IMAP - Microsoft Exchange Online basic auth deprecation
Closed this issue · 7 comments
With the deprecation of basic auth for Exchange Online by Microsoft (https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online), the IMAP option is most likely not going to work anymore.
What would be the best way to still use this with an Exchange Online account?
You probably got it working already, but I'll post my solution here in case anyone else is looking for one.
In `dmarcts-report-parser.pl`:
- I got the token with curl, so I added `WWW::Curl::Easy` and `JSON` to `use`; you can use `Net::OAuth2` or whatever else you're comfortable with.
- Add `$imapoauth, $client_id, $client_secret, $grant_type, $scope, $site` to the `our` definition at the beginning.
- Just after the `# Setup connection to IMAP server.` comment, define `my $imap`; after that add an `if ($imapoauth == 1){}` and put the original define in an `else{}` (don't forget to remove `my` from the original).
- In the `if` you added, put the following (if you're using something other than curl, change the token getting part):
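```perl
# encode_base64 comes from MIME::Base64; WWW::Curl::Easy and JSON must be loaded with "use".
# Request an access token from the token endpoint in $site.
my $curl = WWW::Curl::Easy->new;
$curl->setopt(CURLOPT_URL, $site);
my $response_body;
$curl->setopt(CURLOPT_WRITEDATA, \$response_body);
$curl->setopt(CURLOPT_POST, 1);
# Values are sent as-is; URL-encode them if they contain characters such as & or +.
$curl->setopt(CURLOPT_POSTFIELDS, "client_id=$client_id&client_secret=$client_secret&grant_type=$grant_type&scope=$scope");
my $retcode = $curl->perform;
die "Token request failed: " . $curl->strerror($retcode) if $retcode != 0;
my $token = JSON->new->decode($response_body)->{"access_token"}
    or die "No access_token in token response";
# XOAUTH2 initial response: user=<user>^Aauth=Bearer <token>^A^A, base64 without line breaks.
my $oauth_sign = encode_base64("user=".$imapuser."\x01auth=Bearer $token\x01\x01", '');
$imap = Mail::IMAPClient->new( Server => $imapserver,
                               Port => $imapport,
                               Ssl => $imapssl,
                               Starttls => $imapopt,
                               Debug => $debug,
                               Socketargs => $socketargs,
                               IgnoreSizeErrors => 1)
    or die "IMAP Failure: $@";
$imap->authenticate('XOAUTH2', sub { return $oauth_sign }) or die("Auth error: ". $imap->LastError);
```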
In `dmarcts-report-parser.conf` add:
```perl
$imapoauth = 1;
$client_id='your-client_id';
$client_secret='your-client_secret';
$grant_type='client_credentials';
$scope='https://outlook.office365.com/.default';
$tenant_id='your-tenant_id';
$site="https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token";
```
Will @MatusGoc's solution be included in the code base? It would greatly help if you could do a PR.
@MatusGoc Can you post your full `dmarcts-report-parser.pl` file where you have resolved the IMAP login issue?
Didn't want to do a PR because I made those changes on an earlier version of the file and reapplying them to the current version would be a pain; I might do a PR now.
My comments start with '#### ', so look for those or do a diff to see my changes.
I am getting an `Auth error: 1 NO AUTHENTICATE failed.` error. Can you let me know which permissions are required in the Azure app for it to work?
Also give your application at least read permission for the mailbox:
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-imap-and-pop-connections
You can test if the APP is configured correctly with this PS script:
https://github.com/DanijelkMSFT/ThisandThat/blob/main/Get-IMAPAccessToken.ps1
I believe that @MatusGoc's solution is what I'd recommend for now. Thanks for your solution!
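For the `NO AUTHENTICATE failed` error asked about above, one local check is to decode the access token and look at its claims before it is sent to the IMAP server. The following Perl script is an added example, not part of the thread or of dmarcts-report-parser; the helper names, the sample token and the expected `aud` value are assumptions, and `IMAP.AccessAsApp` is the application permission described in the Microsoft documentation linked above.

```perl
#!/usr/bin/perl
# Added example: inspect an Exchange Online access token's claims locally.
# The payload is decoded without signature verification; this is a diagnostic only.
use strict;
use warnings;
use JSON::PP qw(encode_json decode_json);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Decode the payload (second segment) of a JWT into a hash reference.
sub jwt_claims {
    my ($token) = @_;
    my @parts = split /\./, $token, -1;
    die "not a JWT: expected 3 dot-separated segments\n" unless @parts == 3;
    return decode_json(decode_base64url($parts[1]));
}

# List the reasons the token would not be accepted for app-only IMAP access.
# Assumption: a token requested with scope https://outlook.office365.com/.default
# carries that resource in "aud" and the granted app permissions in "roles".
sub token_problems {
    my ($claims, $now) = @_;
    my @problems;
    my $aud = $claims->{aud} // '';
    push @problems, "aud is '$aud', expected https://outlook.office365.com"
        unless $aud =~ m{^https://outlook\.office365\.com/?$};
    push @problems, "roles claim lacks IMAP.AccessAsApp"
        unless grep { $_ eq 'IMAP.AccessAsApp' } @{ $claims->{roles} // [] };
    push @problems, "token has expired"
        unless ($claims->{exp} // 0) > $now;
    return @problems;
}

# Constructed sample token (unsigned, made-up values) so the script runs offline.
# It models a token requested for the wrong resource and without the IMAP permission.
my $payload = encode_json({
    aud   => 'https://graph.microsoft.com',
    roles => ['Mail.Read'],
    exp   => 2000000000,
});
my $token = join '.', encode_base64url('{"alg":"none"}'), encode_base64url($payload), 'sig';

my @problems = token_problems(jwt_claims($token), time);
if (@problems) {
    print "token would be rejected:\n", map { "  - $_\n" } @problems;
} else {
    print "token claims look right for IMAP\n";
}
```

In the parser, `jwt_claims($token)` can be called right after the token request. A token that passes these checks can still be refused if the application has not been given permission on the mailbox, which is the step the linked Microsoft page covers.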