[Users] claws-mail with OAuth2 IMAP O365

David Fletcher David at megapico.co.uk
Wed Jan 17 22:18:12 UTC 2024


Hi Philippe,

I've just been trying this 'pretend to be Thunderbird' approach. It
used to work, but I've found there are now several things going to make
it very difficult.

(1) The authorisation code filtering process has been tailored to filter
the automatically received codes. It's not going to accept a plain
authorisation code pasted into the authorisation box (except for Yahoo
which still works that way). The filtering code needs to see text
containing the code which has a very specific format. In the case of MS
Outlook it needs to look like this:

code=M.C106_BAY.2.ac5d1f87-5cc4-82ef-3ab5-71f09e270cb8 HTTP

note the URL localhost (or 127.0.0.1) has been removed, and 'space'
HTTP has been appended. Without this Claws will not find the
authorisation code as the string won't look as expected. For MS
Exchange the string &scope= must be appended (without a space) instead
of HTTP.

These expected server exchanges are specified in the OAUTH2CodeMarker
within oauth2.c

(2) If you get through the code extraction by chopping and appending the
right strings you still reach an error saying that MS has not issued you
an Oauth2 access code (log: OAuth2 access token not obtained). I think
this is because the request for this code is sent by Claws as a POST
request which has within it User-Agent: ClawsMail. See the function
oauth2_post_request which does this request.

Almost certainly that's enough for MS to recognise that the request is
not really from Thunderbird - and therefore it won't issue the access
codes.

MS probably tightened this up to prevent other applications pretending to
be Thunderbird. During developing the Claws Oauth2 code it used to work
pretending to be Thunderbird, but now it's got a lot of blocks in the
way of doing this. Sorry - I think the approach is not going to work, at
least with Microsoft. It might still work for Google, I've not tried.

Another approach to all this is (or at least was) that you can obtain
Oauth2 access codes quite separately from Claws, and then just drop them
into the password field of the account configuration screen. Claws
really has two aspects to Oauth2: (a) Process for getting and refreshing
access codes, and (b) the use of the access code as your password when
you connect to the email server using Oauth2 authentication. These
processes are separate, and almost certainly it's only part (a) that's
broken for you. Scripts exist which you might adapt to obtain the codes
manually, e.g.
https://gist.github.com/LindaLawton/cff75182aac5fa42930a09f58b63a309
I used that approach right at the start of developing Oauth2 in Claws; the
authorisation process to get the codes was added a little later.

Whether this manual approach works any more I don't know. And since
access codes need to be refreshed every hour it would be a total
nuisance. Without the automated refresh code handling by Claws it would
be a very tedious way to connect to email for real world use. Sorry - I
think this 'pretend to be Thunderbird' approach is reaching a dead
end, at least for Microsoft accounts.

Best regards, David.
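
The marker-based extraction described in point (1), as an added sketch that is not part of the message above and not code from Claws Mail's oauth2.c. The struct, the function names and the marker table are assumptions built only from the two formats the message describes; the Exchange sample value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical marker pair: the code is the text between start and end. */
struct code_marker {
    const char *provider;
    const char *start;
    const char *end;
};

/* Built from the formats described in the message, not copied from oauth2.c. */
static const struct code_marker MARKERS[] = {
    { "outlook",  "code=", " HTTP"   },
    { "exchange", "code=", "&scope=" },
};

/* Copy the text between the two markers into out.
 * Returns 0 on success, -1 if either marker is missing, the code is
 * empty, or out is too small to hold it plus the terminator. */
int extract_code(const struct code_marker *m, const char *text,
                 char *out, size_t outlen)
{
    const char *begin = strstr(text, m->start);
    if (begin == NULL)
        return -1;
    begin += strlen(m->start);
    const char *stop = strstr(begin, m->end);
    if (stop == NULL)
        return -1;
    size_t len = (size_t)(stop - begin);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, begin, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char code[128];
    const char *pasted[] = {
        "code=M.C106_BAY.2.ac5d1f87-5cc4-82ef-3ab5-71f09e270cb8 HTTP",
        "M.C106_BAY.2.ac5d1f87-5cc4-82ef-3ab5-71f09e270cb8", /* bare code */
    };
    for (size_t i = 0; i < 2; i++) {
        int rc = extract_code(&MARKERS[0], pasted[i], code, sizeof code);
        printf("%s -> %s\n", pasted[i], rc == 0 ? code : "(no code found)");
    }
    return 0;
}
```

The bare code fails because neither marker is present, which matches the behaviour the message reports for a plain pasted authorisation code.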

