[Users] office365 oauth2

dmacdoug dmacdoug at usc.edu
Mon May 15 11:28:37 UTC 2023


On Mon, May 15, 2023 at 04:36:33PM +0600, Dustin Miller wrote:
> On Mon, 15 May 2023 03:02:32 -0700
> dmacdoug <dmacdoug at usc.edu> wrote:
> 
> > On Mon, May 15, 2023 at 08:45:14AM +0200, Paul Rolland wrote:
> > > Hello,
> > > 
> > > On Sun, 14 May 2023 15:37:47 -0700
> > > dmacdoug <dmacdoug at usc.edu> wrote:
> > >   
> > > > I know I should probably stop wasting time on getting claws-mail
> > > > to work with the oauth2 authentication and just continue to use
> > > > Thunderbird, but I just thought it would be nice to only have one
> > > > GUI mail client on my laptop which could access both accounts.
> > > > Sometimes I get obsessed with a problem when I should just let it
> > > > go, especially since I also have access from my phone as well and
> > > > as a last resort webmail.  
> > > 
> > > Well, I was one having issues with OAuth2 and M365, but since I got
> > > it working, a few months ago, it's perfect with Claws-mail. 
> > > One of the important points I don't see in the list of operations
> > > you did is declaring Claws as an accepted client application for
> > > M365. I'm lucky enough to be the admin of the tenant, so I did it
> > > in Azure, and maybe what you do reusing TB id's is equivalent, but
> > > following the step-by-step guide really made it work for me.
> > >  
> > I think I'm beginning to see what my problem is.  I have just in the
> > last few days begun to see the word tenant used and I didn't know
> > what it meant, but I think I see that it means the particular
> > organization whose email is hosted by office365.  If I understand
> > correctly, the tenant in my case is my university, and so the admin
> > for the university decides which clients can be used.  
> > 
> DM: I don't know all the details of how everything works, but this is
> my understanding as well from my limited experience.
> > 
> > Since Thunderbird is a widely used email client it is on the list of
> > allowed clients, but since not many use Claws-mail it has not been so
> > accepted by the university admin.  Therefore Azure Active Directory
> > accepted Thunderbird for me but not Claws-Mail.
> > 
> > One thing I understand from my experience in getting getmail to work
> > is that the client developer needs to apply to Microsoft for approval
> > before it gets onto their list of clients the "tenant" admin can
> > approve.  
> > 
> > Since you were able to declare Claws an acceptable client, I would
> > have to assume that the Claws developers have gotten approval from
> > Microsoft and it is on their list.  The one man development team for
> > getmail wasn't about to jump through the hoops necessary to get
> > Microsoft's approval, so that left the option of using the client_id
> > and secret from Thunderbird to get a token from office365.
> > 
> DM: I'm going to guess that you're making an incorrect assumption here;
> I would be surprised if the Claws Mail developers have attempted to get
> any kind of approval / certification from Microsoft. Of course, I could
> be wrong. :) From my experience, it seems like it's up to the tenant
> (within reason) what email clients and/or third party apps it wants to
> allow, and Microsoft is happy to provide the tools to give more or less
> access as the tenant desires. I would guess that the tenants' primary
> concerns when considering how much to limit access are security-related
> (perceived or real) and ease of admin / support for their users. So, as
> I mentioned or alluded to before, with the error message you're getting
> here, your best next step might be to talk with your university email
> admin to see if they would even allow / support what you're trying to
> do, although of course there is the approach David Fletcher mentioned
> which sounds interesting, as well as the posing as Thunderbird that can
> get around one problem area later in the process.
> > 
> > Since apparently Claws is on Microsoft's list then there would be two
> > options.  Either ask our USC admin to add Claws to the list of
> > acceptable clients, or figure out how to insert the Thunderbird
> > client_id and secret into the Claws login process.
> > 
> DM: This is possible, as I and others have already done it. But I think
> it's only relevant if you can get past the problem you're facing now to
> make whatever other settings changes you need to make in Azure. Unless
> I'm misunderstanding something, I don't see how an issue with
> client_id, etc. would have any relation to the problem you described.
> Best, ---Dustin
> > 
> > If the id and secret are not easily changed in Claws-mail, then I may
> > have to just leave it at that and declare victory for just finally
> > understanding the problem.
> 
Thanks Dustin for your ideas.  I just replied to David Fletcher's post, and
what I said there may also apply to your suggestions as well.  If not,
please set me straight.

DWM


