We use in our company email addresses for each employee and for 3 departments (service, support and reports) - for example <employee_name>#<company_name>.de or support#<company_name>.de ("<..._name>" is just a placholder for posting here). Our programs use PHPMailer for sending Emails from the 3 departments via SMTP without user interaction (Host: smtp.office365.com), that means the PHPMailer is called by programs/scripts that are started by the Microsoft Task Scheduler on a computer where none of our Microsoft-Users is logged in. Now we want to switch from Basic SMTP Auth to Oauth2.
So we registered in the main tenant (<boss_name>#<company_name>.de) in the azure portal a web app "PHPMailer" and received the refresh token with the file "get_oauth_token.php", which is included in PHPMailer. The mail order via OAuth is working now, but only when <boss_name>#<company_name>.de is the username and the email sender (From).
It's not working when both are for example reports#<company_name>.de (prefered way)
SMTP INBOUND: "535 5.7.3 Authentication unsuccessful [AM6PR10CA0036.EURPRD10.PROD.OUTLOOK.COM]"
And it's not working when <boss_name>#<company_name>.de is the username and From is for example reports#<company_name>.de (willy-nilly compromise)
SMTP INBOUND: "554 5.2.252 SendAsDenied; <boss_name>#<company_name>.de not allowed to send as reports#<company_name>.de
We tried to change the configuration for <boss_name>#<company_name>.de ("SendAs" parameter) and of the app in the azure portal (for example defining the department email addresses as owner of the app or adding Mail.Send in the Micrsoft Graph API as application permission) and waited 24 hours (synchronization delay) - but no change.
So i've read in the past weeks countless tutorials from Microsoft, PHPMailer and others, and forums like stackoverflow. But nowhere i could find the necessary information, how to change the configuration.
Examples:
Microsoft
Give mailbox permissions to another Microsoft 365 user - Admin help
Authenticate an IMAP, POP or SMTP connection using OAuth
Get access on behalf of a user
PHPMailer
Using Gmail with XOAUTH2 (unfortunately no explanation for Microsoft)
Basic Usage of the OAuth 2.0 Client from the PHP League
Microsoft Provider for OAuth 2.0 Client Microsoft OAuth 2.0 support for PHPMailer from Steven Maguire
But in this answer to my older question #ADyson wrote that the app just needs the appropriate permissions in the Graph API - so it must be possible. Unfortunately he didn't write, how to set the permissions...
So, how can i achieve my goal?
(Because the PHPMailer is working and i think it's just a configuration problem, i omitted code snippets. If you although need code or more information, please tell me...)
Update:
PHPMailer
Thanks to #greew i found a well made explanation with helpfull screenshots for delegated permissions:
Microsoft Azure and XOAUTH2 setup guide
Unfortunately it doesn't help for my case with application permissions, because it is made for the case, that the Microsoft user is logged in on the compauter where PHPMailer is working.
Not supported?
I found in the Microsoft page Authenticate an IMAP, POP or SMTP connection using OAuth the following hint:
Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported.
Does this mean, that i'm trying it for nothing, because it is not supported???
#biberman
I just tried setting up a new mailer with the correct permissions and also clicking the "Grant admin consent.." button.
This resulted in me being able to both get the refresh token and also send mail without user interaction on my behalf.
Note: I'm using the single tenant option in the App.
After i found in the Microsoft page Authenticate an IMAP, POP or SMTP connection using OAuth the following hint:
Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported.
i asked the same question in the Microsoft Q&A forum. There i received the following answer/comment:
Currently the Client Credentials flow isn't supported with SMTP Auth (it maybe in the future but there isn't a roadmap item that i know of) so you need to grant SendAS permissions to whatever account you trying to send as in the from or switch to using the Graph API eg one example https://katystech.blog/projects/php-graph-mailer that does support the client credentials flow.
I tried to solve the issue by letting the administrator grant the SendAs permission to all necessary mailboxes, but i still get the error SendAsDenied - maybe it doesn't work with modern authentication (OAuth).
