Stopped working with mbsync as local client side

[geeohgeegeeoh]

I know vague bug reports are very frustrating so I just want to observe this code didn't work on a clean install, run under uv to satisfy requirements. It hung at the auth phase and then started reporting invalid password/token.

IMAP server is O365 hosted on Microsoft. It hasn't changed afaik.

The client is mbsync (-from isync package) using gpg to decrypt the login password used for OAUTH2. I believe this set up attempts to use PLAIN. Confusing, but that's what it seemed to be negotiating across the TLS binding to office365. I don't have logs from the old set up, so it could be about the clean build of mbsync not tickling the right negotiation in the proxy to turn on OAUTH2.

This is after a 5 week Off-line hiatus, so it had no cached auth or refresh tokens. New mac (old one was wiped when I changed jobs)

Same client with cyrus-sasl2 mods works fine with mutt's oauth2.py code. Bootstrapped a secret store and with some gpg quirks continues to run. That uses XOAUTH2 validation.

Head osx version. Same uv instance for both to fix dependencies.

The .config file was identical, taken from a time machine backup.

[simonrob]

When you say it hangs at the auth phase, what do you mean? This is normally expected behaviour given that you need to interactively authorise your account.

Please post the configuration file and debug log so I can look into it further.

[geeohgeegeeoh]

When you say it hangs at the auth phase, what do you mean? This is normally expected behaviour given that you need to interactively authorise your account.

I have the secret in a gpg encoded file and use isync/mbsync to unlock it via PassCmd setting. This worked fine previously. But with a validly bootstrapped auth and renew token state and a long TTL written back into the proxy config. After 5 weeks Off-line, perhaps it had to invoke a higher cost function to re-establish a token chain? I have no idea. It didn't even look to be taking the input stream of the a1 login user@host password phase of IMAP. When it stopped hanging, it started saying both invalid password and invalid token.

Because I had to recompile isync it's always possible I had missed some component of logic like sasl linkage compared to my prior build. I don't think so but you would go to user error here plausibly

Please post the configuration file and debug log so I can look into it further.

Sure.

So it's clear: this configuration is substantively what came from the old working OSX build. because it had True for the token wipe, its devoid of token state. It's using the Thunderbird client ID and secret as before.

The isync/mbsync client is a rebuild, but running the same configuration (also from the old working OSX build) and with a refreshed gpg secret file in PassCmd for decoding, which has been tested.

I am tending to think the use of PLAIN is an indication something has changed in the binary, and it's failing to handshake correctly with the proxy to pass over the OAuth secret info.

It may also be that I now run the email-oauth-proxy under uv, and so the requirements chain is satisfied somehow differently and it e.g. misses the SASL config needed to turn on XOAUTH2 talking to the upstream, but these are uninformed comments.

the exact same GPG encoded secret key works with the mutt oauth2.py feeding mbsync via a slightly different configuration file for mbsync. So the input secret side, works, with a tool which successfully negotiates XOAUTH2 across the IMAP boundary.

I like the proxy, I'd rather use it. But I do have a working mutt-depending path to get mail into my hands. So If you can't work this one out, I am not bereft. You may well have more important bugs to triage.

[Email OAuth 2.0 Proxy configuration file]

[IMAP-1993]
local_address = localhost
server_address = outlook.office365.com
server_port = 993

[POP-1995]
server_address = outlook.office365.com
server_port = 995

[SMTP-1587]
server_address = smtp.office365.com
server_port = 587
starttls = True

[Account setup]

[ggm@apnic.net]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access
redirect_uri = http://localhost
client_id = 08162f7c-0fd2-4200-a84a-f25a4db0b584
client_secret = TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82
last_activity = 1745976033

[emailproxy]
delete_account_token_on_password_error = True
encrypt_client_secret_on_first_use = False
allow_catch_all_accounts = False

and the log stream:

log stream --predicate 'subsystem == "ac.robinson.email-oauth2-proxy"' --level=debug
Filtering the log data using "subsystem == "ac.robinson.email-oauth2-proxy""

Timestamp                       Thread     Type        Activity             PID    TTL  
2025-08-26 18:41:40.059842+1000 0x10722b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Initialising Email OAuth 2.0 Proxy (version 2025-07-18) in debug mode from config file /Users/ggm/Source/email-oauth2-proxy/emailproxy.config
2025-08-26 18:41:40.060462+1000 0x10722b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Starting IMAP server at localhost:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2025-08-26 18:41:40.063627+1000 0x10722b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Starting POP server at [::]:1995 (unsecured) proxying outlook.office365.com:995 (SSL/TLS)
2025-08-26 18:41:40.063846+1000 0x10722b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Starting SMTP server at [::]:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2025-08-26 18:41:40.064032+1000 0x10722b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin

