Authentication failed after retrieving token from Graph client cred flow using token with javax mail api to connect to outlook from webapp

Kaustav Pakira 21 Reputation points
2022-09-15T07:16:17.443+00:00

I am trying to connect to an Outlook mailbox using the javax.mail API from my web app. After retrieving the access token from Graph, when I use it with the connect method of javax.mail, it throws authentication failed.

My application permissions in Azure AD:

241307-image.png

I am getting the log below:

------------------------------

Client ID : b002cff1-db45-4bea-8a00-8c39eba36436
Client Secret : srF8Q~bEXf9sFvrqvkyvUEcoHHEMgGEHjVzPCc0d
Auth Server: https://login.microsoftonline.com/consumers/oauth2/v2.0/token
Scope: https://outlook.office365.com/.default
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Access Token : [JWT access token omitted]
DEBUG: JavaMail version 1.6.2
DEBUG: successfully loaded resource: /META-INF/javamail.default.address.map
DEBUG: setDebug: JavaMail version 1.6.2
DEBUG: getProvider() returning javax.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Oracle]
DEBUG IMAPS: mail.imap.fetchsize: 16384
DEBUG IMAPS: mail.imap.ignorebodystructuresize: false
DEBUG IMAPS: mail.imap.statuscachetimeout: 1000
DEBUG IMAPS: mail.imap.appendbuffersize: -1
DEBUG IMAPS: mail.imap.minidletime: 10
DEBUG IMAPS: enable STARTTLS
DEBUG IMAPS: enable SASL
DEBUG IMAPS: SASL mechanisms allowed: XOAUTH2
DEBUG IMAPS: closeFoldersOnStoreFailure
OAUTH2 IMAP trying to connect with system properties to Host:outlook.office365.com, Port: 993, userEmailId: Kaustav.Pakira@adventureconsultancysolutions.com, AccessToken: [JWT access token omitted]
DEBUG IMAPS: trying to connect to host "imap-mail.outlook.com", port 993, isSSL true
OK The Microsoft Exchange IMAP4 service is ready. [UABOADMAUABSADAAMQBDAEEAMAAwADEAMQAuAEkATgBEAFAAUgBEADAAMQAuAFAAUgBPAEQALgBPAFUAVABMAE8ATwBLAC4AQwBPAE0A]
A0 CAPABILITY
CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
A0 OK CAPABILITY completed.
DEBUG IMAPS: AUTH: PLAIN
DEBUG IMAPS: AUTH: XOAUTH2
DEBUG IMAPS: protocolConnect login, host=imap-mail.outlook.com, user=Kaustav.Pakira@adventureconsultancysolutions.com, password=<non-null>
DEBUG IMAPS: SASL Mechanisms:
DEBUG IMAPS: XOAUTH2
DEBUG IMAPS:
DEBUG IMAPS: SASL client XOAUTH2
DEBUG IMAPS: SASL callback length: 2
DEBUG IMAPS: SASL callback 0: javax.security.auth.callback.NameCallback@ba4d54
DEBUG IMAPS: SASL callback 1: javax.security.auth.callback.PasswordCallback@12bc6874
A1 AUTHENTICATE XOAUTH2 [base64 SASL initial response omitted]
A1 NO AUTHENTICATE failed.
Store.Connect failed with the errror: AUTHENTICATE failed.
javax.mail.AuthenticationFailedException: AUTHENTICATE failed.
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:732)
at javax.mail.Service.connect(Service.java:366)
at javax.mail.Service.connect(Service.java:246)
at graphtutorial.App3ClientCredFlow.connect(App3ClientCredFlow.java:150)
at graphtutorial.App3ClientCredFlow.main(App3ClientCredFlow.java:37)

------------------------------

The code I am using:

---------------------------

package graphtutorial;

import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import java.util.concurrent.CompletableFuture;

import javax.mail.Session;
import javax.mail.Store;

import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ClientCredentialParameters;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
import com.microsoft.graph.models.User;
import com.microsoft.graph.requests.GraphServiceClient;

public class App3ClientCredFlow {

public static void main(String[] args) throws Exception{  
	// TODO Auto-generated method stub  
	  
	App3ClientCredFlow app3 = new App3ClientCredFlow();  
    Store store = null;  
      
   String accessToken = app3.getAccessTokenByClientCredentialGrant();  
    //String accessToken="E2ZgYPAsVCqwmy1Ty6L2pDf7cLYlAA==";  
    String emailId = "Kaustav.Pakira@adventureconsultancysolutions.com";  

    try {  
        store = app3.connect(emailId, accessToken );  
    } catch (Exception ex) {  
        System.out.println("Exception in connecting to email " + ex.getMessage());  
        ex.printStackTrace();  
          
    }  


}  

public String getAccessTokenByClientCredentialGrant()  {  
      
    String accessToken = null;  
    String clientId = "b002cff1-db45-4bea-8a00-8c39eba36436";  
    String secret = "srF8Q~bEXf9sFvrqvkyvUEcoHHEMgGEHjVzPCc0d";  
    String authority = "https://login.microsoftonline.com/consumers/oauth2/v2.0/token";  
    String scope = "https://outlook.office365.com/.default";  
    System.out.println("Client ID : "+clientId);  
    System.out.println("Client Secret : "+secret);  
    System.out.println("Auth Server: "+authority);  
    System.out.println("Scope: "+scope);  
      
    try {  
          
      
        ConfidentialClientApplication app = ConfidentialClientApplication.builder(  
                clientId,  
                ClientCredentialFactory.createFromSecret(secret))  
                .authority(authority)  
                .build();     
          
        // With client credentials flows the scope is ALWAYS of the shape "resource/.default", as the  
        // application permissions need to be set statically (in the portal), and then granted by a tenant administrator  
        ClientCredentialParameters clientCredentialParam = ClientCredentialParameters.builder(  
                Collections.singleton(scope))  
                .build();  
          
        CompletableFuture<IAuthenticationResult> future = app.acquireToken(clientCredentialParam);  
        IAuthenticationResult result = future.get();  
        accessToken = result.accessToken();  
          
    } catch(Exception e) {  
    	System.out.println("Exception in acquiring token: "+e.getMessage());  
        e.printStackTrace();  
    }  
    System.out.println("Access Token : "+accessToken);  
    return accessToken;  
}  

//This method connects to store using the access token  
public Store connect(String userEmailId, String oauth2AccessToken) throws Exception {  

    String host = "outlook.office365.com";  
    String port = "993";  
    Store store = null;  
      
      
    String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";  
    Properties props= new Properties();  

    props.put("mail.imaps.ssl.enable", "true");  
    props.put("mail.imaps.sasl.enable", "true");  
    props.put("mail.imaps.port", port);  

    props.put("mail.imaps.auth.mechanisms", "XOAUTH2");  
    props.put("mail.imaps.sasl.mechanisms", "XOAUTH2");  
      
    props.put("mail.imaps.auth.login.disable", "true");  
    props.put("mail.imaps.auth.plain.disable", "true");  

    props.setProperty("mail.imaps.socketFactory.class", SSL_FACTORY);  
    props.setProperty("mail.imaps.socketFactory.fallback", "false");  
    props.setProperty("mail.imaps.socketFactory.port", port);  
    props.setProperty("mail.imaps.starttls.enable", "true");  

    props.put("mail.debug", "true");  
    props.put("mail.debug.auth", "true");  

    Session session = Session.getInstance(props);  
    session.setDebug(true);  
      
    store = session.getStore("imaps");  
      
    System.out.println("OAUTH2 IMAP trying to connect with system properties to Host:" + host + ", Port: "+ port  
            + ", userEmailId: " + userEmailId+ ", AccessToken: " + oauth2AccessToken);  
    try {  
      
        store.connect(host, userEmailId, oauth2AccessToken);  
        System.out.println("IMAP connected with system properties to Host:" + host + ", Port: "+ port  
            + ", userEmailId: " + userEmailId+ ", AccessToken: " + oauth2AccessToken);  
        if(store.isConnected()){  
        	System.out.println("Connection Established using imap protocol successfully !");        
        }  
    } catch (Exception e) {  
    	System.out.println("Store.Connect failed with the errror: "+e.getMessage());  
        StringWriter sw = new StringWriter();  
        e.printStackTrace(new PrintWriter(sw));  
        String exceptionAsString = sw.toString();  
        System.out.println(exceptionAsString);  
          
    }  

    return store;  

}  

}

---------------------------


Accepted answer
  1. Sheena-MSFT 1,731 Reputation points
    2022-09-29T14:23:39.677+00:00

    Hi @Kaustav Pakira,

    There are two types of grant flows: client credential and authorization flow. Since you have used the client credential flow in your code, we have to configure the application permission in the Azure app to get the roles in the access token.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


2 additional answers

  1. Kaustav Pakira 21 Reputation points
    2022-09-15T09:45:54.01+00:00

    @Shweta Mathur will you be able to help out, please?


  2. Kaustav Pakira 21 Reputation points
    2022-11-09T04:15:32.47+00:00

    Hi @Tony Vo, I have been able to resolve this by following the link here from MS Docs for IMAP auth:

    https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-imap-and-pop-connections

    You need the permissions as posted by me in the screenshot of the Azure app at the top. Make sure all the permissions are admin granted, whichever needs one.

    I am able to successfully authenticate to the IMAP account in Outlook.
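
The accepted answer's point about roles in the access token can be checked before the IMAP connect is attempted. This is an added example, not code from the thread: the class and method names are hypothetical, the tokens are constructed and unsigned, the expected audience is assumed from the scope used in the question, and the role name `IMAP.AccessAsApp` comes from the linked Microsoft document rather than from this page.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

public class TokenClaimCheck {
    // Decode the payload (second segment) of a JWT. No signature check: troubleshooting only.
    static String payloadJson(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("expected header.payload.signature");
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }
    // Regex extraction keeps the example dependency-free; use a JSON parser in real code.
    static String stringClaim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }
    static List<String> roles(String json) {
        List<String> found = new ArrayList<>();
        Matcher array = Pattern.compile("\"roles\"\\s*:\\s*\\[([^\\]]*)\\]").matcher(json);
        if (array.find()) {
            Matcher item = Pattern.compile("\"([^\"]*)\"").matcher(array.group(1));
            while (item.find()) found.add(item.group(1));
        }
        return found;
    }
    // Returns the reasons the token is unlikely to be accepted for IMAP; an empty list means none found.
    static List<String> problems(String jwt, String expectedAud, String requiredRole) {
        String json = payloadJson(jwt);
        List<String> issues = new ArrayList<>();
        String aud = stringClaim(json, "aud");
        if (!expectedAud.equals(aud)) issues.add("aud is " + aud + ", expected " + expectedAud);
        if (!roles(json).contains(requiredRole)) issues.add("roles claim lacks " + requiredRole);
        return issues;
    }
    // Builds a constructed, unsigned sample token around the given payload.
    static String sampleToken(String payload) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString("{}".getBytes(StandardCharsets.UTF_8)) + "." + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".constructed";
    }

    public static void main(String[] args) {
        String aud = "https://outlook.office365.com";   // assumed: resource part of the scope in the question
        String role = "IMAP.AccessAsApp";               // from the linked Microsoft doc, not this page
        String noRoles = sampleToken("{\"aud\":\"" + aud + "\",\"tid\":\"constructed-tenant\"}");
        String withRole = sampleToken("{\"aud\":\"" + aud + "\",\"roles\":[\"" + role + "\"]}");
        System.out.println("no roles : " + problems(noRoles, aud, role));
        System.out.println("with role: " + problems(withRole, aud, role));
    }
}
```

Passing the token returned by `getAccessTokenByClientCredentialGrant()` to `problems(...)` shows whether the app registration produced a roles claim, without writing the token itself to the log.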