At the end i used the graphMailer from the linked katystech.blog, which is a really slim solution compared to the PHPMailer. First i couldn't get it to work, because our administrator refused to grant the necessary Microsoft Graph permission Mail.ReadWrite (he has security concerns). But i changed the code, so that the email is "build" before sending it, instead of building the email step by step on the Microsoft server and then advising the server to send it (like in the original code).
Now the Mail.ReadWrite permission isn't necessary and i can send from different email addresses. To avoid rewriting the whole code, where the PHPMailer is used, i renamed the functions of Katys graphMailer (and adjusted the params), so that they are similar to the PHPMailer and i only need to replace = new PHPMailer( with = new graphMailer(...
Related
Recently Microsoft has started to authenticate user with OAuth 2.0 protocol. I have implemented it in Asp.net Core C# and got token.
Now I am able to access mails from main mail Inbox using Mailkit from Microsoft exchange server using OAuth 2.0. But how can I be able to access mails from shared mailbox?
In my code I have mentioned shared mailbox account id.
My code is as follows
Code
Getting exception as "Autheticated but not connected". Please guide
The "Authenticated but not connected" error is unique to Microsoft Exchange IMAP servers and means that your account is not authorized to connect via IMAP.
You will need to be granted permissions for IMAP access by the admin of your tenant.
Need to give shared mailbox permissions to OAuth app as well and shared mailbox will be accessible.
I configured Hybrid mode on a customer's Exchange 2016. Now users' mailboxes are exposed on the Microsoft Graph API using the individual consent flow (authorization code Oauth2 flow).
Getting an admin consent with a client credentials flow seems to work : a token is retreived on the Microsoft endpoint, the payload is correct (right scopes), but it triggers an "unknown error" when using it to get a mailbox content through the Microsoft Graph API. The same token does work to get directory information (meaning the token is valid at some point).
Is Hybrid mode compatible with the Client Credentials flow ? Is there any parameters to configure in Exchange to enable this flow ?
I stumbled upon the same issue some time ago. Just let it slide, as I thought it was some wrong configuration on the Exchange side.
If you inspect both tokens you'll see that the sid is missing on the Client Credentials token, I think exchange needs some sort of on-premise user id inside the token to work. I'm not sure if this flow is supported since I cannot find anything about this topic on their documentation websites.
I just found a totally related question, check out https://stackoverflow.com/a/56108226/639153 for a complete answer.
The issue is actually somewhere else - Exchange doesn't seem to support client_credentials flow. You can, however force it via following PowerShell (make sure to restart your IIS after applying):
$apps = Get-PartnerApplication
# Microsoft Graph is 2nd item in the array, if you are unsure, list the items by calling $apps first
$apps[1] | Set-PartnerApplication -AppOnlyPermissions $apps[1].ActAsPermissions
The full explanation can be found here: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/
First post...here goes. I am trying to display email from a shared mailbox but run into "ErrorAccessDenied Access is denied. Check credentials and try again".
The user does have permission to the mailbox, I can access/read email in Outlook and in O365 portal. In my app I have also assigned Mail.Read.Shared and Mail.ReadWrite.Shared scopes.
At first I tried Graph Explorer
https://graph.microsoft.com/beta/users/<userPrincipalNameOfSharedMailbox>/messages
but same ErrorAccessDenied, assumed Graph Explorer did not have Mail.Read.Shared scope.
Next I tried to modify Microsoft Graph Snippets Sample for ASP.NET 4.6
I added Mail.Read.Shared and Mail.ReadWrite.Shared and was prompted to accept these permissions
• Read and write mail you can access
• Read mail you can access
but I get the same error when I try get mail from the shared mailbox
IUserMessagesCollectionPage messages = await graphClient.Users["userPrincipalNameOfSharedMailbox"].Messages.Request().GetAsync();
There was a similar post here Microsoft Graph API SDK .NET Issues getting other users emails and the answer implies this is possible. If it is can anyone provide some insight as to what I am missing? thanks
Right now, accessing shared messages is not supported for the authorization_code flow, but it is supported for the client_credentials flow. In order to incorporate this functionality, you will have to change your flow to incorporate this.