2025-08-26 18:47:04.181133+1000 0x107234   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] New incoming connection to IMAP server at localhost:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2025-08-26 18:47:04.181476+1000 0x107234   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Accepting new connection from [::1]:54652 to IMAP server at localhost:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2025-08-26 18:47:04.261019+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993) --> [ Client connected ]
2025-08-26 18:47:04.261150+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993) <-> [ Starting TLS handshake ]
2025-08-26 18:47:04.309396+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993) <-> [ TLSv1.2 handshake complete ]
2025-08-26 18:47:04.321075+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [UwBZADUAUABSADAAMQBDAEEAMAAxADEAMgAuAGEAdQBzAHAAcgBkADAAMQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]\r\n'
2025-08-26 18:47:04.321165+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [UwBZADUAUABSADAAMQBDAEEAMAAxADEAMgAuAGEAdQBzAHAAcgBkADAAMQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]\r\n'
2025-08-26 18:47:04.321908+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993) --> b'1 CAPABILITY\r\n'
2025-08-26 18:47:04.321959+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993)     --> b'1 CAPABILITY\r\n'
2025-08-26 18:47:04.339290+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993)     <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2025-08-26 18:47:04.339694+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2025-08-26 18:47:04.339818+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993)     <-- b'1 OK CAPABILITY completed.\r\n'
2025-08-26 18:47:04.339921+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993) <-- b'1 OK CAPABILITY completed.\r\n'
2025-08-26 18:47:04.445066+1000 0x10999b   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54652-{[::1]:1993}-outlook.office365.com:993) --> b'2 AUTHENTICATE PLAIN [[ Credentials removed from proxy log ]]\r\n'
2025-08-26 18:47:05.034853+1000 0x10999b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Retrying login due to exception while decrypting OAuth 2.0 credentials for account ggm@apnic.net (invalid password): InvalidToken()
2025-08-26 18:47:05.384229+1000 0x10722b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Authorisation request received for ggm@apnic.net (interactive mode)
2025-08-26 18:47:24.453862+1000 0x107234   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] New incoming connection to IMAP server at localhost:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2025-08-26 18:47:24.454132+1000 0x107234   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Accepting new connection from [::1]:54654 to IMAP server at localhost:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2025-08-26 18:47:24.530466+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993) --> [ Client connected ]
2025-08-26 18:47:24.530531+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993) <-> [ Starting TLS handshake ]
2025-08-26 18:47:24.570457+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993) <-> [ TLSv1.2 handshake complete ]
2025-08-26 18:47:24.578217+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [UwBZADUAUAAzADAAMABDAEEAMAAwADgANAAuAEEAVQBTAFAAMwAwADAALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2025-08-26 18:47:24.578284+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [UwBZADUAUAAzADAAMABDAEEAMAAwADgANAAuAEEAVQBTAFAAMwAwADAALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2025-08-26 18:47:24.578591+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993) --> b'1 CAPABILITY\r\n'
2025-08-26 18:47:24.578647+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993)     --> b'1 CAPABILITY\r\n'
2025-08-26 18:47:24.594376+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993)     <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2025-08-26 18:47:24.594457+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2025-08-26 18:47:24.594510+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993)     <-- b'1 OK CAPABILITY completed.\r\n'
2025-08-26 18:47:24.594535+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993) <-- b'1 OK CAPABILITY completed.\r\n'
2025-08-26 18:47:24.680433+1000 0x109ba4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54654-{[::1]:1993}-outlook.office365.com:993) --> b'2 AUTHENTICATE PLAIN [[ Credentials removed from proxy log ]]\r\n'
2025-08-26 18:47:25.028669+1000 0x10722b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Authorisation request received for ggm@apnic.net (interactive mode)
2025-08-26 18:47:44.689603+1000 0x107234   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] New incoming connection to IMAP server at localhost:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2025-08-26 18:47:44.689893+1000 0x107234   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Accepting new connection from [::1]:54657 to IMAP server at localhost:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2025-08-26 18:47:44.771871+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993) --> [ Client connected ]
2025-08-26 18:47:44.772000+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993) <-> [ Starting TLS handshake ]
2025-08-26 18:47:44.819611+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993) <-> [ TLSv1.2 handshake complete ]
2025-08-26 18:47:44.836706+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [UwBZAEIAUABSADAAMQBDAEEAMAAxADQANQAuAGEAdQBzAHAAcgBkADAAMQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]\r\n'
2025-08-26 18:47:44.836788+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [UwBZAEIAUABSADAAMQBDAEEAMAAxADQANQAuAGEAdQBzAHAAcgBkADAAMQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]\r\n'
2025-08-26 18:47:44.837035+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993) --> b'1 CAPABILITY\r\n'
2025-08-26 18:47:44.837076+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993)     --> b'1 CAPABILITY\r\n'
2025-08-26 18:47:44.854133+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993)     <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2025-08-26 18:47:44.854202+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2025-08-26 18:47:44.854253+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993)     <-- b'1 OK CAPABILITY completed.\r\n'
2025-08-26 18:47:44.854288+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993) <-- b'1 OK CAPABILITY completed.\r\n'
2025-08-26 18:47:44.943437+1000 0x109da4   Debug       0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] IMAP ([::1]:54657-{[::1]:1993}-outlook.office365.com:993) --> b'2 AUTHENTICATE PLAIN [[ Credentials removed from proxy log ]]\r\n'
2025-08-26 18:47:45.290596+1000 0x10722b   Info        0x0                  26536  0    Python: (_pyoslog.cpython-313-darwin.so) [ac.robinson.email-oauth2-proxy:default] Authorisation request received for ggm@apnic.net (interactive mode)

