Author Topic: OAUTH2 Google = Great, Office365 failing... Update: works w/ different setting

paulwh
Finally got MS Office 365 to cooperate on school / business accounts. If anyone else is having issues, here's what finally worked for us:

Registered App in Azure needs to be Any Azure AD Directory - Multitenant (*not* including any personal accounts and single tenant never worked). Web redirect URL as shown in defaults.config. Don't check either box in Authentication section for token type.

API Permissions need to be (MS Graph -> Delegated): email, IMAP.AccessAsUser.All, offline_access, openid, SMTP.Send, User.Read (didn't work here w/o openid; and adding any additional MS / Exchange Office365 app permissions in addition caused failed login).

$config['oauth_scope'] = "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send User.Read offline_access email openid";

hosts slightly different than default:
$config['imap_host'] = 'ssl://outlook.office365.com';
$config['smtp_host'] = 'tls://smtp.office365.com'; // ssl:// doesn't connect, needs to be tls://

Fingers crossed it working now isn't a fluke, but sends and reads on 1.6 w/ those slight changes to config and settings in the Azure app.

Thanks again for Roundcube :)

ORIGINAL POST:
First: many thanks for creating, maintaining, and supporting Roundcube. Long time user, first time caller :)

I got OAUTH to work with Google after a few stumbles. However, ever since Microsoft moved 100% to "modern authentication" I've been searching every corner of every forum I can find for secret to make it work, but to no avail. As such, I'm finally posting / hoping for help getting RC to work with Office365 email for my setup. The App is registered in Azure and the token is getting issued. Permissions on the registered app are as listed in defaults.inc.php:

Config file:
// MS OAUTH
$config['imap_host'] = 'ssl://outlook.office365.com';
$config['smtp_host'] = 'ssl://smtp.office365.com';

$config['oauth_provider'] = 'outlook';
$config['oauth_provider_name'] = 'Office365';
$config['oauth_client_id'] = "0000----0000";
$config['oauth_client_secret'] = "00000---0000";
$config['oauth_auth_uri'] = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
$config['oauth_token_uri'] = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
$config['oauth_identity_uri'] = "https://graph.microsoft.com/v1.0/me";
$config['oauth_identity_fields'] = ['email', 'userPrincipalName'];
$config['oauth_scope'] = "User.Read offline_access openid email https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send";
$config['oauth_auth_parameters'] = ['nonce' => mt_rand()];

*note: was getting errors with example scope; for some reason placing domain-scopes @ the end of the string worked to issue the token (probably a fluke); also added openid and email as a test to see if that might help, which is also added to the Azure app permissions.

It looks to get the token, but when it redirects back to the RC login page / OAUTH, the user is shown a Login Failed notice.

Error log is: AUTHENTICATE XOAUTH2: A0001 NO AUTHENTICATE failed  in /home/myemailadmin/public_html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=0.AX0Aat8ieBVMwES........

And IMAP log:
Connecting to ssl://outlook.office365.com:993...
[03-Nov-2022 17:08:39 +0000]: <f920a9da> [5B66] S: * OK The Microsoft Exchange IMAP4 service is ready. [-----]
[03-Nov-2022 17:08:39 +0000]: <f920a9da> [5B66] C: A0001 AUTHENTICATE ****** [2746]
[03-Nov-2022 17:08:40 +0000]: <f920a9da> [5B66] S: A0001 NO AUTHENTICATE failed.

IMAP is "allowed" in the MS account. I've tried adding app API permissions (beyond just the listed graph permissions), but cannot for the life of me get it to work with Office365. I've tried fresh installs of RC 1.5.1, 1.5.3 and 1.6, all w/ the same result.

Is anyone out there who has gotten Roundcube OAUTH to work with MS Office 365? And if so, would it be possible to post / share details on both sides (configs.php setup and Azure app registration w/ any "look out for ___" notes), so that others more newbie like me might be able to find what could be incorrect w/ their setup? Server is WHM, PHP 8 or 8.1... maybe there's something on the server side required about which I'm ignorant? (oauth (2.0.7) PHP module is installed if that makes any difference)... it would be greatly appreciated.

Thanks!

« Last Edit: November 04, 2022, 01:47:12 PM by paulwh »
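The failure mode in the thread (token issued, but `AUTHENTICATE XOAUTH2` answered with `NO`) is usually a token that is not scoped for the Exchange resource. The script below is an added diagnostic, not part of the original post or of Roundcube: it checks a `$config['oauth_scope']` string for the resource-prefixed scopes the post ended up needing, builds the SASL XOAUTH2 initial response exactly as an IMAP/SMTP client sends it, and decodes an access token's payload (no signature check, inspection only) to see whether its `aud` is the Outlook resource and its `scp` carries `IMAP.AccessAsUser.All`. The expected `aud` value and the token being a compact JWT are assumptions; the sample tokens are constructed for the demo.

```python
import base64
import json

# Assumed audience of an Azure AD v2 access token minted for the Exchange resource.
OUTLOOK_RESOURCE = "https://outlook.office365.com"
# Scopes the post found necessary for Office 365 IMAP + SMTP via XOAUTH2.
REQUIRED_SCOPES = {
    f"{OUTLOOK_RESOURCE}/IMAP.AccessAsUser.All",
    f"{OUTLOOK_RESOURCE}/SMTP.Send",
    "offline_access",
    "openid",
}

def missing_scopes(oauth_scope: str) -> set:
    """Required scopes absent from a space-separated $config['oauth_scope'] string."""
    return REQUIRED_SCOPES - set(oauth_scope.split())

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL payload sent after 'AUTHENTICATE XOAUTH2' (^A = \\x01 separators)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(access_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature; for inspection only."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT; opaque token cannot be inspected")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_token(access_token: str) -> list:
    """Reasons the Exchange IMAP server would reject this token for XOAUTH2."""
    claims = token_claims(access_token)
    problems = []
    if claims.get("aud") != OUTLOOK_RESOURCE:
        problems.append(f"aud is {claims.get('aud')!r}, not the Outlook resource")
    if "IMAP.AccessAsUser.All" not in set(claims.get("scp", "").split()):
        problems.append("scp lacks IMAP.AccessAsUser.All")
    return problems

def _constructed_jwt(payload: dict) -> str:
    """Constructed, unsigned sample token for the demo (not a real Azure AD token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"

# A Graph-only token (what a scope string without the outlook.office365.com/ prefix yields)
# versus one scoped for Exchange; both constructed.
GRAPH_ONLY_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read email"})
OUTLOOK_TOKEN = _constructed_jwt({"aud": OUTLOOK_RESOURCE, "scp": "IMAP.AccessAsUser.All SMTP.Send"})
```

Run `diagnose_token()` on the real access token Roundcube stores after the redirect to see which of the two conditions the server is rejecting before touching the Azure app registration again.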