
I am trying to authenticate a backend server with OAuth in order to send emails from that backend server. The thing I don't understand is how I can do this if the server will only ever be run locally on a VLAN.

Is this even possible?

What I am currently doing:

Backend server (running Node) uses Basic Authentication credentials (username & password) to authenticate, then sends an email through an Office 365 account to a user using SMTP. Basic auth is being deprecated though and is being replaced by OAuth.

What I want to do:

Replace basic authentication with OAuth to authenticate and send emails from the backend server through an Office 365 account.

Any help would be greatly appreciated.

Americo Perez

2 Answers

0

The usual migration path here is Client Credentials Flow which should work like this:

  • Back end on private VLAN must be able to make outbound calls to the Authorization Server (Azure AD in your case).

  • The advantage should be that the credential is not revealed every time you want to send an email, and OAuth access tokens are used instead.

This should work in locked-down environments where outbound calls are restricted. Usually a whitelist is configured in the firewall, e.g. all URLs other than Azure AD are blocked.

Gary Archer
  • thank you for the quick reply. I think I understand this conceptually. Would you happen to have more concrete/detailed examples? – Americo Perez Sep 08 '21 at 20:37
  • A client credentials client is pretty simple - see [this repo](https://github.com/lelylan/simple-oauth2#client-credentials-grant) for a few lines of code. – Gary Archer Sep 08 '21 at 20:51
  • what do we do in the case where the callback url isn't guaranteed to be a specific URL or it can be multiple URLs at the same time, all of which are unknown URLs ? – Americo Perez Sep 09 '21 at 21:22
  • To answer my comment above, Client Credentials Flow does not require a Callback – Americo Perez Sep 10 '21 at 04:00
0

This is specifically for how to implement it using Azure Active Directory & Office 365 as the e-mail sender, but the main ideas for how to implement this should work for other services. The only caveat is that some other services will require you to obtain an access token first and use that in conjunction with their API.

Using the information about Client Credentials Flow provided by @Gary Archer combined with the
Microsoft Graph SDK as well as examples for how to:

  1. Register an app in Azure
  2. How to Create a Client
  3. Get ID of User by fetching user data
  4. How to send Emails

I was able to figure this out.

Americo Perez
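Putting Gary Archer's client credentials description and the second answer's steps (register an app, get a token, send via Microsoft Graph) together, here is an added Node example that is not code from either answer. It assumes the app registration has been granted the Mail.Send application permission with admin consent; `fetchFn` is injected so the same code runs against a real `fetch` (Node 18+) or a stub, and the tenant, client id, secret and sender address are placeholders you replace with your own.

```javascript
// Added example: client-credentials flow against Azure AD, then Microsoft Graph sendMail.
// Only two outbound hosts are needed from the VLAN: login.microsoftonline.com and graph.microsoft.com.
const tokenUrl = (tenant) => `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;
const sendMailUrl = (user) => `https://graph.microsoft.com/v1.0/users/${encodeURIComponent(user)}/sendMail`;

// Token request for the client-credentials grant: no user login and no callback URL,
// just the app's own secret. Scope ".default" asks for the admin-consented app permissions.
function buildTokenRequest(tenant, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    scope: 'https://graph.microsoft.com/.default',
  });
  return { url: tokenUrl(tenant), method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: body.toString() };
}

// Graph sendMail call: the short-lived bearer token is what leaves the server per email,
// never the client secret (which is the point of replacing SMTP basic auth).
function buildSendMailRequest(accessToken, sender, to, subject, text) {
  const message = { subject, body: { contentType: 'Text', content: text },
    toRecipients: [{ emailAddress: { address: to } }] };
  return { url: sendMailUrl(sender), method: 'POST',
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ message, saveToSentItems: false }) };
}

// Cache the token until a minute before expiry so the secret is presented to Azure AD
// once per hour rather than once per email. `now` is injectable for testing.
function makeTokenSource(fetchFn, tenant, clientId, clientSecret, now = () => Date.now()) {
  let cached = null;
  return async function getToken() {
    if (cached && cached.expiresAt - 60_000 > now()) return cached.token;
    const req = buildTokenRequest(tenant, clientId, clientSecret);
    const res = await fetchFn(req.url, req);
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const json = await res.json();
    cached = { token: json.access_token, expiresAt: now() + json.expires_in * 1000 };
    return cached.token;
  };
}

// Graph answers 202 Accepted on success; anything else is surfaced as an error.
async function sendMail(fetchFn, getToken, sender, to, subject, text) {
  const req = buildSendMailRequest(await getToken(), sender, to, subject, text);
  const res = await fetchFn(req.url, req);
  if (res.status !== 202) throw new Error(`sendMail failed: HTTP ${res.status}`);
  return res.status;
}
```

Keep the client secret out of the repository (environment variable or a secrets store) and restrict the firewall allowlist to the two hosts above; a certificate credential can replace the secret with the same flow.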