Can't connect to Outlook OAuth IMAP

[EthraZa]

I have hijacked the issue #50 but I guess it's better to create a new one.

   $client = Client::make([
            'host' => 'outlook.office365.com',
            'port' => 993,
            'encryption' => 'ssl', // 'tls',
            'validate_cert' => false,
            'username' => 'xyz@outlook.com',
            'password' => 'AccessToken',
            'protocol' => 'imap',
            'authentication' => "oauth",
   ]);

• User/pass on my email server works
• Gmail OAuth works
• Outlook OAuth don't

In the outlook webapp it says the IMAP info is:
Host: outlook.office365.com
Port: 993
Method: TLS

In the Azure panel, I have setup a Web authenticated App with Access Tokens and ID Tokens enabled, Live SDK Yes and Public client No.
With the following APIs permissions:

• Microsoft Graph
  -- email
  -- IMAP.AccessAsUser.All
  -- offline_access
  -- openid
  -- profile
  -- User.Read

I'm getting the tokens via oauth2-azure plugin for PHP League's OAuth 2.0 Client setting the scope as 'openid profile email offline_access %root%/IMAP.AccessAsUser.All %root%/User.Read'.

The MS Activity Page shows only my ok browser logins, nothing to validate there.

I got Google OAuth IMAP working in the same day, but after almost a week, Outlook is driving me nuts.

With SSL encryption Webklex/php-imap returns "Connection setup failed" and logs out "NOTICE: PHP message: got failure response: NO AUTHENTICATE failed.".
With TLS secutity it hangs till time-out after Nginx 1 minute limit.

Any ideas?

[Webklex]

Hi @EthraZa ,
thanks for the detailed report. Unfortunately I have no way to test / verify this.

In order to get some additional context you could enable the debug mode to see the communication with the mail server.
Open

php-imap/src/Connection/Protocols/Protocol.php

Line 32 in 6c2c54f

protected $debug = false;

and change the debug attribute from false to true.

If the TLS encryption method results in a timeout, the server is not responding. Maybe it's not supported by the server or runs under a different port?

Instead of using oAuth, could you generate an "app password" and use it instead?

Best regards,

[EthraZa]

Hi.
I have activated the debug and tested with Basic Auth (User/Pass) and OAuth.
As you can see bellow, M$ IMAP server works with Basic Auth but not with OAuth. And Basic Auth works with SSL, TLS just timeouts too.

Basic Auth:

>> TAG1 LOGIN "USER@outlook.com" "PASS"
<< []
>> TAG2 LIST "" "*"
<< [["LIST",["\\HasNoChildren"],"\/","Notes"],["LIST",["\\HasNoChildren"],"\/","Archive"],["LIST",["\\HasNoChildren"],"\/","Arquivo Morto"],["LIST",["\\Marked","\\HasNoChildren"],"\/","Inbox"],["LIST",["\\HasNoChildren"],"\/","Outbox"],["LIST",["\\HasNoChildren","\\Sent"],"\/","Sent"],["LIST",["\\HasNoChildren","\\Trash"],"\/","Deleted"],["LIST",["\\HasNoChildren","\\Junk"],"\/","Junk"],["LIST",["\\HasNoChildren","\\Drafts"],"\/","Drafts"]]
>> TAG3 LOGOUT
<< ["BYE Microsoft Exchange Server IMAP4 server signing off.\r\n"]
{"success":1,"S":[["Notes"],["Archive"],["Arquivo Morto"],["Inbox"],["Outbox"],["Sent"],["Deleted"],["Junk"],["Drafts"]]}

OAuth:

>> TAG1 AUTHENTICATE XOAUTH2 AbCdEfG=
>> TAG2 LOGOUT
<< ["BYE Microsoft Exchange Server IMAP4 server signing off.\r\n"]
{"success":1,"S":"connection setup failed"}

OAuth Log:
NOTICE: PHP message: got failure response: NO AUTHENTICATE failed.

I'm not sure, but it seems it's connecting to IMAP server, but failing elsewhere, maybe after authentication, don't know.

---

About App Password, it looks like it will not work for me because it needs 2FA and my system is a server-side app that collect emails attachments and need to work without user intervention. Anyways Google, Microsoft and everybody else seems to think that OAuth is the way to go and will deprecate other forms of login in the near future.

• Starting February 15, 2021, G Suite accounts will only allow access to apps using OAuth
• Microsoft's Outlook 365 will block IMAP except via OAuth2

[Webklex]

Hi @EthraZa ,
thanks for the quick followup.

