[Users] Outlook OAuth2 login has hard-coded wrong parameters
Federico Simonetta
federicosimonetta at zoho.com
Fri Oct 4 16:21:03 UTC 2024
Hi,
I wasn't following any doc, just what the web interface let you use.
Claws is using http, not https, which seems ok.
What is not ok is that Microsoft doesn't
accept http://127.0.0.1 (the one used by Claws), but only http://localhost.
To me, it looks like one of the many issues that are re-marketed as a security
feature.
Best,
f
On Fri, 04 Oct 2024 16:10:16 +0000
"David Fletcher" <David at megapico.co.uk> wrote:
> >The main issue is that Claws Mail interacts with the remote end
> >point by
> >using http://127.0.0.1:8888. Unfortunately, Microsoft considers this URL a different parameter than http://localhost:8888. Since in Microsoft's system the `redirect_url` parameter is used to determine the OAuth2 workflow, they don't know which workflow to use if the `redirect_url` is different from the one set in the remote application.
> >At the same time, they allow using http:// for redirection targets
> >only if it starts with `http://localhost`.
> >
> >So, the two things combined make it impossible to log in with Claws
> >Mail. I retried the whole Claws Mail requests just using
> >`http://localhost:8888` and I was able to log in and download my emails. Unfortunately, this parameter is hard-coded (https://git.claws-mail.org/?p=claws.git;a=blob_plain;f=src/oauth2.c;hb=87726652461a966c766a179863229620b21bc36d)
>
> Hi Federico,
>
> Can you link to the Microsoft documentation you're following? They
> have a publication dated 06/27/2024 which specifically says it's best
> to use 127.0.0.1.
>
> https://learn.microsoft.com/en-us/entra/identity-platform/reply-url#prefer-127001-over-localhost
>
> "To prevent your app from breaking due to misconfigured firewalls or
> renamed network interfaces, use the IP literal loopback address
> 127.0.0.1 in your redirect URI instead of localhost. For example,
> https://127.0.0.1."
>
> "To add a redirect URI that uses the http scheme with the 127.0.0.1
> loopback address, you must currently modify the replyUrlsWithType
> attribute in the application manifest."
>
> Without lots of complication in how Claws listens for this connection
> it needs to be http, not https. This is compliant with RFC 8252, which
> specifies how this process works (and I think Microsoft is too!).
> https://datatracker.ietf.org/doc/html/rfc8252#section-8.3
>
> It's on the Claws Mail bug list to make these parameters user
> configurable but I've not had time to look at it.
>
> Best regards, David.
> _______________________________________________
> Users mailing list
> Users at lists.claws-mail.org
> https://lists.claws-mail.org/cgi-bin/mailman/listinfo/users
---
Federico Simonetta
Post-doc Researcher @ Laudare ERC project
Visiting Researcher @ LIM - Music Informatics Laboratory
GSSI - Gran Sasso Science Institute
https://federicosimonetta.eu.org | https://gssi.it | https://laudare.eu | https://lim.di.unimi.it
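The loopback redirect flow the thread is arguing about (RFC 8252 section 8.3: the client listens on the loopback interface over plain http and the provider redirects the browser back to it with the authorization code) is shown below as an added example. It is not Claws Mail's oauth2.c nor Microsoft's code; it is written in Python rather than Claws' C so it runs stand-alone, and it treats the host part of the redirect URI as a configurable parameter, which is the change David says is on the bug list. The `client_id`, authorization endpoint, scope and the `CONSTRUCTED-CODE` value are placeholders; the default port 8888 is the one Claws uses according to the thread.

```python
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

# Both names reach the loopback interface, but an authorization server compares
# the redirect URI as a string, so "127.0.0.1" and "localhost" are two different
# registrations (the mismatch Federico describes).
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")


def build_redirect_uri(host="127.0.0.1", port=8888):
    """Build the RFC 8252 loopback redirect target; host is a user-visible setting."""
    if host not in LOOPBACK_HOSTS:
        raise ValueError("loopback redirect must use 127.0.0.1 or localhost")
    return f"http://{host}:{port}/"


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scope, state):
    """Authorization request the app would open in the browser (placeholders assumed)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(path, expected_state):
    """Extract the code from the callback path; reject a callback whose state is not ours."""
    query = parse_qs(urlparse(path).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not a reply to our request")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


class _CallbackHandler(BaseHTTPRequestHandler):
    """One-shot handler: record the request path, tell the browser it can close."""

    def do_GET(self):
        self.server.received_path = self.path
        body = b"You may close this window."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def receive_callback(host="127.0.0.1", port=0, timeout=30):
    """Bind the loopback listener (port 0 = any free port) and return
    (redirect_uri, wait); wait() serves exactly one request and returns its path."""
    server = HTTPServer((host, port), _CallbackHandler)
    server.received_path = None
    server.timeout = timeout
    redirect_uri = build_redirect_uri(host, server.server_address[1])

    def wait():
        server.handle_request()
        server.server_close()
        return server.received_path

    return redirect_uri, wait


def demo_local_roundtrip(host="127.0.0.1"):
    """Run the whole exchange locally, standing in for the provider's redirect."""
    state = secrets.token_urlsafe(16)
    redirect_uri, wait = receive_callback(host=host, port=0)
    result = {}
    listener = threading.Thread(target=lambda: result.update(path=wait()))
    listener.start()
    # In a real flow the browser opens build_authorize_url(...) and the provider
    # redirects it here; this constructed request plays the provider's part.
    fake_redirect = redirect_uri + "?" + urlencode({"code": "CONSTRUCTED-CODE", "state": state})
    with urlopen(fake_redirect, timeout=10) as resp:
        resp.read()
    listener.join(timeout=10)
    return parse_callback(result["path"], state)


if __name__ == "__main__":
    print(build_authorize_url("https://login.example.invalid/authorize", "placeholder-client-id",
                              build_redirect_uri("localhost", 8888), "offline_access",
                              secrets.token_urlsafe(16)))
    print("code received:", demo_local_roundtrip())
```

The `state` check is the part worth keeping whichever host name the provider insists on: the listener accepts any local browser request, so the code is only trusted when the callback echoes the random value this app generated.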