Outlook
A family of Microsoft email and calendar products.
3,427 questions
Problem with connecting to Outlook via IMAP using OAuth2 authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 45%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Serhii Bezkostnyi
5
Reputation points
We are building a solution where we connect to email mailboxes via IMAP, fetch and store some relevant emails, so that later we can display them in the web UI. Later on we plan to add support for replying to the relevant emails directly from web UI.
We have implemented OAuth2 for authenticating an IMAP connection to Outlook mailboxes via OAuth2 identity platform using authorization code flow. It was working during the initial testing using personal Outlook mailboxes (the ones from outlook.live.com) back in ~January/February 2024, but it doesn't work anymore. We also need it to work with enterprise Outlook mailboxes, but we didn't test if it worked back in ~January/February 2024.
Nowadays it fails when trying to authenticate IMAP connection to Outlook mailbox, even the personal one. The authorization code flow itself works fine and we are able to get access tokens without any problems, but these access tokens not working as expected.
Error we are getting:
DEBUG IMAP: AUTHENTICATE XOAUTH2 command result: A1 NO AUTHENTICATE failed.
Some technical details about our solution:
- It's written in Java and we are using Java Mail library to establish IMAP connection, fetch and store some relevant emails
- We are using SASL XOAUTH2 authentication mechanism for IMAP
- We have an application registered in Microsoft Entra ID with the following settings:
- Supported account types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
- Configured permissions:
- Microsoft Graph (delegated)
- IMAP.AccessAsUser.All
- SMTP.Send
- User.Read
- offline_access
- Microsoft Graph (delegated)
During the OAuth2 authorization code flow we request IMAP.AccessAsUser.All, SMTP.Send, User.Read, offline_access scopes (without any prefixes), and use https://login.microsoftonline.com/common/oauth2/v2.0/authorize as authorization endpoint.
If we try to change scopes to be https://outlook.office.com/IMAP.AccessAsUser.All, SMTP.Send, User.Read, offline_access (as per documentation here), it expectedly fails during authorization code flow with invalid_scope error.
We have read documentation from here https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth, but it asks to use deprecated scopes that we cannot configure for our application anymore (they are not on the list), and later part of the document talks about using client credentials grant flow, which is not what we need (we want to access mailboxes on behalf of the user).
We would like to get help how to make it work. Thanks in advance!
EDIT:
We were able to make it work using the idea described in https://stackoverflow.com/a/48584417/25413714.
What we are doing now is the following:
- Acquire access & refresh tokens using Microsoft Graph scopes (
IMAP.AccessAsUser.All,SMTP.Send,User.Read,offline_access) - Immediately after that request a new access token using refresh token from the previous step, but this time with Outlook scopes (
https://outlook.office.com/IMAP.AccessAsUser.Allhttps://outlook.office.com/SMTP.Send)
This new access token works and allows an IMAP connection to Outlook. But this "solution" does not look like something intended and we are not sure how long it would continue to work.
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 96%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYH%3C/text%3E%3C/svg%3E)
Yakun Huang-MSFT 2,570 Reputation points Microsoft Vendor2024-06-05T08:15:24.73+00:00 Can you share with me the details of your access to the authorization endpoint error, so that we can better solve your problem.
-
Serhii Bezkostnyi 5 Reputation points
2024-06-06T12:24:49.49+00:00 Just to make it clear, we are not getting any error from the authorization endpoint during the OAuth token acquisition, but when trying to establish IMAP connection to Outlook.
This is a full debug log from Jakarta Mail library:
DEBUG: setDebug: Jakarta Mail version 2.1.2 DEBUG: getProvider() returning jakarta.mail.Provider[STORE,imap,org.eclipse.angus.mail.imap.IMAPStore,Oracle] DEBUG IMAP: mail.imap.fetchsize: 16384 DEBUG IMAP: mail.imap.ignorebodystructuresize: false DEBUG IMAP: mail.imap.statuscachetimeout: 1000 DEBUG IMAP: mail.imap.appendbuffersize: -1 DEBUG IMAP: mail.imap.minidletime: 10 DEBUG IMAP: peek DEBUG IMAP: closeFoldersOnStoreFailure DEBUG IMAP: trying to connect to host "outlook.office365.com", port 993, isSSL true * OK The Microsoft Exchange IMAP4 service is ready. [VgBJADEAUAAxADkANQBDAEEAMAAwADgAMQAuAEUAVQBSAFAAMQA5ADUALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==] C0 CAPABILITY * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+ C0 OK CAPABILITY completed. DEBUG IMAP: AUTH: PLAIN DEBUG IMAP: AUTH: XOAUTH2 DEBUG IMAP: protocolConnect login, host=outlook.office365.com, user=<email here>, password=<non-null> DEBUG IMAP: AUTHENTICATE XOAUTH2 command trace suppressed DEBUG IMAP: AUTHENTICATE XOAUTH2 command result: C1 NO AUTHENTICATE failed.Also, please see my edit to the question with the workaround we have found.
Thanks for you help in advance!
Sign in to comment