Here is an article on creating a client_credentials flow app if you are interested in going this route.
I am prototyping HipChat client and I'm stuck at building good authentication experience. I would like to implement similar authentication dialog as HipChat clients built by Atlassian provide. There is no need to generate auth tokens/etc, you just type email/password and client is able to obtain oauth token.
How do they do? Clients use com.atlassian.hipchat.win-clients as client_name in request to https://www.hipchat.com/users/authorize.
Question that I have: how do I register my own client? If I use any random name I get "Named OAuthClient not found ".
How to register client name that will work with any HipChat server, including hipchat.com?
Updated:
I made an example. Please take a look.
https://github.com/chenghuang-mdsol/StandupCat
#VitaliyGanzha
There's a way I used: Build an auth provider based on the integration token.
Make an integration, take down the auth_token.
Use this auth_token on the api here: https://www.hipchat.com/docs/apiv2/method/generate_token
use grant_type 'password', and fill username and password in your post request.
It will return the user info.
Based on the user info it returned, you do your membership provider.
Note that this auth_token has very limited permission. If you want to do more than authentication, you need another personal auth_token which can be generated in your account center.
Tested in C# WCF
Here I've got an answer that it is not possible right now:
This is currently not possible. The flow you described with the
com.atlassian.hipchat.win-clients oauth id is used internally inside
our new desktop and mobile clients. The only other way to obtain an
access token via a 3-legged oauth flow is to create an add-on that you
have to require a HipChat customer to install. Our OAuth tokens are
scoped by group. We don't have allow global tokens. Sorry about that.
https://answers.atlassian.com/questions/32989448/writing-hipchat-client-hipchat-authentication
Hello kind people of the internet.
Does Google OAuth2.0 support an OAuth-flow for a Resource Owner Password Credential Flow?
...and if so, then:
A.) can this type of OAuth flow be tested on the Google OAuth2 Playground?
B.) are there any examples of the "Resource Owner Password Credential Flow" with Google OAuth2.0 and the Google APIs?
Per an OAuth presentation recently in Oslo NDC 2013, this subject flow apparently skips the authorization end point all together and directly talks to the token end point of the OAuth2 server. The request syntax incantation would supposedly look something like this:
grant_type=password&
scope=resource&
user_name=owner&
password=password&
My understanding is the Resource Owner Password Credential Flow is for trusted applications in a back-end enterprise type of situations (where a name-password pair could be securely stored).
This particular OAuth flow would require no end-user consent interaction (no pop-up of a browser to Accept, then get a returned authorization-code, etc). In this subject flow the access & refresh token are directly returned, again: with no end-user interaction (albeit after an entry of a username-password).
Looking through the Google OAuth documentation ( link to Google OAuth2 docs ) there does not seem to be any mention of anything resembling Resource Password Credential Flow, but not sure that necessarily means it is explicitly not supported by Google.
Any help or advice would be much appreciated.
thanks in advance
Dear kind internet person,
it is true that Resource Owner Password Credential Flow is not supported on Google but google suggests you use the Installed Application Flow, which is described in: https://developers.google.com/accounts/docs/OAuth2InstalledApp.
You would need to create an Installed Application in the Google Console (https://code.google.com/apis/console), when you do that you can fetch the client_id and build a GET request with the parameters, which would look like so:
https://accounts.google.com/o/oauth2/auth\?
scope\=<scope>\&
redirect_uri\=urn:ietf:wg:oauth:2.0:oob\&
response_type\=code\&
client_id\=<client_id fetched from google console>
You would construct this URL and navigate to it on your browser, allow access for the app and google would give you what I believe is a code which you can use to get credentials. You can use those credentials to get an access token and refresh it, and this credentials is permanent. There's a good example of that on github. Note that you only need to get those credentials manually once, and then you save those credentials somewhere and keep using them to get/refresh tokens.
Hope this helps!
As far as I know, No. The OAuth 2.0 stuff is for Google accounts, for which Google does authentication.