Author Topic: OAUTH2 Google = Great, Office365 failing... Update: works w/ different setting

Offline paulwh

  • Newbie
  • *
  • Posts: 1
Finally got MS Office 365 to cooperate on school / business accounts. If anyone else is having issues, here's what finally worked for us:

Registered App in Azure needs to be Any Azure AD Directory - Multitenant (*not* including any personal accounts; single tenant never worked). Web redirect URL as shown in defaults.config. Don't check either box in the Authentication section for token type.

API Permissions need to be (MS Graph -> Delegated): email, IMAP.AccessAsUser.All, offline_access, openid, SMTP.Send, User.Read (didn't work here w/o openid; and adding any additional MS / Exchange Office365 app permissions in addition caused failed login).

$config['oauth_scope'] = "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send User.Read offline_access email openid";

hosts slightly different than default:
$config['imap_host'] = 'ssl://outlook.office365.com';
$config['smtp_host'] = 'tls://smtp.office365.com'; // ssl:// doesn't connect, needs to be tls://

Fingers crossed it working now isn't a fluke, but sends and reads on 1.6 w/ those slight changes to config and settings in the Azure app.

Thanks again for Roundcube :)

ORIGINAL POST:
First: many thanks for creating, maintaining, and supporting Roundcube. Long time user, first time caller :)

I got OAUTH to work with Google after a few stumbles. However, ever since Microsoft moved 100% to "modern authentication" I've been searching every corner of every forum I can find for secret to make it work, but to no avail. As such, I'm finally posting / hoping for help getting RC to work with Office365 email for my setup. The App is registered in Azure and the token is getting issued. Permissions on the registered app are as listed in defaults.inc.php:

Config file:
// MS OAUTH
$config['imap_host'] = 'ssl://outlook.office365.com';
$config['smtp_host'] = 'ssl://smtp.office365.com';

$config['oauth_provider'] = 'outlook';
$config['oauth_provider_name'] = 'Office365';
$config['oauth_client_id'] = "0000----0000";
$config['oauth_client_secret'] = "00000---0000";
$config['oauth_auth_uri'] = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
$config['oauth_token_uri'] = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
$config['oauth_identity_uri'] = "https://graph.microsoft.com/v1.0/me";
$config['oauth_identity_fields'] = ['email', 'userPrincipalName'];
$config['oauth_scope'] = "User.Read offline_access openid email https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send";
$config['oauth_auth_parameters'] = ['nonce' => mt_rand()];

*note: was getting errors with example scope; for some reason placing domain-scopes @ the end of the string worked to issue the token (probably a fluke); also added openid and email as a test to see if that might help, which is also added to the Azure app permissions.

It looks to get the token, but when it redirects back to the RC login page / OAUTH, the user is shown a Login Failed notice.

Error log is: AUTHENTICATE XOAUTH2: A0001 NO AUTHENTICATE failed  in /home/myemailadmin/public_html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=0.AX0Aat8ieBVMwES........

And IMAP log:
Connecting to ssl://outlook.office365.com:993...
[03-Nov-2022 17:08:39 +0000]: <f920a9da> [5B66] S: * OK The Microsoft Exchange IMAP4 service is ready. [-----]
[03-Nov-2022 17:08:39 +0000]: <f920a9da> [5B66] C: A0001 AUTHENTICATE ****** [2746]
[03-Nov-2022 17:08:40 +0000]: <f920a9da> [5B66] S: A0001 NO AUTHENTICATE failed.

IMAP is "allowed" in the MS account. I've tried adding app API permissions (beyond just the listed graph permissions), but cannot for the life of me get it to work with Office365. I've tried fresh installs of RC 1.5.1, 1.5.3 and 1.6, all w/ the same result.

Is there anyone out there who has gotten Roundcube OAUTH to work with MS Office 365? And if so, would it be possible to post / share details on both sides (config.php setup and Azure app registration w/ any "look out for ___" notes), so that others more newbie like me might be able to find what could be incorrect w/ their setup? Server is WHM, PHP 8 or 8.1... maybe there's something on the server side required about which I'm ignorant? (oauth (2.0.7) PHP module is installed if that makes any difference)... it would be greatly appreciated.

Thanks!

« Last Edit: November 04, 2022, 01:47:12 PM by paulwh »
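The "A0001 NO AUTHENTICATE failed" reply in the IMAP log above is Exchange rejecting the bearer token inside the XOAUTH2 SASL response, which usually means the token was not issued for the Outlook resource or lacks the IMAP scope, rather than anything wrong on the Roundcube side. The following diagnostic script is an added example, not Roundcube's code or anything from the poster: it builds and parses the XOAUTH2 initial client response, and decodes the payload of an access token (without verifying the signature; that is the server's job) to check the `aud` and `scp` claims. It assumes the token is a JWT with those two claims, as Azure AD v2.0 access tokens are, and the sample token it uses is constructed with a fake signature.

```python
import base64
import json

REQUIRED_AUD = "https://outlook.office365.com"      # resource the IMAP/SMTP server expects
REQUIRED_SCOPES = {"IMAP.AccessAsUser.All"}         # delegated scope needed for IMAP login


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(aud: str, scp: str) -> str:
    """Constructed, unsigned stand-in for an Azure AD v2.0 access token (illustration only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "scp": scp, "upn": "user@example.com"}).encode())
    return f"{header}.{payload}.FAKE_SIGNATURE"


def decode_claims(token: str) -> dict:
    """Decode a JWT payload without checking the signature. Diagnostic use only:
    the claims are untrusted until the issuer's signature has been verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_for_imap(token: str) -> list[str]:
    """Return the problems that would make Exchange answer 'NO AUTHENTICATE failed'."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud", "")
    if aud != REQUIRED_AUD:
        problems.append(
            f"aud is {aud!r}, expected {REQUIRED_AUD!r}: token was issued for another resource"
        )
    missing = REQUIRED_SCOPES - set(claims.get("scp", "").split())
    if missing:
        problems.append(f"scp lacks {sorted(missing)}")
    return problems


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the SASL XOAUTH2 initial client response that follows 'AUTHENTICATE XOAUTH2'."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode("ascii")


def parse_xoauth2_initial_response(b64: str) -> dict:
    """Split a base64 XOAUTH2 response back into its key=value fields."""
    fields = {}
    for part in base64.b64decode(b64).decode().split("\x01"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


if __name__ == "__main__":
    # A token for the Outlook resource with the IMAP scope passes the checks.
    good = make_sample_token(REQUIRED_AUD, "IMAP.AccessAsUser.All SMTP.Send")
    print("outlook token problems:", check_token_for_imap(good))
    # A token issued for Graph (the kind a scope string led by User.Read can yield)
    # is what the IMAP server rejects, even though the login redirect itself succeeded.
    graph = make_sample_token("https://graph.microsoft.com", "User.Read email openid")
    print("graph token problems:", check_token_for_imap(graph))
    resp = xoauth2_initial_response("user@example.com", good)
    print("xoauth2 fields:", parse_xoauth2_initial_response(resp))
```

To apply it to a real failure, paste the access token Roundcube obtained (not the authorization `code` from the redirect URL) into `check_token_for_imap`; the `aud` line tells you which resource the token was minted for, which is the point the poster's scope reordering affected. Treat the decoded claims as diagnostic output only and never skip signature verification in code that makes an authorization decision.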

Offline hindra1546

  • Jr. Member
  • **
  • Posts: 12
Hello, I want to use a Microsoft account in Roundcube webmail and I don't know how to do it!
I'm using Laragon and nginx as the server side on localhost.
Can someone help me please?
In the installer, in the test config section, I'm trying to connect to the email using Outlook 365 IMAP but I always receive 'NOT OK' responses.

Offline Dmitry42

  • Full Member
  • ***
  • Posts: 232

Offline hindra1546

  • Jr. Member
  • **
  • Posts: 12
I tried using OAUTH but I have a struggle with the URI of the application. As I mentioned earlier, the webmail is hosted locally using Laragon and nginx for now, and I'll move it to the company server after the connection of the Microsoft account to Roundcube is done, but I don't know what URI to put in. The Microsoft account also requires some permission from the administrator of the domains to allow the API, so my questions are:
- how about the URI?
- should the administrator allow the API in the Azure Active Directory or not?
- what are the APIs that I need if I want to connect the account in the RC webmail?

Offline Dmitry42

  • Full Member
  • ***
  • Posts: 232
From this point I can't help - I don't set up OAuth.