How to connect to Office 365 with the IMAP protocol on behalf of a user, keeping offline access

Captions
So this example aims to solve this problem: I have an application that needs to monitor one or more IMAP Office 365 folders. The application has a web interface that is used to configure the application. A user, or more than one user, must be able to specify one or more emails to monitor, they should be able to give access to the application, and the application must be capable of accessing the IMAP folder even when the user is not connected. So this is the scenario. Without the need to use OAuth, this scenario can be solved by giving the application the email and the password associated with the email, but with OAuth, and with the new requirement from Microsoft to use OAuth, we need to change this method of access. So each user should be able to specify one email, then press a button and give the application access to that folder with IMAP, and we should be able to use MimeKit or other IMAP code, because we already use that and we don't want to use the Microsoft Graph API directly.

So this application is made to dissect all the steps you need to solve this scenario. It's a simple web application test. If you start the web application test, it starts and gives you a Swagger page where you can look at three methods that will solve this scenario. One of the most important is the get token, because the get token is the API method that will be used to access and get the token for the application.

So, first step: we need to create the application. I am now in the Azure portal; this is the Azure account that backs the Office 365 account, and this is a test account. I'm starting: go to Azure, type "Active Directory", "App registrations", and I start with a new registration. I call the application test1; this is not important. It is fine for me that this application can be used only by accounts in this organizational directory, and I want to access it with the web platform, and I need to specify the URL that will be used to get the token, so it's my localhost:7044, and then, if you look at Swagger, it's the OAuth get token. So don't be worried, you can change this later, and I'm registering the application. This immediately gives an application ID that I can copy: go to the example and copy it into the client ID in the appsettings JSON. Then I can also copy the directory (tenant) ID, which I use to create the URL to access the server. Finally I can come back and open "Certificates & secrets", create a new secret, give it a name, and you can add the secret, and now you can simply copy the value. Remember, you need to copy it right now, because if you navigate away from this page the secret will disappear. I include the secret there and I save the file.

Now everything is ready, but I still need to give some permissions to the API. So first of all I need to add the permission: Microsoft Graph, delegated permission, and I'm looking for an IMAP permission, and this is the permission that allows access as user. So this permission allows me read and write access to the mailbox using a token of the user, so this is the permission I need to be delegated to access an IMAP folder. And here you can make the first mistake, because you also need to add another permission that is called offline access, because if you want to be able to still access the IMAP folder even when the user is not logged in to your application, you need to use this claim, because this is the claim that allows the application to maintain access to data that the user has given it access to. If you don't use this scope, you need the user to be logged in and to perform the login each time you want to access the mail. So this is a possible mistake in configuration, and that's all for the configuration of the app.

To create the application, everything you really need is these docs by Microsoft, but the main problem is that this documentation, which is quite complete, has no working code. So I've made several attempts and I got there in the end. So first of all you need to read this article really with a lot of attention. I've shown you how to register your application, and that's the first part. Then you can use the "get access token" section, where Microsoft suggests using the Microsoft Authentication Library client library. I had problems with the library, primarily because I want to be able to specify the scope and I want to have full control over the OAuth process. So the article specifies that you can use all the OAuth flows, and it's really important that you check the scope that you need to use, because I found examples on the internet where the example uses the wrong scope.

So in my example I've created a simple class to do the whole OAuth process. It's not complex, it's an OAuth client; it's simply used to create the request for the OAuth login. The first part I want to show you is the trigger login: this is the method that will generate the URL to log in the user, and it's the first part for obtaining the access token. This is the very important thing, it's the point where you can make mistakes: you need to use the code flow. This is my example, a code flow with openid and offline_access. Offline access is important because the application should be able to keep access to the IMAP folder after the user has granted consent, and this is the very, very important claim; it is the same claim the Microsoft article specifies, and if you don't specify this claim it's not going to work.

Now, when the application is running, I can go to this trigger login page. In a real situation, in a real application, this is a link, and this link automatically redirects you to the login page to start the OAuth procedure, the code flow. In this example I want to show every step, so I want to generate the link and let the user look at the link, and this is the important part: the scope is openid, offline_access and the scope for access as user. So that's important; this allows me to verify that the link is okay. All the other parts are standard for an OAuth login. Now I'm going to sign in to my application. I'm already signed in to my application, and if this is the first time you are logged into this application it will ask you for consent, but I've already tested the application so it does not ask me for consent. Now I'm redirected to the get token, where the code is simply using the code and the state returned in the query string to create the request that will be made to the OAuth token endpoint to obtain a valid authentication token. Now I'm saving this token in memory; it's simply saved in memory, and I'm returning it to the user, and this gives me the ability to look at the token returned.

So first of all, the token has a short expiry: it's one hour and a half, a couple of hours maximum, so this token will expire soon. But since I used the offline_access scope I also obtained a refresh token that will last for, I don't remember exactly, but one or two years. This means that after one hour and a half this token is not valid anymore, but the application can use the refresh token to obtain a new token and continue to have access to your IMAP folder. So the requirement that the user should be able to authorize my application, which is what I've done now, and that the application is then able to continue using the token even if the user is not logged in, is satisfied.

Now the last part: I need to verify that the access token is indeed valid to access my IMAP folder, so I have another endpoint where I use MimeKit to try and access my folders. So I copy this address; this is the address used to call my application, specifying the email I want to access. Okay, so the first part: it is very important that you check the expiration. If the token is about to expire, or has expired because it's not valid anymore, we need to refresh the token, and refreshing the token is really simple, because my application generates another request where I simply call the token endpoint, specify my refresh token and my last token, and ask for a new token. In this example the token is still valid because I generated it a few minutes ago, but in the real client this is needed because when the token is expired you need to refresh. So for now this code is not called, but this is very important; this is another part where you can get it wrong, because you can get a token that lasts for one hour and a half, and after that time you're not able to access your IMAP folder anymore, so you wonder how you can have access that is going to last for years. That's the reason you need to specify the offline access and implement the refresh token.

Now I simply use the SASL mechanism, and this is the class in MimeKit that allows me to specify an email address and access with the access token. The email address is necessary because the access token identifies a user in Office 365, but this user can access more than one email, there can be shared emails, so it's important that you specify the email address. Now I have the new client, it's the new ImapClient, and I can ConnectAsync, and the important part is the AuthenticateAsync: if this call fails there is a problem; if this call succeeds it will give you access to your folder. Okay, the call passed, I was able to authenticate my user with my access token, so I now try some simple code to query a folder and try to find all the UIDs, all the message IDs, that are not read. So I'm indeed getting data.

For a final example, if you come back to the Microsoft documentation, it specifies how you can create the SASL token to access your IMAP folder: you need to compose a string and then encode it in base64. It's very, very important that you understand that this piece of the string, the caret followed by an A (^A), is in reality a byte with the value one. So I've reimplemented this in code. It's really simple: I use a MemoryStream and a BinaryWriter, then it's important that you use ASCII encoding. I encode the "user=" part, then the email address part, then the byte one, then the "auth=Bearer" and the space, then my access token, and a couple of bytes with the value one, and I'm returning everything to the user. This is the raw byte sequence of the OAuth string, and this is the base64-encoded string. Why am I returning this? Because you can use this string to understand whether you're able to connect not only with MimeKit, but whether you can connect directly with another IMAP client or with a direct connection.

So I want to be able to use this token, and I'm copying this token into a direct connection, so I need a Linux machine and OpenSSL. So here we are: I opened a WSL2 terminal, so I'm now in a Debian Linux machine where I have OpenSSL configured, and I can use openssl in client mode to connect to IMAP. This is the IMAP port of outlook.office365.com. This is similar to telnet: it starts a connection, but thanks to OpenSSL it will handle all the TLS handshaking, so I can use it like telnet. The application is answering me, it is indeed OK, the Microsoft Exchange IMAP4 service is ready. So I can start issuing commands in IMAP. A command starts with the ID of the command, which can be a number, and then the command. CAPABILITY is usually the first command: it asks the server what the capabilities of the server are, and the server indeed confirms to me that AUTH=XOAUTH2 is supported. So I issue the second command, which is AUTHENTICATE XOAUTH2 followed by my token. I press return and: OK, AUTHENTICATE completed. This verifies that the token I've generated is able to access my IMAP folder.

Now, to complete the example, you can simply wait a couple of hours, go away, come back to your computer and try to get this URL again, and verify that the second time you will have an expired token, so you will go into this part of the code: the token is refreshed, you obtain a new token and you are still able to access your IMAP folder. So my original requirements were met: I have the application that can use IMAP to monitor Office 365 folders, this application has a web interface to configure it, I can generate the link to let the user give access to the application, and then with the offline_access scope I'm able to let the application access my email even if the user is not logged in anymore. And that completes the example.
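The XOAUTH2 string the video assembles with a MemoryStream and BinaryWriter (the "^A" separators being the byte 0x01), plus the expiry check that decides when the refresh token must be used, as an added example that is not the video's code: Python rather than the C#/MimeKit shown in the video, with constructed sample values and a parser so a string can be checked before it is pasted into an openssl s_client session.

```python
import base64
import time

# Constructed sample values (not real credentials), used only to demo the helpers.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_TOKEN = "eyJ0eXAiOiJKV1QifQ.constructed.sample"
CTRL_A = b"\x01"  # the "^A" in the Microsoft docs is the byte 0x01, not the text "^A"


def build_xoauth2(email: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 client response: user=<email>^Aauth=Bearer <token>^A^A.
    Everything is ASCII-encoded, exactly as the video does with BinaryWriter."""
    return (b"user=" + email.encode("ascii") + CTRL_A
            + b"auth=Bearer " + access_token.encode("ascii") + CTRL_A + CTRL_A)


def xoauth2_base64(email: str, access_token: str) -> str:
    """Base64 form: the argument given after 'a2 AUTHENTICATE XOAUTH2' in openssl s_client."""
    return base64.b64encode(build_xoauth2(email, access_token)).decode("ascii")


def parse_xoauth2(raw: bytes) -> dict:
    """Inverse of build_xoauth2; rejects strings that do not end with the two 0x01 bytes."""
    if not raw.endswith(CTRL_A + CTRL_A):
        raise ValueError("XOAUTH2 string must end with 0x01 0x01")
    user_field, auth_field = raw[:-2].split(CTRL_A)
    if not (user_field.startswith(b"user=") and auth_field.startswith(b"auth=Bearer ")):
        raise ValueError("not a user=/auth=Bearer pair")
    return {"email": user_field[len(b"user="):].decode("ascii"),
            "token": auth_field[len(b"auth=Bearer "):].decode("ascii")}


def token_needs_refresh(obtained_at: float, expires_in: int, now=None, skew: int = 300) -> bool:
    """True when the access token (expires_in seconds from the token response) has expired
    or is within `skew` seconds of expiring; the refresh token is then used to get a new one."""
    now = time.time() if now is None else now
    return now >= obtained_at + expires_in - skew


def refresh_request_body(client_id: str, client_secret: str, refresh_token: str, scope: str) -> dict:
    """Form fields for the refresh_token grant posted to the tenant's OAuth token endpoint."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token, "scope": scope}


if __name__ == "__main__":
    print(xoauth2_base64(SAMPLE_EMAIL, SAMPLE_TOKEN))
```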
Info
Channel: CodeWrecks
Views: 18,874
Keywords: OAuth, IMAP, Office365
Id: Q660AYVZM0Y
Length: 16min 39sec (999 seconds)
Published: Thu Aug 04 2022