Modern Authentication Access Token works for IMAP but doesn't for POP3

Baran ÇAMLI 0 Reputation points
2023-05-10T18:52:17.1933333+00:00

I've encountered a problem with the pop3s protocol. I want to authenticate using the access token I got from the Device Code flow from o365. I followed these steps:

  1. Get a device code with my organization's client_id and scope:
    1. openid
    2. offline_access
    3. https://outlook.office.com/EWS.AccessAsUser.All
    4. https://outlook.office.com/Mail.Read
    5. https://outlook.office.com/IMAP.AccessAsUser.All
    6. https://outlook.office.com/SMTP.Send
    7. https://outlook.office.com/POP.AccessAsUser.All
  2. Log in to microsoft.com/devicelogin and give the necessary permissions
  3. Get an access token from Microsoft using the same scope and the device code from the step before

I want to authenticate using imap, curl and mapi. When I try this access code with IMAP:

curl -vvv --url "imaps://outlook.office365.com" --user "barancamli@outlook.com" --oauth2-bearer "<my_auth_token>"

I get a successful authentication message:

*   Trying 52.98.168.178:993...
* Connected to outlook.office365.com (52.98.168.178) port 993 (#0)
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; CN=outlook.com
*  start date: Jul 26 00:00:00 2022 GMT
*  expire date: Jul 25 23:59:59 2023 GMT
*  subjectAltName: host "outlook.office365.com" matched cert's "*.office365.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Cloud Services CA-1
*  SSL certificate verify ok.
< * OK The Microsoft Exchange IMAP4 service is ready. [...]
> A001 CAPABILITY
< * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
< A001 OK CAPABILITY completed.
> A002 AUTHENTICATE XOAUTH2 <my_auth_token>
< A002 OK AUTHENTICATE completed.
> A003 LIST "" *
< * LIST (\HasNoChildren) "/" Archive
* LIST (\HasNoChildren) "/" Archive
< * LIST (\HasChildren \Trash) "/" Deleted
* LIST (\HasChildren \Trash) "/" Deleted
< * LIST (\HasNoChildren \Drafts) "/" Drafts
* LIST (\HasNoChildren \Drafts) "/" Drafts
< * LIST (\Marked \HasNoChildren) "/" Inbox
* LIST (\Marked \HasNoChildren) "/" Inbox
< * LIST (\HasNoChildren \Junk) "/" Junk
* LIST (\HasNoChildren \Junk) "/" Junk
< * LIST (\HasNoChildren) "/" Notes
* LIST (\HasNoChildren) "/" Notes
< * LIST (\HasNoChildren) "/" Outbox
* LIST (\HasNoChildren) "/" Outbox
< * LIST (\HasNoChildren \Sent) "/" Sent
* LIST (\HasNoChildren \Sent) "/" Sent
< A003 OK LIST completed.
* Connection #0 to host outlook.office365.com left intact

However, when I try with the same token for pop3:

curl -vvv --url "pop3s://outlook.office365.com" --user "barancamli@outlook.com" --oauth2-bearer "<my_auth_token>"

I get the following response:

*   Trying 52.98.246.50:995...
* Connected to outlook.office365.com (52.98.246.50) port 995 (#0)
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; CN=outlook.com
*  start date: Jul 26 00:00:00 2022 GMT
*  expire date: Jul 25 23:59:59 2023 GMT
*  subjectAltName: host "outlook.office365.com" matched cert's "*.office365.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Cloud Services CA-1
*  SSL certificate verify ok.
< +OK The Microsoft Exchange POP3 service is ready. [...]
> CAPA
< +OK
< TOP
< UIDL
< SASL PLAIN XOAUTH2
< USER
< .
> AUTH XOAUTH2
< + 
> my_auth_code
< -ERR Authentication failure: unknown user name or bad password.
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (67) Login denied

Thank you for your time and help in advance!
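
A diagnostic for the situation described above, added here as an example and not part of the original post: it builds the SASL XOAUTH2 string that is sent after `AUTH XOAUTH2`, and reads the token's unverified claims to list which required scopes are absent. The function names and the sample token are constructed for illustration, and it assumes the access token is a JWT whose `scp` claim is a space-separated scope list; an opaque token yields `None`.

```python
import base64
import json

def xoauth2_initial_response(user, access_token):
    """Base64 SASL XOAUTH2 string: user=<user>^Aauth=Bearer <token>^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def jwt_claims(token):
    """Unverified payload of a JWT, or None when the token is opaque."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def missing_scopes(token, required):
    """Scopes in `required` absent from the scp claim (None if opaque)."""
    claims = jwt_claims(token)
    if claims is None:
        return None
    granted = set(str(claims.get("scp", "")).split())
    return sorted(s for s in required if s not in granted)

def _b64url(obj):
    # Helper used only to build the constructed sample token below.
    data = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed, unsigned sample token (not a real credential).
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": "https://outlook.office.com",
             "scp": "IMAP.AccessAsUser.All SMTP.Send"}),
    "constructed-signature",
])

if __name__ == "__main__":
    wanted = ["IMAP.AccessAsUser.All", "POP.AccessAsUser.All"]
    print(jwt_claims(SAMPLE_TOKEN)["aud"])
    print(missing_scopes(SAMPLE_TOKEN, wanted))
    print(xoauth2_initial_response("user@example.com", "<token>"))
```

The claims are read without verifying the signature, so this is for inspecting your own token only, never for making an authorization decision.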

Microsoft Entra ID