Package: evolution-ews
Version: 3.30.5-1
Severity: important
Tags: patch

Dear Maintainer,

The OAuth2 module of evolution-ews sends an optional "scope" parameter
in its HTTP request that causes Office365 AD to reject the authentication
request with an error like:

   error:invalid_request description:AADSTS65002:
   Consent between first party applications and resources must be
   configured via preauthorization.

The "scope" parameter is listed as ignored in the upstream
documentation, and it has been confirmed by multiple users that
removing it from the request does not cause any issue, and fixes this
problem.

A very simple fix has been merged in the upstream branch and has also
been backported to the 3.32 branch:

https://gitlab.gnome.org/GNOME/evolution-ews/commit/8dafe925c30e2a2bc53578076eb5710b18eedd42

I have opened a merge request on Salsa with a backport:

https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/1

It would be really great if an exception for Buster could be asked, and
a 3.30.5-2 could be allowed, as it's impossible to use evolution with
O365 as things stand. I'm very happy to do the legwork and the
paperwork if necessary. The attached patch applies and builds cleanly
on 3.30.5-1.

Thank you!

-- 
Kind regards,
Luca Boccassi
From 354baf8117ffb8dff80ce336e6acc265a4f544d8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <[email protected]>
Date: Tue, 2 Apr 2019 17:36:42 +0100
Subject: [PATCH] Backport patch to fix Office365 with OAuth2

---
 ...s-scope-parameter-in-OAuth2-requests.patch | 48 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 debian/patches/0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch
 create mode 100644 debian/patches/series

diff --git a/debian/patches/0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch b/debian/patches/0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch
new file mode 100644
index 00000000..f321bbe2
--- /dev/null
+++ b/debian/patches/0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch
@@ -0,0 +1,48 @@
+Author: Luca Boccassi <[email protected]>
+Description: do not pass 'scope' parameter in OAuth2 requests on outlook.office365.com server
+ It is optional and can cause errors like:
+   error:invalid_request description:AADSTS65002:
+   Consent between first party applications and resources must be
+   configured via preauthorization.
+Origin: https://gitlab.gnome.org/GNOME/evolution-ews/merge_requests/1
+Applied-upstream: https://gitlab.gnome.org/GNOME/evolution-ews/commit/8dafe925c30e2a2bc53578076eb5710b18eedd42
+--- a/src/server/e-oauth2-service-office365.c
++++ b/src/server/e-oauth2-service-office365.c
+@@ -30,21 +30,6 @@
+ 
+ #define OFFICE365_RESOURCE "https://outlook.office.com";
+ 
+-#define OFFICE365_SCOPE "openid offline_access profile " \
+-	"Mail.ReadWrite " \
+-	"Mail.ReadWrite.Shared " \
+-	"Mail.Send " \
+-	"Mail.Send.Shared " \
+-	"Calendars.ReadWrite " \
+-	"Calendars.ReadWrite.Shared " \
+-	"Contacts.ReadWrite " \
+-	"Contacts.ReadWrite.Shared " \
+-	"Tasks.ReadWrite " \
+-	"Tasks.ReadWrite.Shared " \
+-	"MailboxSettings.ReadWrite " \
+-	"People.Read " \
+-	"User.ReadBasic.All"
+-
+ struct _EOAuth2ServiceOffice365Private
+ {
+ 	GMutex string_cache_lock;
+@@ -253,7 +238,6 @@
+ 
+ 	e_oauth2_service_util_set_to_form (uri_query, "response_mode", "query");
+ 	e_oauth2_service_util_set_to_form (uri_query, "prompt", "login");
+-	e_oauth2_service_util_set_to_form (uri_query, "scope", OFFICE365_SCOPE);
+ 	e_oauth2_service_util_set_to_form (uri_query, "resource", OFFICE365_RESOURCE);
+ }
+ 
+@@ -321,7 +305,6 @@
+ {
+ 	g_return_if_fail (form != NULL);
+ 
+-	e_oauth2_service_util_set_to_form (form, "scope", OFFICE365_SCOPE);
+ 	e_oauth2_service_util_set_to_form (form, "resource", OFFICE365_RESOURCE);
+ 	e_oauth2_service_util_set_to_form (form, "redirect_uri", e_oauth2_service_get_redirect_uri (service, source));
+ }
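Review bot: the DEP-3 header in this hunk records the error text but not why dropping the whole OFFICE365_SCOPE list is safe; since the cover letter says the upstream documentation lists "scope" as ignored when "resource" is sent, a line in the Description such as "The endpoint ignores scope when resource is given, so the permissions granted to the token are unchanged and come from the app registration" would spare a later maintainer from wondering whether the patch narrows or widens what the token can do. Two smaller points on the same header: DEP-3 expects a category on Origin (`Origin: backport, https://gitlab.gnome.org/GNOME/evolution-ews/merge_requests/1`), and a `Bug-Debian:` field pointing at this report would tie the patch to its rationale. Finally, the unchanged context line `#define OFFICE365_RESOURCE "https://outlook.office.com";` carries a trailing semicolon that would break the `e_oauth2_service_util_set_to_form (..., OFFICE365_RESOURCE)` calls that remain in both hunks if it were really in the source; given the cover letter says the patch applies and builds cleanly, this is most likely a transcription artifact of the mail archive, but it is worth checking the file on disk before upload.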
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..54d9cbd7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch
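Review bot: `debian/patches/series` is created here rather than modified, so the package previously carried no quilt patches; confirm that `debian/source/format` is `3.0 (quilt)` so the new series file is actually applied at build time, otherwise the backport would silently be a no-op. With that verified, a single entry naming the DEP-3 patch above is the correct content for the file.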
-- 
2.20.1
