoftonline.com",
"",
- "",
+ ".",
"http://127.0.0.1:8888",
"/common/oauth2/v2.0/authorize",
"/common/oauth2/v2.0/token",
@@ -282,13 +282,17 @@ int oauth2_obtain_tokens (Oauth2Service provider,
OAUTH2Data *OAUTH2Data, const //Only allow custom client secret if the
service provider would usually expect a client secret
if(OAUTH2Data->custom_client_secret) client_secret =
g_strdup(OAUTH2Data->custom_client_secret);
+ else if(OAUTH2info[i][OA2_CLIENT_SECRET][0] == "." && (i ==
OAUTH2AUTH_OUTLOOK || i == OAUTH2AUTH_EXCHANGE))
+ client_secret = g_strconcat ("", NULL);
else
client_secret =
oauth2_decode(OAUTH2info[i][OA2_CLIENT_SECRET]);
- uri = g_uri_escape_string (client_secret, NULL, FALSE);
- tmp = g_strconcat (body, "&client_secret=", uri, NULL);
- g_free(body);
- g_free(uri);
- body = tmp;
+ if(!(OAUTH2info[i][OA2_CLIENT_SECRET][0] == "." && (i ==
OAUTH2AUTH_OUTLOOK || i == OAUTH2AUTH_EXCHANGE))){
+ uri = g_uri_escape_string (client_secret, NULL, FALSE);
+ tmp = g_strconcat (body, "&client_secret=", uri, NULL);
+ g_free(body);
+ g_free(uri);
+ body = tmp;
+ }
}else{
client_secret = g_strconcat ("", NULL);
}
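Review bot: `OAUTH2info[i][OA2_CLIENT_SECRET][0] == "."` compares a single gchar with a string literal, i.e. an integer with a pointer; the compiler will warn about it and the comparison will never be true, so both the new `else if` branch and the guard around the `&client_secret=` append are effectively dead and the code still behaves as before. Use a character literal (`== '.'`) or `strcmp(OAUTH2info[i][OA2_CLIENT_SECRET], ".") == 0`. Even with that fixed, the guard tests the sentinel again instead of testing `client_secret`, so for OAUTH2AUTH_OUTLOOK and OAUTH2AUTH_EXCHANGE the custom secret assigned in the first branch is never appended to the body, which defeats the purpose of the patch. A single check on the value that was actually chosen, `if (client_secret && *client_secret) { ... }`, sends a user-supplied secret, skips the parameter when it is empty (the case David raised) and removes the duplicated sentinel expression; `g_strconcat ("", NULL)` could then be the plainer `g_strdup ("")`.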
@@ -423,13 +427,17 @@ gint oauth2_use_refresh_token (Oauth2Service
provider, OAUTH2Data *OAUTH2Data) //Only allow custom client secret if
the service provider would usually expect a client secret
if(OAUTH2Data->custom_client_secret) client_secret =
g_strdup(OAUTH2Data->custom_client_secret);
+ else if(OAUTH2info[i][OA2_CLIENT_SECRET][0] == "." && (i ==
OAUTH2AUTH_OUTLOOK || i == OAUTH2AUTH_EXCHANGE))
+ client_secret = g_strconcat ("", NULL);
else
client_secret =
oauth2_decode(OAUTH2info[i][OA2_CLIENT_SECRET]);
- uri = g_uri_escape_string (client_secret, NULL, FALSE);
- tmp = g_strconcat (body, "&client_secret=", uri, NULL);
- g_free(body);
- g_free(uri);
- body = tmp;
+ if(!(OAUTH2info[i][OA2_CLIENT_SECRET][0] == "." && (i ==
OAUTH2AUTH_OUTLOOK || i == OAUTH2AUTH_EXCHANGE))){
+ uri = g_uri_escape_string (client_secret, NULL, FALSE);
+ tmp = g_strconcat (body, "&client_secret=", uri, NULL);
+ g_free(body);
+ g_free(uri);
+ body = tmp;
+ }
}else{
client_secret = g_strconcat ("", NULL);
}
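Review bot: this hunk repeats the logic of the oauth2_obtain_tokens hunk verbatim, including the `== "."` pointer-versus-character comparison and the sentinel-based guard that ends up never appending the custom secret for the MS providers. Whatever the final form of the condition is, consider moving the "pick the client secret and append it to the body if non-empty" steps into one static helper called from both oauth2_obtain_tokens and oauth2_use_refresh_token, so the fix and its tests live in a single place.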
--
() ascii ribbon campaign - against html e-mail
/\ - against proprietary attachments
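The behaviour the thread is after, appending client_secret to the token-request body only when a secret is actually configured and percent-encoding it per RFC 3986, as an added stand-alone illustration that is not Claws Mail code: plain C without GLib, with hypothetical names build_token_body and uri_escape (assumptions, not project functions).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-encode everything except the RFC 3986 unreserved set
 * (ALPHA / DIGIT / "-" / "." / "_" / "~"), as a strict escaper would. */
static char *uri_escape(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(3 * n + 1);   /* worst case: every byte -> %XX */
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')
            *p++ = (char)c;
        else
            p += sprintf(p, "%%%02X", c);
    }
    *p = '\0';
    return out;
}

/* Build the authorization_code token request body. The client_secret
 * parameter is appended only when the caller really has one (non-NULL and
 * non-empty), so a valueless "&client_secret=" is never sent. Returns a
 * newly allocated string the caller must free(). */
char *build_token_body(const char *code, const char *client_id,
                       const char *client_secret)
{
    const char *fmt = "grant_type=authorization_code&client_id=%s&code=%s";
    char *id = uri_escape(client_id);
    char *cd = uri_escape(code);
    char *sec = (client_secret && *client_secret) ? uri_escape(client_secret) : NULL;
    size_t len = strlen(fmt) + strlen(id) + strlen(cd)
               + (sec ? strlen("&client_secret=") + strlen(sec) : 0) + 1;
    char *body = malloc(len);
    if (body) {
        snprintf(body, len, fmt, id, cd);
        if (sec) {
            strcat(body, "&client_secret=");
            strcat(body, sec);
        }
    }
    free(id); free(cd); free(sec);
    return body;
}
```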