[simonrob]

There's nothing unusual in the proxy log here. First there's an InvalidToken error due to the expired credentials you started with. Next, there's an interactive authorisation request, but no attempt to respond to this and actually authorise the account. The proxy waits for you to respond to authorisation requests either via the GUI or (if in --no-gui mode) via another method (see the readme for options you can specify here). This is the hang you observed.

I'm not sure I quite follow your explanation around how you handle secrets. Are you talking about the password your client uses to authenticate using IMAP, or (when you mention validly bootstrapped auth and renew token state and a long TTL written back into the proxy config), are you injecting these into the proxy's configuration file externally?

[geeohgeegeeoh]

Mbsync uses a .mbsyncrc configuration file. PassCmd is a setting in .mbsyncrc which specifies an external command to be executed by a shell pipe, stdin/stdout binding. In my case, it's a call to gpg -d on the crypted file, which invokes a gui to decode, and then passes the secret string to the IMAP channel.

With no substantive change to the configuration files, this previously worked as a path for mbsync to call via localhost 1993 and .. do oauth via the proxy.

The "waits for you to respond" was previously satisfied by this.

So now, I changed mbsync to configure using mutt_oauth2.py and specified direct connect to microsoft, and have the same PassCmd and .. it works. That's all that's changed, and it works. The mutt_oauth2.py provides the wrapped exchange to satisfy XOAUTH2 to o365.

[simonrob]

Mutt's OAuth code is fundamentally the same as that of the proxy – at some point you are going to have to get tokens from your email provider (i.e., Microsoft). The waiting for a response part refers to this interactive authentication and authorisation in a browser. Unless you're manually loading a pre-encrypted OAuth 2.0 refresh token into the proxy's configuration file, there's no way around this with the standard authorisation code flow. This is equivalent to here where the Mutt script cannot proceed without running authorisation at least one. Just respond to the prompt in the proxy's GUI and it will start working again.

[geeohgeegeeoh]

Aha. In --no-gui mode that text activity is almost identical to the gpg one I do get from mbsync. The thing is, that prompt from the proxy hasn't been appearing. I forgot to say that. So maybe my problem isn't the dialogue between proxy and client, it's the lack of prompting for the oauth phase by the proxy.

Maybe that's a side effect of uv run. I will try a forced native pip dependency chain and see if I get the prompt back.

[geeohgeegeeoh]

Looks like it was uv. I did uv pip add -r requirements-gui.txt and then uv run emailproxy.py --debug and this time, I get the OKTA auth sequence, and things worked fine. Why the requirements-core.txt didn't invoke this OKTA phase isn't clear to me.

Sorry for noise. I'd close this. There's probably nothing for you to do here. Thanks for the guidance!

[simonrob]

Interesting - thanks for following up. There shouldn't be any difference when installing via uv, so I will leave this open and investigate a bit further just in case.

[simonrob]

Just to follow up: I tested uv run emailproxy.py --no-gui --external-auth and uv run emailproxy.py --no-gui --local-server-auth and was not able to replicate the lack of authorisation prompt. Perhaps some issue with your configuration; either way, since it can't be reproduced, I'll close this issue.

[abreuferr]

@geeohgeegeeoh

I'm reading the forum history and I noticed that you had a problem with email-oauth2proxy and OKTA. Is this statement correct? If so, was it enough to run the command "uv pip add -r requirements-gui.txt" to solve the problem?