Office 365 - MailKit - OAuth2 + SMTP/IMAP Authentication

Captions
Hi, welcome to this new video about authenticating with OAuth2 in IMAP and in SMTP against Office 365. I've got a request to make an example with SMTP and not only with IMAP, but I can assure you that the flow is always the same. Just to make everything a little bit clearer I've created a small application that can explain everything in a really, really clear way.

Let's start with the simplest credential flow: it's the client credential flow, and it's a simple way to authenticate against an identity provider, in this case Microsoft Office 365 or any Microsoft account, using only a client ID of your application and a secret. So I have already created an application in my Azure account bound to an Office 365 account, and under Authentication I've put all the redirect URLs. I have created the API permissions, and these are all the API permissions you need: IMAP.AccessAsUser.All, offline_access to keep access, openid, SMTP.Send (and this is important if you want to send email as a user), IMAP.AccessAsApp, which will perform the client credential authentication and be able to impersonate a user as you saw in a previous video, and Mail.Send.

So I have my application up and running and I can test simply by testing authentication with IMAP with the client credential flow. I am already logged in in this browser with an account on a test tenant and I can generate the IMAP client credential flow, and what happened is I am already authenticated and everything is okay. If you look at the console application in ASP.NET Core I indeed have authentication, and that's exactly how I've done it in the previous example, but in this new example I've made a more useful example, because I've tested it and so the result of accessing IMAP with SASL OAuth for this address is "IMAP login: okay", and then I've done the request for the token. So what happened behind the scenes is I've called this URL with a POST, and these are the parameters I've specified in the POST: a client secret, that is hidden, and the client ID. Those two parameters are the only two parameters needed for authenticating the user, and these are the scopes: I want only https://outlook.office365.com/.default, and that is described in my blog and that's described in the official Microsoft link that documents the whole process. And the grant type is client_credentials, meaning that it's a single request and the server answers with the token. I have no refresh token, I have no ID token, I have only my access token, and with the access token I've created the SASL OAuth2 token to authenticate with IMAP, and everything is okay.

Sadly enough I cannot use the very same code to access SMTP. So as an example I'm trying to do the very same thing on SMTP: I am logged in, I'm simply requesting a token and I'm trying to authenticate with SMTP against my Office 365. As you can see it needs more time and it will end with an error, and the error happens because if you read the documentation it exactly tells you: as per current test, with SMTP, OAuth 2.0 client credential flow with non-interactive sign-in is not supported. So the problem is it is not supposed to work, and that is because there is no need to have this kind of flow, because, you know, basic authentication will not be deprecated as for IMAP, so you can continue to use SMTP with basic auth, so there is no need to support client authentication. So you cannot use this kind of OAuth flow: you can use the client credentials flow only for IMAP as you saw in the previous video, but you can use the code flow to use IMAP and SMTP.

And which is the advantage? The advantage is you can generate a link, okay, and that's the link I've made in this page, "debug login link". It's the very same link you saw up there but I've dissected it with all the parameters: so this is response_type=code, this is the code challenge flow in which I ask for a lot of scopes, openid, email, offline_access (and this is important because it will allow me to refresh the token for a long time, one or two years, I don't remember exactly), access_type=offline, and that's important, and state, code_challenge, and this is a standard OAuth flow. So this is the dissection of this login link. Every user can click this login, and since I'm already logged in with a user, what happened is my identity provider, so Office 365, answers redirecting to this URL, and this URL contains a code. I can use this URL to finally make a request to the token endpoint with grant_type=authorization_code, specifying the original code that the IdP sent me, my code_verifier (that is PKCE, Proof Key for Code Exchange protection), the client ID and the client secret, and this time I got an access token, I got an ID token and I got a refresh token. And it's important because these are pretty much valid JWT tokens that identify a user, so you can generate this link in your application and each user can click this link and give your application the right to access their email.

So now that I've generated a token and I have it in memory I can test IMAP. I press "test IMAP", I have a breakpoint, but the result is okay: result of accessing IMAP with SASL OAuth for alcamper blah blah blah, it's okay. So the software uses the ID token to understand which is the email of the user the generated token belongs to, and then uses this email as well as the access token to generate a SASL OAuth token to access the IMAP folder. So this is important because I have an example in production, an application where each user can click this link and give to my application the right to access their email, so I can store securely all these access tokens and refresh tokens and so I can continue accessing the email of the user, and if the user wants they can simply revoke the authorization to my application and now my application cannot access the email anymore. So that's the advantage of using OAuth.

Now for the interesting part: accessing SMTP with the code flow. So I want to be able to let users send email with my program, so you generate a code flow link as for the previous example, and this is the link that the user will click. The user is already logged in, and the difference from the previous examples is now I've used the JWT token and the helper class that helps me to parse the ID token, finding the email claim and understanding automatically from the token which is the email this token is connected to. So now I have a valid token for that user, so I can use that access token, as well as the refresh token if I need to refresh the token when the token is expired, to send email. Now I can test everything, telling my code to send mail with SMTP and the actual token I have in memory. If I press the button I simply grab the model and its in-memory token (I've not stored it in any database; if you need to, you need to store it securely in some database), and now I have a "try send test email". It's a very simple routine because the routine is absolutely equal to the IMAP one: you create a SASL mechanism OAuth2 with the from address, and the from address is taken directly from the ID token, and the access token. Now I create an instance of the MailKit SMTP client and then I can connect against smtp.office365.com on port 587 with the SecureSocketOptions, okay. And now I can authenticate async, and if everything is okay the code continues and so I can create my message and send the message. So I can just press continue and it tells me okay, mail sent. I can go to my email address and here is the email.

So to recap, even with SMTP you can use the very same technique you use with IMAP, and I'll show you again: you generate a link, and this is how the link is generated, it's a standard link to authenticate with OAuth2 and the code flow. When the user clicks the link they get redirected to the real identity provider; if the user is already logged in it automatically returns with an authentication with a code that your software should use for doing another POST request, server to server, against the token endpoint to grab a token, and once you have a token you can create a simple SASL OAuth2 token that can be used to simply send the email. So at the end of the example you can generate this link for a lot of users, so your program can securely store a lot of tokens and can use those tokens to send email on behalf of the users, or with the very same token you can read the IMAP folder of those users. The important thing you need to keep in mind is always use the right scopes: this is the scope for SMTP, https://outlook.office.com/SMTP.Send, and this is https://outlook.office.com/IMAP.AccessAsUser.All, it's for IMAP, and remember you need to have these two permissions set on the API permissions of your application in your Azure portal, and now everything works like a charm. I hope this video was useful to you as the previous one.
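The procedure described in the video, written out as an added C# example; this is not the code from the video or from the MailKit project. It redeems the authorization code (with the PKCE code_verifier and the client secret) at the v2.0 token endpoint, reads the user's address from the id_token, and then authenticates MailKit's SmtpClient and ImapClient with the same SaslMechanismOAuth2. TenantId, ClientId, ClientSecret, RedirectUri, and the code/code_verifier inputs are placeholders; the socket options (StartTls on 587, SslOnConnect on 993) and the fallback to the preferred_username claim are my assumptions, not stated in the video.

```csharp
// Added example (not the video's own code): authorization-code + PKCE token redemption
// and MailKit SASL XOAUTH2 authentication against Office 365 for SMTP and IMAP.
// Placeholders (not from the video): TenantId, ClientId, ClientSecret, RedirectUri,
// and the authorization code / code_verifier produced by the user's login.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;   // NuGet: System.IdentityModel.Tokens.Jwt
using System.Linq;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using MailKit;
using MailKit.Net.Imap;
using MailKit.Net.Smtp;
using MailKit.Security;
using MimeKit;

public static class Office365OAuthMail
{
    const string TenantId = "<tenant-id>";
    const string ClientId = "<application-client-id>";
    const string ClientSecret = "<client-secret>";   // load from a secret store, never from source
    const string RedirectUri = "https://localhost/oauth/callback";

    // Delegated scopes named in the video: offline_access yields the refresh token,
    // openid/email make the IdP return an id_token carrying the user's email.
    static readonly string[] Scopes =
    {
        "openid", "email", "offline_access",
        "https://outlook.office.com/IMAP.AccessAsUser.All",
        "https://outlook.office.com/SMTP.Send",
    };

    public sealed record TokenSet(string AccessToken, string IdToken, string? RefreshToken);

    // Server-to-server POST to the token endpoint with the code taken from the redirect URL.
    public static async Task<TokenSet> RedeemAuthorizationCodeAsync(string code, string codeVerifier)
    {
        var form = new Dictionary<string, string>
        {
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret,
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = RedirectUri,
            ["code_verifier"] = codeVerifier,      // PKCE: proves this client started the login
            ["scope"] = string.Join(' ', Scopes),
        };
        using var http = new HttpClient();
        using var resp = await http.PostAsync(
            $"https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token",
            new FormUrlEncodedContent(form));
        resp.EnsureSuccessStatusCode();
        using var json = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        var root = json.RootElement;
        return new TokenSet(
            root.GetProperty("access_token").GetString()!,
            root.GetProperty("id_token").GetString()!,
            root.TryGetProperty("refresh_token", out var rt) ? rt.GetString() : null);
    }

    // As in the video, the mailbox address comes from the id_token, not from user input.
    // The token arrived directly from the token endpoint over TLS, so it is only parsed here;
    // validate the signature if it ever passes through an untrusted hop.
    public static string EmailFromIdToken(string idToken)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(idToken);
        return jwt.Claims.First(c => c.Type == "email" || c.Type == "preferred_username").Value;
    }

    // SMTP: the same SASL mechanism as IMAP, only host, port and socket option differ.
    public static async Task SendAsync(TokenSet tokens, string to, string subject, string body)
    {
        var from = EmailFromIdToken(tokens.IdToken);
        var message = new MimeMessage();
        message.From.Add(MailboxAddress.Parse(from));
        message.To.Add(MailboxAddress.Parse(to));
        message.Subject = subject;
        message.Body = new TextPart("plain") { Text = body };

        using var smtp = new SmtpClient();
        await smtp.ConnectAsync("smtp.office365.com", 587, SecureSocketOptions.StartTls);
        await smtp.AuthenticateAsync(new SaslMechanismOAuth2(from, tokens.AccessToken));
        await smtp.SendAsync(message);
        await smtp.DisconnectAsync(true);
    }

    // IMAP with the very same token set: returns the number of messages in the inbox.
    public static async Task<int> CountInboxAsync(TokenSet tokens)
    {
        var user = EmailFromIdToken(tokens.IdToken);
        using var imap = new ImapClient();
        await imap.ConnectAsync("outlook.office365.com", 993, SecureSocketOptions.SslOnConnect);
        await imap.AuthenticateAsync(new SaslMechanismOAuth2(user, tokens.AccessToken));
        await imap.Inbox.OpenAsync(FolderAccess.ReadOnly);
        int count = imap.Inbox.Count;
        await imap.DisconnectAsync(true);
        return count;
    }
}
```

The client-credentials variant the video shows for IMAP differs only in the form body (grant_type=client_credentials, scope=https://outlook.office365.com/.default, no code or code_verifier) and in that the SASL user name is the mailbox being accessed rather than a claim from an id_token; as the video notes, Office 365 rejects that grant on SMTP, so a token obtained that way only works with the ImapClient path above.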
Info
Channel: CodeWrecks
Views: 27,705
Keywords: Office365, OAUTH2
Id: hOgvTDKKgnY
Length: 12min 14sec (734 seconds)
Published: Thu Sep 08 2022