Please try to connect to the mail server via cli:

openssl s_client -crlf -connect outlook.office365.com:993

..and enter:

TAG1 AUTHENTICATE XOAUTH2 AbCdEfG=

I suspect you'll receive something like this: NO AUTHENTICATE failed

If so this would indicate that the auth payload

php-imap/src/Connection/Protocols/ImapProtocol.php

Line 393 in 6c2c54f

$authenticateParams = ['XOAUTH2', base64_encode("user=$user\1auth=Bearer $token\1\1")];

is invalid.

Try to update L393 and replace \1 with \001. Or generate a new payload on the fly by calling:

echo base64_encode("user={User}\001auth=Bearer {Token}\001\001");

If you receive something else as a response, please let me know.

I'm aware of the upcoming changes regarding Google and Microsoft :)

Best regards and thanks a lot for testing and debugging.

[EthraZa]

I have tryed the openssl command with access_tokens generated before and after changing line 393, both have returned:
TAG1 NO AUTHENTICATE failed.

Here is the full session after change the line:

# openssl s_client -crlf -connect outlook.office365.com:993
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIqzCCB5OgAwIBAgIMbeoL4ZcnYKFZsYVgMA0GCSqGSIb3DQEBCwUAMGYxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYDVQQDEzNH
bG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzMwHhcNMjAwODEzMjMxODQ5WhcNMjIwODE0MjMxODQ5WjBqMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMRQwEgYDVQQDEwtvdXRsb29rLmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMkgP1e5+XGqPGoKXT/JjZml
UCYlTtxpUrMzcOdyooOSVNHUhhXyxGX4vOXSHhIlnnWOd9KOlMoDS/TIyuPjm2aj
oTd0zP7EHmTc4xi6wXs5W7FH6RGS7+7mCM2TewnHOf7l4kc/aHikF3gTyxI4nYkr
H3Wbh11T/LAqry2GinY7zl6uQ3Rowyi/EC/d2UNLLabcH22Q0M4UHmzcewbke6mB
QO3eGLffU2G8GIMRx7Qbme8U5GM541wv54lYW9oDOjmWispP2ONsf27T5zA0nNuL
6GqmCHcdY9ZXnc2nRwU5lnv9mgmZ70mxiQK+T7jvoAQpdPuafp2oEPt+sGxgT1cC
AwEAAaOCBVMwggVPMA4GA1UdDwEB/wQEAwIFoDCBngYIKwYBBQUHAQEEgZEwgY4w
SwYIKwYBBQUHMAKGP2h0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0
L2dzb3JnYW5pemF0aW9udmFsc2hhMmczLmNydDA/BggrBgEFBQcwAYYzaHR0cDov
L29jc3AyLmdsb2JhbHNpZ24uY29tL2dzb3JnYW5pemF0aW9udmFsc2hhMmczMFYG
A1UdIARPME0wQQYJKwYBBAGgMgEUMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3
Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECAjAJBgNVHRMEAjAA
MEYGA1UdHwQ/MD0wO6A5oDeGNWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3Nv
cmdhbml6YXRpb252YWxzaGEyZzMuY3JsMIICEAYDVR0RBIICBzCCAgOCC291dGxv
b2suY29tghYqLmNsby5mb290cHJpbnRkbnMuY29tgg0qLmhvdG1haWwuY29tghYq
LmludGVybmFsLm91dGxvb2suY29tggoqLmxpdmUuY29tghYqLm5yYi5mb290cHJp
bnRkbnMuY29tggwqLm9mZmljZS5jb22CDyoub2ZmaWNlMzY1LmNvbYINKi5vdXRs
b29rLmNvbYIXKi5vdXRsb29rLm9mZmljZTM2NS5jb22CG2F0dGFjaG1lbnQub3V0
bG9vay5saXZlLm5ldIIdYXR0YWNobWVudC5vdXRsb29rLm9mZmljZS5uZXSCIGF0
dGFjaG1lbnQub3V0bG9vay5vZmZpY2VwcGUubmV0ghZhdHRhY2htZW50cy5vZmZp
Y2UubmV0ghphdHRhY2htZW50cy1zZGYub2ZmaWNlLm5ldIIdY2NzLmxvZ2luLm1p
Y3Jvc29mdG9ubGluZS5jb22CIWNjcy1zZGYubG9naW4ubWljcm9zb2Z0b25saW5l
LmNvbYILaG90bWFpbC5jb22CFm1haWwuc2VydmljZXMubGl2ZS5jb22CDW9mZmlj
ZTM2NS5jb22CEm91dGxvb2sub2ZmaWNlLmNvbYIUc3Vic3RyYXRlLm9mZmljZS5j
b22CGHN1YnN0cmF0ZS1zZGYub2ZmaWNlLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUaIa4fXrZbUlrhy8YixU0bNe0eg4wHQYD
VR0OBBYEFIp8c0RwqE2DJW+mU9pCUpbJFXEhMIIBfAYKKwYBBAHWeQIEAgSCAWwE
ggFoAWYAdgAiRUUHWVUkVpY/oS/x922G4CMmY63AS39dxoNcbuIPAgAAAXPqHn0v
AAAEAwBHMEUCIQD0UI/nOMl60ff3acUF6o4DgCyHBgO2m+algy+5r3u0rAIgUaaP
6OVsp/8WAX4VQhEx3NzHN3xkLKzdQrs8eTF0zJ0AdQApeb7wnjk5IfBWc59jpXfl
vld9nGAK+PlNXSZcJV3HhAAAAXPqHnqnAAAEAwBGMEQCIAPxGdcPL8SphKAz1Ham
7vGu4APnrphDF7AP+xK7E9o0AiAQ5qkdixxk1Mn3wD08d0mxCD0dXjT52RB8dGsY
xl5tBwB1AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABc+oefa4A
AAQDAEYwRAIgJiFk26biPTJ9n6iutym3QptJqvWlwBIBobbn8gHUL0UCIE4Zukd1
i0nXS7oEYt2it2sF0AEffDYXJymyFxx/EIGKMA0GCSqGSIb3DQEBCwUAA4IBAQAm
9KN3HdyexBqIIzCM4RT5Yg6/rSTJq6vQaIu88ewc0Jat+V/d4O6o4Cw6GaVoDG7+
5oDOoztsAIhcvzzYaAg2uZ6Em1+X+3fqcvtzRwCwqHxkOPHMwClxZ2V2TIBYl8hi
Yz7xPsAOSF9VIY+WaL1BFHoLjDFbOayjoJlYJPrZGTIcny2p7bmXpGYwKdiCovX8
bRDxrB0/+96hDraEkNRVXCEbHyFFksWaRwUPuBx4brlro6mNsVn/9OZxdzgS/kGP
BJIIPzIqkl4Ke34E7iQQOfOsXgSTkaKPkAQzXFyUs4ArQ7/jdGQg9ACybHuod/t0
Nc7dtl+DGMTnMRqNMA3E
-----END CERTIFICATE-----
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3913 bytes and written 471 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BB250000BC2041427B6953AE49C04B712878A809F66FBE17ABF2A62A6509768F
    Session-ID-ctx: 
    Master-Key: 65E75660D1D96EA0A646E4EA32CB8ED2AE8B9DB520D97FAE4316ABF78C32FFFD7A8F6697892F37DC1AE8317402294FAD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1609856631
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
* OK The Microsoft Exchange IMAP4 service is ready. [QwBQADIAUAAyADEANQBDAEEAMAAwADMAOQAuAEwAQQBNAFAAMgAxADUALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
TAG1 AUTHENTICATE XOAUTH2 {REDACTED}
TAG1 NO AUTHENTICATE failed.

