[Users] office365 oauth2

Dustin Miller dustbiz at gmail.com
Mon May 15 13:20:19 UTC 2023


On Mon, 15 May 2023 04:28:37 -0700
dmacdoug <dmacdoug at usc.edu> wrote:

> On Mon, May 15, 2023 at 04:36:33PM +0600, Dustin Miller wrote:
> > On Mon, 15 May 2023 03:02:32 -0700
> > dmacdoug <dmacdoug at usc.edu> wrote:
> >   
> > > On Mon, May 15, 2023 at 08:45:14AM +0200, Paul Rolland wrote:  
> > > > 
> > > > On Sun, 14 May 2023 15:37:47 -0700
> > > > dmacdoug <dmacdoug at usc.edu> wrote:
> > > >     
> > > > > I know I should probably stop wasting time on getting
> > > > > claws-mail to work with the oauth2 authentication and just
> > > > > continue to use Thunderbird, but I just thought it would be
> > > > > nice to only have one GUI mail client on my laptop which
> > > > > could access both accounts. ...
> > > > 
> > > Since Thunderbird is a widely used email client it is on the list
> > > of allowed clients, but since not many use Claws-mail it has not
> > > been so accepted by the university admin.  Therefore Azure Active
> > > Directory accepted Thunderbird for me but not Claws-Mail.
> > > 
> > > One thing I understand from my experience in getting getmail to
> > > work is that the client developer needs to apply to Microsoft for
> > > approval before it gets onto their list of clients the "tenant"
> > > admin can approve.  
> > > 
> > > Since you were able to declare Claws an acceptable client, I would
> > > have to assume that the Claws developers have gotten approval from
> > > Microsoft and it is on their list.  The one man development team
> > > for getmail wasn't about to jump through the hoops necessary to
> > > get Microsoft's approval, so that left the option of using the
> > > client_id and secret from Thunderbird to get a token from
> > > office365. 
> > >
> > DM: I'm going to guess that you're making an incorrect assumption
> > here; I would be surprised if the Claws Mail developers have
> > attempted to get any kind of approval / certification from
> > Microsoft. Of course, I could be wrong. :) From my experience, it
> > seems like it's up to the tenant (within reason) what email clients
> > and/or third party apps it wants to allow, and Microsoft is happy
> > to provide the tools to give more or less access as the tenant
> > desires. I would guess that the tenants' primary concerns when
> > considering how much to limit access are security-related
> > (perceived or real) and ease of admin / support for their users.
> > So, as I mentioned or alluded to before, with the error message
> > you're getting here, your best next step might be to talk with your
> > university email admin to see if they would even allow / support
> > what you're trying to do, although of course there is the approach
> > David Fletcher mentioned which sounds interesting, as well as the
> > posing as Thunderbird that can get around one problem area later in
> > the process.  
> > > 
> > > Since apparently Claws is on Microsoft's list then there would be
> > > two options.  Either ask our USC admin to add Claws to the list of
> > > acceptable clients, or figure out how to insert the Thunderbird
> > > client_id and secret into the Claws login process.
> > >   
> > DM: This is possible, as I and others have already done it. But I
> > think it's only relevant if you can get past the problem you're
> > facing now to make whatever other settings changes you need to make
> > in Azure. Unless I'm misunderstanding something, I don't see how an
> > issue with client_id, etc. would have any relation to the problem
> > you described. Best, ---Dustin  
> > > 
> > > If the id and secret are not easily changed in Claws-mail, then I
> > > may have to just leave it at that and declare victory for just
> > > finally understanding the problem.  
> >   
> Thanks Dustin for your ideas.  I just replied to David Fletcher's
> post, and what I said there may also apply to your suggestions as
> well.  If not, please set me straight.
> 
DM: You're welcome. I can't really think of much else to add. My guess
is that there could be quite a lot of variation in different user
experiences because of how much control Microsoft allows their clients
/ tenants to have on how things work. This was my experience as I
remember it:

* 1. I was able to log in to Azure with my organization email account
  details and access all of the settings I needed to in order to set up
  Claws Mail for OAuth2.

* 2. When I tried to use the client ID / secret I had created to get the
  authentication token for Claws, the process led me to a browser page
  / window that said Claws was not authorized for use with this tenant,
  but that I could request for authorization. (In researching this, my
  understanding was that if I requested it, Microsoft would then let my
  organization know about my request and then if they approved it,
  Microsoft would allow access.) I tried this, but never heard back from
  Microsoft on it.

* 3. I then contacted my organization directly to see if they would be
  willing to go into their Azure settings and allow Claws access. They
  were not willing.

* 4. So I used the Thunderbird client ID (and secret? I can't remember
  whether this was required or not), and that worked fine, which I'm
  pretty sure was because my organization was okay at that time with
  people using Thunderbird. But now even that isn't allowed. :)

DM: Not sure if any of that will help, but there it is. :) Cheers,
---Dustin
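The browser step in item 2 above is the first half of an OAuth2 authorization-code exchange against the Microsoft identity platform. The following added example (not Claws Mail or Thunderbird code) builds that request with PKCE for the IMAP/SMTP scopes a mail client needs and classifies what the redirect brings back: an authorization code, an OAuth error such as the tenant refusing consent for this client, or a state mismatch. The client ID, redirect URI and the sample redirect URLs are placeholders/constructed; the endpoint and scope names are Microsoft's public ones.

```python
"""Authorization request and callback handling for a mail client using the
Microsoft identity platform.  Added example, not Claws Mail's own code."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
# Scopes for IMAP receive, SMTP submission and a refresh token (offline_access).
MAIL_SCOPES = (
    "offline_access",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
)


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, tenant, state, code_challenge):
    """The URL the client opens in the browser; 'state' ties the redirect back
    to this request, 'code_challenge' binds the later token exchange to it."""
    params = {
        "client_id": client_id,          # placeholder app registration id
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(MAIL_SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


def parse_callback(redirect_url, expected_state):
    """Classify the redirect the browser lands on after the consent screen."""
    qs = parse_qs(urlsplit(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return {"status": "state_mismatch"}   # reject forged or replayed redirects
    if "error" in qs:                          # e.g. tenant has not consented
        return {"status": "error", "error": qs["error"][0],
                "description": qs.get("error_description", [""])[0]}
    if "code" in qs:
        return {"status": "code", "code": qs["code"][0]}
    return {"status": "unexpected"}
```

Only a redirect carrying a code (and the matching state) should proceed to the token endpoint; an error reply is the point at which to ask the tenant admin whether the client is allowed at all, rather than retrying.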