Open
Description
Steps to reproduce
- Set up app registration in Azure AD as described in the manual
- Instead of setting the supported account types to multi-tenant + personal accounts, select single tenant
- Configure the client ID and secret in the Groupware settings
- Try to connect a new mail account that uses this Microsoft 365 app
- Fill in the correct credentials in the OAuth pop-up and allow the app access
Expected behavior
After logging in, the error indicating that the app is misconfigured should be handled, instead of a non-functional account being created.
Actual behavior
Account setup fails. The error logs contain the error message
OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113
So, the account was created without valid credentials.
Mail app version
3.5.7
Mailserver or service
Microsoft 365
Operating system
Debian GNU/Linux 12 (bookworm)
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database
PostgreSQL
Additional info
When the OAuth flow redirects back after the pop-up, the error information returned by the identity provider (the `error` and `error_description` query parameters) is not handled, so account creation is not blocked/cancelled. The redirect URL is as follows:
W.X.Y.Z - - [09/Apr/2024:11:44:40 +0200] "GET /apps/mail/integration/microsoft-auth?error=invalid_request&error_description=AADSTS50194%3a+Application+%27[...]+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27.+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant.[...]
Nextcloud log entries of the error
{
"reqId": "2obomk7psF2hURvNwOc1",
"level": 3,
"time": "2024-04-09T08:55:56+00:00",
"remoteAddr": "[...]",
"user": "[...]",
"app": "mail",
"method": "GET",
"url": "/apps/mail/api/mailboxes?accountId=3",
"message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113",
"userAgent": "[...]",
"version": "28.0.4.1",
"exception": {
"Exception": "Exception",
"Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113",
"Code": 0,
"Trace": [
{
"file": "/var/www/html/lib/private/AppFramework/App.php",
"line": 184,
"function": "dispatch",
"class": "OC\\AppFramework\\Http\\Dispatcher",
"type": "->",
"args": [
[
"OCA\\Mail\\Controller\\MailboxesController"
],
"index"
]
},
{
"file": "/var/www/html/lib/private/Route/Router.php",
"line": 315,
"function": "main",
"class": "OC\\AppFramework\\App",
"type": "::",
"args": [
"OCA\\Mail\\Controller\\MailboxesController",
"index",
[
"OC\\AppFramework\\DependencyInjection\\DIContainer"
],
[
"mail.mailboxes.index"
]
]
},
{
"file": "/var/www/html/lib/base.php",
"line": 1069,
"function": "match",
"class": "OC\\Route\\Router",
"type": "->",
"args": [
"/apps/mail/api/mailboxes"
]
},
{
"file": "/var/www/html/index.php",
"line": 39,
"function": "handleRequest",
"class": "OC",
"type": "::",
"args": []
}
],
"File": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
"Line": 169,
"Previous": {
"Exception": "TypeError",
"Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112",
"Code": 0,
"Trace": [
{
"file": "/var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php",
"line": 112,
"function": "decrypt",
"class": "OC\\Security\\Crypto",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/custom_apps/:",
"line": 39,
"function": "handleRequest",
"class": "OC",
"type": "::",
"args": []
}
],
"File": "/var/www/html/apps/text/lib/Service/DocumentService.php",
"Line": 501,
"message": "No permission to access this file",
"exception": {},
"CustomMessage": "No permission to access this file"
}
}
}{
"reqId": "JWjfvreE1UDOj7eqnc8E",
"level": 3,
"time": "2024-04-09T08:59:11+00:00",
"remoteAddr": "[...]",
"user": "[...]",
"app": "mail",
"method": "GET",
"url": "/apps/mail/",
"message": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112",
"userAgent": "[...]",
"version": "28.0.4.1",
"exception": {
"Exception": "TypeError",
"Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112",
"Code": 0,
"Trace": [
{
"file": "/var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php",
"line": 112,
"function": "decrypt",
"class": "OC\\Security\\Crypto",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/custom_apps/mail/lib/IMAP/MailboxSync.php",
"line": 103,
"function": "getClient",
"class": "OCA\\Mail\\IMAP\\IMAPClientFactory",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/custom_apps/mail/lib/Service/MailManager.php",
"line": 148,
"function": "sync",
"class": "OCA\\Mail\\IMAP\\MailboxSync",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/custom_apps/mail/lib/Controller/PageController.php",
"line": 160,
"function": "getMailboxes",
"class": "OCA\\Mail\\Service\\MailManager",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
"line": 230,
"function": "index",
"class": "OCA\\Mail\\Controller\\PageController",
"type": "->",
"args": []
},
{
"file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
"line": 137,
"function": "executeController",
"class": "OC\\AppFramework\\Http\\Dispatcher",
"type": "->",
"args": [
[
"OCA\\Mail\\Controller\\PageController"
],
"index"
]
},
{
"file": "/var/www/html/lib/private/AppFramework/App.php",
"line": 184,
"function": "dispatch",
"class": "OC\\AppFramework\\Http\\Dispatcher",
"type": "->",
"args": [
[
"OCA\\Mail\\Controller\\PageController"
],
"index"
]
},
{
"file": "/var/www/html/lib/private/Route/Router.php",
"line": 315,
"function": "main",
"class": "OC\\AppFramework\\App",
"type": "::",
"args": [
"OCA\\Mail\\Controller\\PageController",
"index",
[
"OC\\AppFramework\\DependencyInjection\\DIContainer"
],
[
"mail.page.index"
]
]
},
{
"file": "/var/www/html/lib/base.php",
"line": 1069,
"function": "match",
"class": "OC\\Route\\Router",
"type": "->",
"args": [
"/apps/mail/"
]
},
{
"file": "/var/www/html/index.php",
"line": 39,
"function": "handleRequest",
"class": "OC",
"type": "::",
"args": []
}
],
"File": "/var/www/html/lib/private/Security/Crypto.php",
"Line": 113,
"message": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112",
"exception": {},
"CustomMessage": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112"
}
}