Outlook client ID #332

Closed
marco-brandizi opened this issue Feb 13, 2024 · 8 comments

@marco-brandizi

#71 shows an authentication method that could be used with corporate MS accounts that are behind the (techno-fascist) InTune.

Until today, it was possible to tell DavMail the client ID and redirect URI that identify the Outlook Web App. This used to work as a means to bridge Thunderbird and corporate O365 accounts that are under this form of digital authoritarianism.

However, today the method stopped working: the login dialog that DavMail sends me ends with "your app is not approved". Is there a new client ID for this? Is there some other workaround?

Thanks in advance.

@s-p-turner

Fwiw, using the Outlook client ID and redirect URI in DavMail is still working for me. Therefore I'd say that neither value has changed from what's quoted in #71. I don't know if it makes a difference, but I use O365Interactive Exchange Protocol to connect to my corporate account.

@marco-brandizi
Author

marco-brandizi commented Feb 13, 2024

Thanks @s-p-turner. Some more investigation:

  • I suspect some b**@*x!*d has disabled all browsers except Safari (I'm on a Mac): when I Open the auth link from the DavMail Manual Authentication pop-up, Chrome replies that I should enroll my device into InTune; when I 'Copy' from the DavMail pop-up and paste in Safari, I can get on with the usual authentication dialogue.
  • However, even in Safari, at the end I get the usual window saying "Are you trying to sign in to Microsoft Office?", and when I click 'Continue', Safari replies with a pop-up saying: "Safari cannot open the page because the address is invalid".
  • When I could use Chrome, after 'Continue' at the same step, I got a stuck page, but with the JavaScript console saying something like "Can't open the address urn:ietf:wg:oauth... because the scheme isn't supported". That URN reported by the log message was the one to be put back in the DavMail pop-up. My understanding is Safari isn't equally geek-friendly.

Any idea how to fix it?

@s-p-turner

> Any idea how to fix it?

Sorry - no idea. I'm only an end user of DavMail.

> I suspect some b**@*x!*d has disabled all browsers except Safari (I'm on a Mac)

Fwiw I use Firefox on Windows.

@marco-brandizi
Author

Thanks, it does the same as Safari with FF (guess that at least, they're allowing Firefox too).

@marco-brandizi
Author

Bingo! Reporting my solution, possibly useful to other victims of this filthy techno-fascism:

  • In FF, open Tools -> Browser Tools -> Web Developer Tools, low bottom box opens, select the 'Network' tab
  • In DavMail Manual Authenticate, Copy the URL for the auth challenge in FF (pop-ups waiting for too long won't work, so make DavMail trigger the box from your email client)
  • In FF, proceed until the page "Are you trying to use MS Office" (MS Office, my a**e!), in the 'Network' log, you should see an entry about login.microsoftonline.com, select it and select the 'Headers' tab on the right box,
  • now you should see the 'Location' response header, containing something like urn:ietf:wg:oauth:2.0:oob?code=***, right-click on it and select 'Copy Value', paste it back to the DavMail Manual Authenticate box and click on 'Send'. Now your email client should work fine.

It's obscene that I have to go through all this pain, just because a bunch of capitalist sharks think that it's secure to dictate what apps the users should use for their work, but that's it, hope it will be useful.

@mguessan
Owner

@marco-brandizi it seems that dev tools are named Web Inspector in Safari, with similar features to Firefox and Chrome

https://developer.apple.com/safari/tools/

@mguessan
Owner

As an addition, in order to validate the code you obtain is correct you can do a test completely outside DavMail:

  • extract code from urn: url, make sure you don't include additional parameters after '&'

Call token endpoint with curl:

```shell
curl -d "grant_type=authorization_code&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&redirect_uri=urn:ietf:wg:oauth:2.0:oob&code=0......." \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -X POST https://login.microsoftonline.com/common/oauth2/token
```
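
The extraction step described in the comment above, as an added example (not part of the thread and not DavMail's own code): a POSIX shell function that checks the copied value is the out-of-band redirect and returns only the `code` parameter, dropping anything after '&'. The function name, return codes and sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example: extract the authorization code from the value copied out of
# the 'Location' response header. Function name and return codes are hypothetical.

OOB_REDIRECT='urn:ietf:wg:oauth:2.0:oob'

# Prints the code on stdout.
# Returns 1 if the value is not the out-of-band redirect,
#         2 if the redirect carries an OAuth error instead of a code,
#         3 if no code parameter is present.
extract_auth_code() {
    value=$1
    case $value in
        "$OOB_REDIRECT"\?*) ;;          # expected prefix followed by a query
        *) return 1 ;;
    esac
    query=${value#*\?}                  # keep everything after the first '?'
    code=
    err=
    old_ifs=$IFS
    IFS='&'
    set -f                              # no globbing while splitting on '&'
    for pair in $query; do
        case $pair in
            code=*)  code=${pair#code=} ;;
            error=*) err=${pair#error=} ;;
        esac
    done
    set +f
    IFS=$old_ifs
    if [ -n "$err" ]; then
        printf 'authorization failed: %s\n' "$err" >&2
        return 2
    fi
    [ -n "$code" ] || return 3
    printf '%s\n' "$code"
}

# Constructed sample value; a real one comes from the 'Location' response header.
sample='urn:ietf:wg:oauth:2.0:oob?code=0.CONSTRUCTED_code-value&session_state=00000000-0000-0000-0000-000000000000'
extract_auth_code "$sample"
```

The printed value is what goes into the `code=` field of the token request; it is left percent-encoded exactly as it appeared in the header.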

@mguessan
Owner

Closing this as we answered the initial question.

For Windows users I implemented a PowerShell script based on WebView2 to obtain a token on Entra ID joined workstations, available at: https://github.com/mguessan/o365psauth
Just fetch the source code zip, nothing to compile.

Script can work with interactive authentication or based on existing user session with -SSO option