Response from php-imap after line changing:

>> TAG1 AUTHENTICATE XOAUTH2  {REDACTED}
>> TAG2 LOGOUT
<< ["BYE Microsoft Exchange Server IMAP4 server signing off.\r\n"]
{"success":1,"S":"connection setup failed"}

---

• I have retested the openssl command with the right payload at TAG1 but got the same result.

[EthraZa]

It's maybe related to https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/87 and https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/100

[Webklex]

According to these two the payload should be correct and the request as well, or am I missing something?

[EthraZa]

Now I am feeling a mixture of shame (of not RTFM), anger (to the M$) and relief (to get things work).

According to the issue 87, the guy find out that the scope should be https://outlook.office365.com/IMAP.AccessAsUser.All instead of https://graph.microsoft.com/IMAP.AccessAsUser.All.
But since M$ can't make up their minds about what their domain should be, at least for now, the scope must be https://outlook.office.com/IMAP.AccessAsUser.All.

Thank you so much for your attention. Webklex rocks.

[Webklex]

Hi @EthraZa ,
thank you for finding and posting a solution. I'll add it to the documentation (including credits of course) :)

Thanks again,

Update 22.01.2021:
Documentation updated: https://www.php-imap.com/examples/oauth

[freescout-helpdesk]

@EthraZa Did you connect to the free Outlook mail? or to Microsoft Exchange Server?

By some reason we keep receiving NO AUTHENTICATE failed. error when trying to connect via IMAP: #207