[Users] Outlook OAuth2 login has hard-coded wrong parameters

David Fletcher David at megapico.co.uk
Fri Oct 4 16:10:16 UTC 2024


>The main issue is that Claws Mail interacts with the remote end point by using http://127.0.0.1:8888.
>Unfortunately, Microsoft consider this url a different parameter than http://localhost:8888.
>Since in Microsoft's system the `redirect_url` parameter is used to determine the OAuth2 workflow, they don't know which workflow to use if the `redirect_url` is different from the one set in the remote application.
>At the same time, they allow using http:// for redirection targets only if it starts with `http://localhost`.
>
>So, the two things combined make it impossible to log in with Claws Mail.
>I retried the whole Claws Mail requests just using `http://localhost:8888` and I was able to log in and download my emails.
>Unfortunately, this parameter is hard-coded (https://git.claws-mail.org/?p=claws.git;a=blob_plain;f=src/oauth2.c;hb=87726652461a966c766a179863229620b21bc36d)

Hi Federico,

Can you link to the Microsoft documentation you're following? They have
a publication dated 06/27/2024 which specifically says it's best to use
127.0.0.1.

https://learn.microsoft.com/en-us/entra/identity-platform/reply-url#prefer-127001-over-localhost

"To prevent your app from breaking due to misconfigured firewalls or
renamed network interfaces, use the IP literal loopback address
127.0.0.1 in your redirect URI instead of localhost. For example,
https://127.0.0.1."

"To add a redirect URI that uses the http scheme with the 127.0.0.1
loopback address, you must currently modify the replyUrlsWithType
attribute in the application manifest."

Without lots of complication in how Claws listens for this connection it
needs to be http, not https. This is compliant with rfc8252 that
specifies how this process works (and I think Microsoft is too!).
https://datatracker.ietf.org/doc/html/rfc8252#section-8.3

It's on the Claws Mail bug list to make these parameters user
configurable but I've not had time to look at it.

Best regards, David.
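
The redirect URI comparison discussed in this message, as an added example that is not part of the original post and is neither Claws Mail's nor Microsoft's code. It sketches the matching rule from RFC 8252 section 7.3 (any port allowed for loopback IP literals, everything else compared exactly); the function names are hypothetical and the sample URIs are the ones quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit


def loopback_kind(uri):
    """Classify the host of a redirect URI: 'ip-literal', 'localhost' or None."""
    host = urlsplit(uri).hostname
    if host is None:
        return None
    if host == "localhost":
        # RFC 8252 section 8.3: works like a loopback IP but is NOT RECOMMENDED.
        return "localhost"
    try:
        return "ip-literal" if ipaddress.ip_address(host).is_loopback else None
    except ValueError:
        return None  # an ordinary DNS name


def redirect_matches(registered, requested):
    """Exact string match, except that two loopback IP-literal URIs may
    differ in port (RFC 8252 section 7.3). Assumption: 'localhost' gets
    no port leniency here and is never equated with 127.0.0.1."""
    if registered == requested:
        return True
    if loopback_kind(registered) != "ip-literal":
        return False
    if loopback_kind(requested) != "ip-literal":
        return False
    r, q = urlsplit(registered), urlsplit(requested)
    return (r.scheme, r.hostname, r.path, r.query) == (
        q.scheme, q.hostname, q.path, q.query)


if __name__ == "__main__":
    # URIs taken from the thread; the registered/requested pairing is constructed.
    pairs = [
        ("http://localhost:8888", "http://127.0.0.1:8888"),
        ("http://127.0.0.1", "http://127.0.0.1:8888"),
        ("http://localhost:8888", "http://localhost:8888"),
    ]
    for registered, requested in pairs:
        print(registered, requested, redirect_matches(registered, requested))
```
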

