Does Rebex support Office 365 mailbox using IMAP with an OAuth 2.0 token?

0 votes
asked May 25 by vanchuri (140 points)

Hi,

I see that Microsoft has rolled out OAuth 2.0 support for IMAP and SMTP recently.
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-2-0-support-for-imap-and-smtp-auth-protocols-in/ba-p/1330432

What I understood from the above link is that "we need to use Graph API" for non-interactive applications using the client credentials flow.

I have enabled the following permissions in my app's Graph API permission settings:
IMAP.AccessAsUser.All -> Delegated -> Granted admin consent
Mail.Read -> Delegated -> Granted admin consent
Mail.Read -> Application -> Granted admin consent

I gave my client ID, client secret and tenant ID details in my IMAP sample app code and created a confidential client app object.
I defined the scope to be "https://graph.microsoft.com/.default".

I have passed the access token to my IMAP object without any modification. It says "Server reported error: AUTHENTICATE failed (NO)." when I try to log in.

Did I miss something here? Or does Rebex not support it yet?
Can someone guide me on a way forward from here?

Regards,
Vijay Anchuri

Applies to: Rebex Secure Mail

2 Answers

0 votes
answered May 25 by Pavel Matyska (13,340 points)

Hi,

It seems the scope you use when obtaining your access token is wrong. According to Microsoft's "How to enable OAuth for IMAP protocol on Office 365", you should use this string as a scope from your application: https://outlook.office.com/IMAP.AccessAsUser.All. Also note that you should use your access token in a SASL XOAUTH2 string and encode it with Base64 as described on the same page in the "Authenticate connection requests" paragraph. Use this Base64 string in our Imap.Login method.
You can find sample code for this conversion on our blog, "How to authenticate to Gmail with Rebex Secure Mail using OAuth 2.0", paragraphs 4 and 5. The mechanism is the same; obtaining your access token is different.
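
The following added example (not part of the original posts and not Rebex's code) shows the two encoding steps this thread discusses: percent-encoding the scope for the token request and building the Base64 SASL XOAUTH2 string, plus a decoder that masks the bearer token so the string can be inspected in logs. The class and method names, the user address and the token are hypothetical, constructed values.

```csharp
using System;
using System.Text;

static class XOAuth2Example // hypothetical helper class
{
    // Ctrl+A field separator. "\u0001" is used because "\x01" followed by
    // a hex letter (the 'a' of "auth") would be parsed as one escape in C#.
    const string Sep = "\u0001";

    // Percent-encode a scope for a form-urlencoded token request body.
    public static string EncodeScope(string scope) => Uri.EscapeDataString(scope);

    // Build Base64("user=" user ^A "auth=Bearer " token ^A ^A).
    public static string Build(string user, string accessToken)
    {
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(accessToken))
            throw new ArgumentException("User and access token are required.");
        if (user.Contains(Sep) || accessToken.Contains(Sep))
            throw new ArgumentException("Inputs must not contain the Ctrl+A separator.");
        string raw = "user=" + user + Sep + "auth=Bearer " + accessToken + Sep + Sep;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(raw));
    }

    // Decode an XOAUTH2 string for troubleshooting; the bearer token is masked
    // because it is a credential and must not end up in log files.
    public static string DescribeForLog(string base64)
    {
        string raw = Encoding.UTF8.GetString(Convert.FromBase64String(base64));
        string[] f = raw.Split('\u0001');
        const string prefix = "auth=Bearer ";
        // A well-formed string splits into: "user=...", "auth=Bearer ...", "", ""
        if (f.Length != 4 || !f[0].StartsWith("user=", StringComparison.Ordinal)
            || !f[1].StartsWith(prefix, StringComparison.Ordinal)
            || f[2].Length != 0 || f[3].Length != 0)
            return "malformed XOAUTH2 string";
        return f[0] + ", " + prefix + "<" + (f[1].Length - prefix.Length) + " chars redacted>";
    }

    static void Main()
    {
        // Constructed sample values, not real credentials.
        string sasl = Build("someone@example.com", "CONSTRUCTED.ACCESS.TOKEN");
        Console.WriteLine(EncodeScope("https://outlook.office.com/IMAP.AccessAsUser.All"));
        Console.WriteLine(DescribeForLog(sasl));
        // 'sasl' is the Base64 string the answer says to pass to Imap.Login.
    }
}
```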

commented May 25 by vanchuri (140 points)
Hi,
Thanks for the immediate response. But when I set the scope to the above string that you've mentioned, it's throwing MsalServiceException with
Errorcode: Invalid_scope
Error description: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://outlook.office.com/IMAP.AccessAsUser.All is not valid.

I even tried setting the scope to "https://graph.microsoft.com/IMAP.AccessAsUser.All". It throws me the same exception again!!!
commented May 25 by Pavel Matyska (13,340 points)
The string is from Microsoft's own page. But please make sure it is URL encoded. When I tried it and made the mistake of sending it to the Azure endpoint "as is", I got the same error. But when I sent it in this form: https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All I was able to obtain a token. Although it won't let me authorize to the IMAP portion of the outlook.office365.com servers. I'll keep investigating what is going on. But I tried it some time ago with the same effect. I obtained a token but had no luck authenticating, then as now. Unfortunately, Microsoft's documentation is not much help.
commented Jun 2 by vanchuri (140 points)
Hi,
Is there any update on this yet?
commented Jun 3 by Pavel Matyska (13,340 points)
Hi,
This StackOverflow question is the only one that has a somewhat happy ending regarding authenticating with OAuth to Microsoft Office 365 using the IMAP protocol: https://stackoverflow.com/questions/61597263/office-365-xoauth2-for-imap-and-smtp-authentication-fails/61678485#61678485
I have still not been fortunate, but my app registration may be misconfigured from many different attempts to make it work. I'll try to register it as cleanly as possible again and hopefully it will authenticate me.
commented Jun 3 by Pavel Matyska (13,340 points)
Hi,

It turned out that the Office 365 IMAP server has the same bug as the former outlook.com servers. We added a workaround for it back then, and when we enabled the workaround for the Office 365 server we were able to authenticate as well. I'll prepare a hotfix and give a link to it here.
The original forum post about the workaround can be found here: https://forum.rebex.net/5863/imapauthentication-oauth20-authentication-outlook-yahoo
0 votes
answered Jun 4 by Pavel Matyska (13,340 points)

Hi,

Here is a link to a trial hotfix that makes it possible to connect to the Office365 IMAP server.

https://www.rebex.net/getfile/5fbeb9d0d84b44249298725928d3d2b6/RebexSecureMail-ImapOAuth-HotfixBuild7460-Trial-Binaries.zip

The full version of this hotfix is available to paying customers at support@rebex.net as part of their support contract.

This fix will be in the next release of our component.

commented Jun 5 by vanchuri (140 points)
Thank you for the hotfix. Let me give these binaries a try.
...