How to authenticate a backend Java IMAP Application using OAuth 2.0

Question

How to authenticate a backend Java IMAP Application using OAuth 2.0

Ahrshia Rezai 21

Hi,

I have a backend application that polls my outlook email and then depending on the email found does a job for them. This application currently uses basic authentication.

It has been brought to my attention that Microsoft intends to deprecate basic authentication this coming October 2022 per the following article.
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

The documents points out that instead of using basic authentication we should be using OAuth 2.0 authentication instead as it is more secure. I have found documentation on getting IMAP to work with OAuth 2.0 from the following article:
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#get-an-access-token

From looking at the documentation on using OAuth 2.0 in IMAP there is a distinct problem with using these two in a backend application. Per the above documentation "client credentials grant flow" which is the flow that should be used for backend daemon application to get the OAuth 2.0 token is not allowed to be used on IMAP and the article goes on to say we should use the Graph API instead.

I just want to confirm that after basic authentication is removed in October 2022 there will be no way a backend application (an application that requires no human input) that uses IMAP can connect to a window's mailbox? Any application that uses IMAP will now always require a user to authenticate it via a front end URL? All application that need no human input will need to rewritten to use the Graph API instead?

Biji 26 Reputation points

2022-12-16T23:40:37.67+00:00

Hi @Ahrshia Rezai Could you please confirm whether you were able to implement the OAUth2 solution for your application?

We are working on a similar need for my project and stuck with same Authentication error. Wanted to connect with you if possible to see what setup worked in your case.

Thanks !

Accepted answer

0 additional answers

Your answer

Biji 26 Reputation points

2022-12-16T23:40:37.67+00:00

Hi @Ahrshia Rezai Could you please confirm whether you were able to implement the OAUth2 solution for your application?

We are working on a similar need for my project and stuck with same Authentication error. Wanted to connect with you if possible to see what setup worked in your case.

Thanks !

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,521 Moderator

Hello @Ahrshia Rezai , users will need to acquire a token interactively to get access tokens for IMAP, POP and SMTP Auth. You can use Sign-in frequency, Stay signed in and refresh tokens to minimize the need to re-authenticate. For a pure server to server scenario the only option is trough MS Graph which is a more robust and secure solution than using legacy protocols. That being said, provided a careful approach to security is kept, nothing prevents you from building a daemon application that stores user credentials (Managed Identities and Key Vault can be used to secure their management) which in tandem with the ROPC can be used to acquire user access tokens that allow the aforementioned legacy protocols to be used.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

Ahrshia Rezai 21 Reputation points

2022-06-13T20:54:23.67+00:00

Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA ,

Thank you for the response and sorry for taking so long to reply. Using ROPC does work but I have a question about the request, the documentation page had tenant ID as being a required param in this grant, however when using the postman web app on the same site to run the request it does not require or even mention this param. It looks organization in the URL can be replaced by tenant ID and give a valid token. Just wondering if you have any thoughts on this? Should tenant ID be used all the time or is using "organizations" in the url path fine?

One more thing, in terms of the token, is it fine to keep request a new token every time my application runs? Or should i try to save the token somewhere and reuse until it expires? The app at times can run at 5 minute increments and turns off when complete so just wondering if there was any penalty for repeatedly asking for a new token instead of saving the key and reusing it.

Thanks
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,521 Reputation points Moderator

2022-06-14T02:18:47.617+00:00

Hello @Ahrshia Rezai , you can use organizations which will enable multi-tenant authentication. To keep access limited to a single tenant you must use a tenant Id in the token request. Token caching is recommended to reduce number of requests and increase application speed. You can use the Microsoft authentication library for Java which includes token caching out of the box. There's no documented penalty but in case you send an un-healthy number of requests they may get throttled.
Biji 26 Reputation points

2022-12-23T16:59:22.33+00:00
Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA We have a Java Spring application having a scheduled job that read mails from outlook inbox and complete the process based on the content of mail. Currently application uses IMAP basic authentication. Since IMAP basic authentication is getting deprecated we are working on a solution to implement IMPA OAuth2 protocol.

As a first step, we completed the application registration in AzureAD.We have done necessary configuration in Microsoft365. Below is the API Permission scope we setup

Microsoft Graph
IMAP.AccessAsUser.All
mail.ReadWrite
User.Read
Office365 Exchange online
full_access_as_app
IMAP.AccessAsApp
mail.Read
mail.ReadWrite
mail.send

We have verified office 365 and Azure AD settings with PowerShell command and its working fine and able to get the token created successfully. We have verified the token with jwt.ms . We had connect with Microsoft support team verified all configurations from their side as well.

But we are not able to connect to the IMAP store and getting the below error at this line (store.connect(host,userEmailId, oauth2AccessToken);) We have the Administrator of the office365 account running a PowerShell script on the Exchange as per the suggestion provided in one of the forum , but still the issue persist.

javax.mail.AuthenticationFailedException: AUTHENTICATE failed.

Please advice any specific configuration or setup is required to connect to IMAP store and read the mail.
James Sconfitto 20 Reputation points

2023-03-23T20:20:38.7533333+00:00

Is this answer still accurate? I'm hoping to avoid ROPC or storing user credentials: https://learn.microsoft.com/en-us/answers/questions/1192646/how-to-enable-imap-access-via-oauth-for-applicatio.

MS Graph doesn't allow access to mailboxes without interactive sign-ins (e.g. I get errors when requesting emails through the "/me" route saying that non-interactive flows aren't allowed).
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,521 Reputation points Moderator

2023-03-24T01:12:11.3666667+00:00

Biji sorry for the late response. Do you still need help with this? Can you share your code?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,521 Reputation points Moderator

2023-03-24T01:13:39.74+00:00

James, you can do interactive (non ROPC) authentication or client credentials (app AuthN).

Share via

How to authenticate a backend Java IMAP Application using OAuth 2.0

0 additional answers

Your answer