[Users] office365 oauth2

dmacdoug dmacdoug at usc.edu
Mon May 15 11:05:17 UTC 2023


On Mon, May 15, 2023 at 09:41:47AM +0000, David Fletcher wrote:
> >dmacdoug <dmacdoug at usc.edu> wrote:
> >
> >> Step 1 is to login to portal.azure.com which works.
> 
> Hi Don,
> 
> I wonder if this very first step, which appears to work, is also where
> things go wrong. Are you connecting to Azure using your university
> login?

I went to a university webpage which used a two step authentication to ID 
me against the university directory, which then in the case of Thunderbird
put me directly into my email account, but in the case of Claws-mail bounced
me to the Azure page.

>  That means you're then restricted by the permissions granted to
> you by the university - for example they may not want you to create
> applications under their name.
> 
> However, there's no need to use the university Azure account to create
> your Claws Mail ClientID. Just as Thunderbird's Client ID is not
> created under an Azure account linked to your university.
> 
> I would suggest using a personal Azure account, under which you can set
> up the ClientID exactly as you need for Claws. You then authorise Claws
> to connect to your university email using that ClientID. This way the
> university just sees an email client being authorised to read/write
> email. It does not see a whole application being created under their
> name/account/tenancy or whatever the Microsoft term for this is.
> 
> In the Claws OAuth2 FAQ for Microsoft it says "set Supported account
> types to the most permissive option: "Accounts in any organizational
> directory and personal Microsoft accounts"". This is the part that
> lets you create the ClientID under one account (e.g. your personal Azure
> account), but create the ClientID that will allow you to connect to
> other organisations (e.g. your university).
> 
> See if this works, best wishes,
> 
> David.

I'm not sure that's the full story.  In the case of getmail, I recall that
the use of the Thunderbird client_id and secret were first described by
someone who used them to get into their Gmail account.  They couldn't
do it on their own.  The ID and secret came from Thunderbird.

Then later the same id and secret were used with office365.  The id and
secret are in one of the source files for T-bird.  One could use the ID and
secret from Outlook or any other client if you knew it but since they are
proprietary you can't get at it, but since T-bird is open source the id and
secret are accessible to the public.  I don't think Thunderbird, Outlook,
etc.  have different id and secret pairs for each and every individual email
system that requires oauth2 authentication.

But, perhaps it would work anyway.  If so, a similar method would have
worked for getmail as well.  It would require me to set up my own account on
Azure that I have no intention of using other than to get the token which I
would then use for a completely different purpose.

Do I have this correct or have I misunderstood you?

DWM
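The exchange the thread is arguing about, written out as an added example (this is editor-supplied illustration code, not Claws Mail, Thunderbird or Microsoft code). It builds the Microsoft identity platform v2.0 authorization request against the multi-tenant "common" authority, which is what a registration with "Accounts in any organizational directory and personal Microsoft accounts" is allowed to use, checks the redirect that comes back, assembles the token request, and finally the SASL XOAUTH2 string the mail client sends to the IMAP server. The client ID, redirect URI, tenant names, code and token values are placeholders, not real registrations.

```python
"""
Added example, not code from Claws Mail, Thunderbird or Microsoft: what an
IMAP client does with a client ID registered in one Azure tenant when it
signs in to a mailbox in another.  All identifiers below are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

LOGIN_HOST = "https://login.microsoftonline.com"

# Scopes a mail client asks for; "offline_access" is what yields the refresh
# token that lets the client log in again without another browser round trip.
MAIL_SCOPES = (
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
    "offline_access",
)


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-character random verifier; for a public client this is the only per-sign-in secret."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def authorize_url(client_id, redirect_uri, code_challenge, state, tenant="common", scopes=MAIL_SCOPES):
    """Browser URL for the authorization-code request.

    tenant="common" is the multi-tenant authority: a registration that allows
    accounts in any organizational directory may use it, so one client ID can
    sign in users from any organisation.  A single-tenant registration must put
    its own tenant ID or domain (e.g. "contoso.onmicrosoft.com") here instead.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{LOGIN_HOST}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params, safe="/", quote_via=quote)


def parse_redirect(redirect_url, expected_state):
    """Extract the code from the redirect back to the client; reject a wrong state (CSRF)."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response was not for the request we sent")
    return query["code"][0]


def token_request(client_id, code, redirect_uri, code_verifier, tenant="common", scopes=MAIL_SCOPES):
    """URL and form body for exchanging the code; a public (desktop) client sends no client_secret."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": " ".join(scopes),
    }
    return f"{LOGIN_HOST}/{tenant}/oauth2/v2.0/token", body


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response for IMAP AUTHENTICATE / SMTP AUTH."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Placeholder registration values (assumptions), not a real app.
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "http://localhost"
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    print("open in browser:", authorize_url(client_id, redirect_uri, pkce_challenge(verifier), state))
    # Constructed redirect, as the browser would return it after a successful sign-in:
    code = parse_redirect(f"{redirect_uri}/?code=0.PLACEHOLDER&state={state}", state)
    url, body = token_request(client_id, code, redirect_uri, verifier)
    print("POST", url, body)
    print("a1 AUTHENTICATE XOAUTH2", xoauth2_initial_response("you@university.example", "<access_token>"))
```

Two things worth noticing in relation to the thread. First, a desktop mail client is a public client: the token request above carries no client_secret, and a secret compiled into a shipped client is public by construction anyway, so an ID read out of an open-source client's source tree protects nothing by itself; the per-sign-in PKCE verifier is what binds the authorization code to the process that requested it. Second, the authorization code and the tokens are delivered to the redirect URI on the user's own machine, not to whoever owns the app registration, which is why a client ID registered under a personal tenant can be used against a university mailbox without the registering account ever seeing the mail.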
