I am adding OAuth authentication support to a daemon application. In the case of IMAP, the application logs on to every mailbox by specifying a user ID/password. Office 365 OAuth access requires application registration and uses the Client Credentials Grant flow. In this case, the application authenticates with Azure AD once and accesses every mailbox using an OAuth token. This authentication flow requires significant changes to the existing code base. I would like to access mailboxes in logically the same way as IMAP (specify user credentials for every mailbox). Office 365 supports that authentication flow, but it uses the system browser, where the interactive user gives consent to access the mailbox. My daemon application runs as a headless service with no access to a system browser. How do I log on to a user's mailbox with the user's credentials?
OAuth 2.0 Resource Owner Password Credentials (ROPC) grant allows an application to sign in the user by directly handling their password.
An authorization request sample for your reference:
// Line breaks and spaces are for legibility only. This is a public client, so no secret is required.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername@myTenant.com
&password=SuperS3cret
&grant_type=password
Please note that there is a warning:
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.

Allen Wu
- I had to add resource and client_secret fields to the request. Resource is https://graph.microsoft.com and the same secret as when requesting the Client Credentials Flow. I got a response, but scope contains only "User.Read" although I requested 'scope=https://graph.microsoft.com/Mail.ReadWrite'. This scope is specified in the application registration. Please note: when using the Client Credentials Flow, the application gets a token which is used to read e-mail, delete, move... – zdenko.s Apr 14 '20 at 20:53
- @zdenko.s ROPC flow requires delegated permissions rather than application permissions. See this screenshot: https://i.stack.imgur.com/Sjl5o.png. – Allen Wu Apr 15 '20 at 04:21
- Sounds logical. I tested the token with GET https://graph.microsoft.com/v1.0/users/johndoe@test.onmicrosoft.com and it works. But it does not work with GET https://graph.microsoft.com/v1.0/users/johndoe@test.onmicrosoft.com/mailfolders/inbox/messages . I got the error "Access denied". I will create another app registration and test it – zdenko.s Apr 15 '20 at 04:48
- Thanks. I am able to get mails. About the warning and ROPC: I am modifying a legacy application and adding OAuth authentication since MS is stopping support for IMAP basic authentication on October 13th. The ROPC flow is not less secure than the existing IMAP basic authentication and I do not see any security-related issue. – zdenko.s Apr 15 '20 at 05:07
- @zdenko.s NP. I'm glad to know it helps! – Allen Wu Apr 15 '20 at 05:45