Re: [S-mailx] OAuth, and Microsoft, and this little MUA
On Mon, 17 Apr 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:

> I fixed that, and for me the Microsoft stuff works again completely.
> (They however strip "offline_access" from it, and we faithfully take
> what they give us iirc.) I am only a lonely user and what do i know
> of your setup.

For info again: I don't know whether you thought this change might enable me to authorize with your client id. It doesn't. (But, as we keep saying, I don't need to.)

Stephen Isard
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello John,

(you are subscribed with your bigpond.com address, but i have set this one free to post)

jwadod...@gmail.com wrote in
 <13ae2e249b4e8934ef720f31fc451ce5800048b1.ca...@gmail.com>:
|Not sure if this is relevant, but I recently had trouble with the gnome
|google auth & found that,
|
| /usr/libexec/goa-daemon --replace
|
|fixed the immediate problem.

I for myself hope i never have to use a full desktop environment (again). And can stay without systemd. I really love to live on the command line. goa-daemon i do not know yet, does not exist on CRUX Linux .. oh, it does exist on AlpineLinux, but if i look at its dependencies i am a bit troubled i must say. Not for me.

The thing with that email OAuth is that Microsoft produced that RFC in 2012, but sometime after October last year they changed their own implementation to be well why not say incompatible; i had to read the entire 76 pages again to be very sure, however. Google and Yandex worked just fine in October, and in March. But for me personally this is only very occasional email usage, you know.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Not sure if this is relevant, but I recently had trouble with the gnome google auth & found that,

 /usr/libexec/goa-daemon --replace

fixed the immediate problem.

Cheers
John

On Sun, 2023-04-16 at 19:24 -0400, Stephen Isard wrote:
> On Sun, 16 Apr 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
>
> > Stephen Isard wrote in
> > <10085-1681666242-947...@sneakemail.com>:
> > > I still get a message saying I need admin approval when I try to
> > > authorize with your client id. I think it must be a decision by the
> >
> > With the new script, aka after replacing the tenant=ID with
> > tenant=common in the configuration, and refreshing it?
>
> With the new script and starting with an empty resourcefile
>
> > ...
> > Hmmm, Alpine has a client_secret, whereas we have not; we only
> > have an application/client ID, and Object ID, and
> > a Directory/tenant ID, but which must not be used for real.
> > I have not set a client secret, likely because that has a maximum
> > lifetime, as i see (again).
>
> Well, alpine has asked me to reauthorize a couple of times since it has
> started using oauth. I can't recall the intervals exactly, but several
> months at least.
>
> Stephen Isard
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Stephen Isard wrote in
 <21561-1681760808-258...@sneakemail.com>:
|On Mon, 17 Apr 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
|> But client_secret is definitely not freely inventable by users,
|> but if available is linked to the application.
|> Alpine .. seems to have added an Outlook client_secret on
|> 2020-07-09 with 0f89ad88df81df9d2ca7eafa276fecf8206fb598, and did
|> not have one before. Maybe with paying or something you can
|> choose a longer validity than 30 months? It passed the 30 months
|> by now, that much is plain.
|
|The interval between alpine reauthorizations has definitely been less
|than 30 months. More like 6, although I haven't tried to keep track.
|It's infrequent enough, and easy enough to do, that it isn't a problem.
|
|> you are the only person i know who sits
|> "in some special department" that causes additional access checks
|> to kick in. And lucky that your own configuration works.
|
|Yes, I'm ok and not asking you to do anything for my sake at this point.
|I only replied to your message "for information".

Thank you Stephen.

Please wait ...

Ok, so i tried with Microsoft, and why oauth-helper.py loses the refresh_token, but not the access_token. It turns out that Microsoft change their policy, and, even though totally out-of-standard RFC 6749, they now require the "scope" to be passed around always.

I fixed that, and for me the Microsoft stuff works again completely. (They however strip "offline_access" from it, and we faithfully take what they give us iirc.) I am only a lonely user and what do i know of your setup.

On the other hand bandwidth is now totally borked, and with 64kbit none of the giants work today, so OAuth login is almost impossible.

I hope it works. Ciao.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
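Added example, not code from oauth-helper.py or from anyone in this thread: a Python sketch of the refresh request discussed in the message above, sending "scope" with every refresh_token grant and keeping the stored refresh_token when the response omits one. The function names, configuration keys, the NeedsAuthorize exception and the placeholder client ID are assumptions; the scope URLs are the ones quoted in the thread.

```python
import time
from urllib.parse import urlencode

# Scope URLs as quoted in the thread; offline_access is the scope that asks
# the v2.0 endpoint for a refresh_token.
SCOPES = ("https://outlook.office.com/IMAP.AccessAsUser.All "
          "https://outlook.office.com/POP.AccessAsUser.All "
          "https://outlook.office.com/SMTP.Send offline_access")


class NeedsAuthorize(Exception):
    """The stored refresh_token is unusable; run the interactive flow again."""


def token_endpoint(tenant="common"):
    # "common" admits accounts from any directory and personal accounts;
    # a tenant ID restricts sign-in to that one directory.
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_refresh_request(cfg):
    """Return (url, form_body) for an RFC 6749 section 6 refresh_token grant."""
    if not cfg.get("refresh_token"):
        raise NeedsAuthorize("no refresh_token stored")
    fields = {
        "grant_type": "refresh_token",
        "client_id": cfg["client_id"],
        "refresh_token": cfg["refresh_token"],
        # Optional in RFC 6749; always sent here because the thread reports
        # that Microsoft now expects it.
        "scope": cfg["scope"],
    }
    if cfg.get("client_secret"):  # public clients have none
        fields["client_secret"] = cfg["client_secret"]
    return token_endpoint(cfg.get("tenant", "common")), urlencode(fields)


def merge_token_response(cfg, resp, now=None):
    """Fold a token-endpoint JSON response into a copy of the stored config."""
    if "error" in resp:
        if resp["error"] == "invalid_grant":  # expired or revoked refresh_token
            raise NeedsAuthorize(resp.get("error_description", "invalid_grant"))
        raise RuntimeError(f"token endpoint error: {resp['error']}")
    new = dict(cfg)
    new["access_token"] = resp["access_token"]
    issued = int(time.time() if now is None else now)
    new["expires_at"] = issued + int(resp.get("expires_in", 0))
    # The server MAY rotate the refresh_token; if it sends none, keep the old one.
    if resp.get("refresh_token"):
        new["refresh_token"] = resp["refresh_token"]
    # Design choice of this example: record what was granted separately, so the
    # requested scope (with offline_access) is sent unchanged on the next refresh.
    if "scope" in resp:
        new["granted_scope"] = resp["scope"]
    return new


if __name__ == "__main__":
    cfg = {"client_id": "00000000-0000-0000-0000-000000000000",  # placeholder
           "tenant": "common", "refresh_token": "constructed-old-rt",
           "scope": SCOPES}
    url, body = build_refresh_request(cfg)
    print("POST", url)
    print(body)
    # Constructed response: no refresh_token, offline_access stripped from scope.
    resp = {"access_token": "constructed-at", "expires_in": 3600,
            "scope": SCOPES.replace(" offline_access", "")}
    print(merge_token_response(cfg, resp, now=0))
```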
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
On Mon, 17 Apr 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:

> But client_secret is definitely not freely inventable by users,
> but if available is linked to the application.
> Alpine .. seems to have added an Outlook client_secret on
> 2020-07-09 with 0f89ad88df81df9d2ca7eafa276fecf8206fb598, and did
> not have one before. Maybe with paying or something you can
> choose a longer validity than 30 months? It passed the 30 months
> by now, that much is plain.

The interval between alpine reauthorizations has definitely been less than 30 months. More like 6, although I haven't tried to keep track. It's infrequent enough, and easy enough to do, that it isn't a problem.

> you are the only person i know who sits
> "in some special department" that causes additional access checks
> to kick in. And lucky that your own configuration works.

Yes, I'm ok and not asking you to do anything for my sake at this point. I only replied to your message "for information".

Stephen Isard
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello Stephen.

Stephen Isard wrote in
 <12083-1681687472-968...@sneakemail.com>:
|On Sun, 16 Apr 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
|> Stephen Isard wrote in
|> <10085-1681666242-947...@sneakemail.com>:
|>|I still get a message saying I need admin approval when I try to
|>|authorize with your client id. I think it must be a decision by the
|>
|> With the new script, aka after replacing the tenant=ID with
|> tenant=common in the configuration, and refreshing it?
|
|With the new script and starting with an empty resourcefile

Ok.

|...
|> Hmmm, Alpine has a client_secret, whereas we have not; we only
|> have an application/client ID, and Object ID, and
|> a Directory/tenant ID, but which must not be used for real.
|> I have not set a client secret, likely because that has a maximum
|> lifetime, as i see (again).
|
|Well, alpine has asked me to reauthorize a couple of times since it has
|started using oauth. I can't recall the intervals exactly, but several
|months at least.

They all do what they want about that --action=authorize. But client_secret is definitely not freely inventable by users, but if available is linked to the application. Alpine .. seems to have added an Outlook client_secret on 2020-07-09 with 0f89ad88df81df9d2ca7eafa276fecf8206fb598, and did not have one before. Maybe with paying or something you can choose a longer validity than 30 months? It passed the 30 months by now, that much is plain.

Well like i said, i am over my bandwidth limit until the 28th, and then i had to ask you *again* to do testing when we have a client secret, because it seems there is fine-grained access differentiation going on, the rules of which are surely documented somewhere, but you are the only person i know who sits "in some special department" that causes additional access checks to kick in. And lucky that your own configuration works.

(Mysterious that i think the Mozilla ID then does not require "administrator handwaving", even though it has tenant=common and no client_secret (that i know of).)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
On Sun, 16 Apr 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:

> Stephen Isard wrote in
> <10085-1681666242-947...@sneakemail.com>:
>|I still get a message saying I need admin approval when I try to
>|authorize with your client id. I think it must be a decision by the
>
> With the new script, aka after replacing the tenant=ID with
> tenant=common in the configuration, and refreshing it?

With the new script and starting with an empty resourcefile

> ...
> Hmmm, Alpine has a client_secret, whereas we have not; we only
> have an application/client ID, and Object ID, and
> a Directory/tenant ID, but which must not be used for real.
> I have not set a client secret, likely because that has a maximum
> lifetime, as i see (again).

Well, alpine has asked me to reauthorize a couple of times since it has started using oauth. I can't recall the intervals exactly, but several months at least.

Stephen Isard
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello Stephen.

Ha-ha on a Sunday .. but only shortly..

Stephen Isard wrote in
 <10085-1681666242-947...@sneakemail.com>:
|I still get a message saying I need admin approval when I try to
|authorize with your client id. I think it must be a decision by the

With the new script, aka after replacing the tenant=ID with tenant=common in the configuration, and refreshing it?

|organization that outsourced me to Microsoft, rather than Microsoft
|itself. Microsoft sends me to log in to my organization account and it
|is only after logging in that I get that message.
|
|As I've said, I am ok if I use the client id for s-nail that I created
|for myself while logged in on Microsoft Azure with my organization
|credentials.
|
|This all sounds like standard irritating organizational behaviour. The
|only puzzle is why I don't have similar problems authorizing alpine,
|another non-Microsoft mua.

That is the thing that i do not understand then, too. Hmmm, Alpine has a client_secret, whereas we have not; we only have an application/client ID, and Object ID, and a Directory/tenant ID, but which must not be used for real. I have not set a client secret, likely because that has a maximum lifetime, as i see (again).

I am totally out of bandwidth so playing around with browsers is risky until the 28th, and i want to release a new s-postgray on the 19th.. Great you have a working ID and still use this MUA sometimes!!

Ciao from Germany!!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello Steffen,

I still get a message saying I need admin approval when I try to authorize with your client id. I think it must be a decision by the organization that outsourced me to Microsoft, rather than Microsoft itself. Microsoft sends me to log in to my organization account and it is only after logging in that I get that message.

As I've said, I am ok if I use the client id for s-nail that I created for myself while logged in on Microsoft Azure with my organization credentials.

This all sounds like standard irritating organizational behaviour. The only puzzle is why I don't have similar problems authorizing alpine, another non-Microsoft mua.

Stephen Isard

On Sun, 16 Apr 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:

> Hello list, hello Stephen.
>
> A follow-up to this. As some may remember, the S-nail/s-mailx
> application stopped working via OAuth, that is, IMAP was possible,
> but sending via SMTP caused only failed authentications.
>
> It magically works again: i took part in a thread on mutt-dev@,
> and it was Ian Collier of Oxford University who dropped the word
> about "common instead of tenant ID". Now, whereas our
> oauth-helper.py script itself uses "tenant=common" for Microsoft,
> the registered S-nail (s-mailx) application instead uses the
> generated tenant ID, and it worked like that back in last October.
>
> Interestingly refresh_token is now totally missing, outlook.com
> only manages access_token .. currently. But hey -- it works!
>
> So i updated the manual in the script, and the S-nail/s-mailx
> config itself, to be downloaded at will from [1].
>
> Ciao from Germany, and a nice rest-Sunday!
>
> [1] https://git.sdaoden.eu/browse/s-toolbox.git/plain/oauth-helper.py
>
> Note: user "moon", password "mars", as in:
>
> $ curl -u moon:mars --basic -O https://git.sdaoden.eu/browse/s-toolbox.git/plain/oauth-helper.py
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello list, hello Stephen.

A follow-up to this. As some may remember, the S-nail/s-mailx application stopped working via OAuth, that is, IMAP was possible, but sending via SMTP caused only failed authentications.

It magically works again: i took part in a thread on mutt-dev@, and it was Ian Collier of Oxford University who dropped the word about "common instead of tenant ID". Now, whereas our oauth-helper.py script itself uses "tenant=common" for Microsoft, the registered S-nail (s-mailx) application instead uses the generated tenant ID, and it worked like that back in last October.

Interestingly refresh_token is now totally missing, outlook.com only manages access_token .. currently. But hey -- it works!

So i updated the manual in the script, and the S-nail/s-mailx config itself, to be downloaded at will from [1].

Ciao from Germany, and a nice rest-Sunday!

[1] https://git.sdaoden.eu/browse/s-toolbox.git/plain/oauth-helper.py

Note: user "moon", password "mars", as in:

  $ curl -u moon:mars --basic -O https://git.sdaoden.eu/browse/s-toolbox.git/plain/oauth-helper.py

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
On Thu, 16 Mar 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:

>|On the remote machine that I am testing with, I have to set 'from' to my
>|login name at the organization. If I set it to my email address at the
>|organization, which is different, I get an error message. Could that be
>|the same problem that you are having?
>
> No. IMAP is ok

Sorry, I wasn't being clear. IMAP was ok for me as well. I only got the error message when trying to use SMTP with the "wrong" from setting.

Stephen Isard
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello Stephen.

Stephen Isard wrote in
 <14350-1678979414-364...@sneakemail.com>:
|On Thu, 16 Mar 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
|> (The instructions are included in oauth-helper.py via action=manual
|> provider=Microsoft. And oh i see -- this should not be enabled by
|> default, maybe someone misused that ID for bad things, and now
|> Microsoft has disabled? But .. i can login via IMAP, POP3
|> protocols does not exist anyhow, and SMTP is rejected with
|> unauthorized.)
|
|On the remote machine that I am testing with, I have to set 'from' to my
|login name at the organization. If I set it to my email address at the
|organization, which is different, I get an error message. Could that be
|the same problem that you are having?

No. IMAP is ok

  s-nail: >>> SERVER: T2 OK AUTHENTICATE completed.

POP3 is non-existent

  s-nail: >>> SERVER: -ERR Protocol error. Connection is closed. 10

SMTP cannot be used

  s-nail: >>> SERVER: 535 5.7.3 Authentication unsuccessful [FR2P281CA0126.DEUP281.PROD.OUTLOOK.COM 2023-03-16T21:53:47.593Z 08DB25FCA979DAD0]

regardless of with smtp-from (development branch), hostname, or not. from is n...@outlook.com, that is needed of course for From: header?

  From: fozzi-b...@outlook.com
  s-nail: >>> MAIL FROM: BODY=7BIT

smtp-from came in so that it is not @outlook@outlook.com.

Well i mean i just retried once more with Yandex (IMAP, SMTP) and Gmail (IMAP, POP3, SMTP), and all that works just fine. And i really have changed nothing since September when it worked flawlessly. And refreshing the token updates the scope= like

  scope=https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send

(we save it 1:1 just as we get it back from Microsoft).

So if oauth-helper.py works for you (i just pushed a fix for the new --automatic ;() then i presume it is the tenant=.

By the way the portal.azure.com "API permissions" screen shows "No" for "Admin consent required" for all permissions of s-mailx? Such a mess! I cannot help it -- if it works for you, then .. maybe i should recreate the application? But then again, i am sick of it. May Microsoft mess in peace for now.

Thanks, Stephen.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
On Thu, 16 Mar 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:

> (The instructions are included in oauth-helper.py via action=manual
> provider=Microsoft. And oh i see -- this should not be enabled by
> default, maybe someone misused that ID for bad things, and now
> Microsoft has disabled? But .. i can login via IMAP, POP3
> protocols does not exist anyhow, and SMTP is rejected with
> unauthorized.)

On the remote machine that I am testing with, I have to set 'from' to my login name at the organization. If I set it to my email address at the organization, which is different, I get an error message. Could that be the same problem that you are having?

Stephen Isard
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello Stephen.

Stephen Isard wrote in
 <6916-1678924548-25...@sneakemail.com>:
|On Wed, 15 Mar 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
|> So i would assume you are using that "department tenant" and
|> client ID like you did last September, and not the "s-mailx"
|> "application"?
|
|I am using the client id that I set up for myself, following the
|instructions that you pointed me at. I think that they were from the
|mutt website. I believe that you were able to connect using that client
|id as well. I have just tried
|/s-nail-oauth-helper.py -a authorize -p Microsoft -R resourcefile
|where resourcefile came from running
|s-nail-oauth-helper.py -p Microsoft -a template -R resourcefile
|
|This was on a machine that I was logged in on remotely via ssh, so I
|changed flow from redirect to devicecode. Everything went ok until I
|was asked to log in to my organization's website. When I did that, I
|was told that s-nail was not trusted and I would need permission from
|some higher authority. I don't get that if I use my own client id
|instead of the one that s-nail-oauth-helper.py puts into the
|resourcefile.

Thanks for checking this.

(The instructions are included in oauth-helper.py via action=manual provider=Microsoft. And oh i see -- this should not be enabled by default, maybe someone misused that ID for bad things, and now Microsoft has disabled? But .. i can login via IMAP, POP3 protocols does not exist anyhow, and SMTP is rejected with unauthorized.)

Well maybe i have to re-setup that app. I put some more time.

Ciao, and good night!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
On Wed, 15 Mar 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:

> So i would assume you are using that "department tenant" and
> client ID like you did last September, and not the "s-mailx"
> "application"?

I am using the client id that I set up for myself, following the instructions that you pointed me at. I think that they were from the mutt website. I believe that you were able to connect using that client id as well. I have just tried

  /s-nail-oauth-helper.py -a authorize -p Microsoft -R resourcefile

where resourcefile came from running

  s-nail-oauth-helper.py -p Microsoft -a template -R resourcefile

This was on a machine that I was logged in on remotely via ssh, so I changed flow from redirect to devicecode. Everything went ok until I was asked to log in to my organization's website. When I did that, I was told that s-nail was not trusted and I would need permission from some higher authority. I don't get that if I use my own client id instead of the one that s-nail-oauth-helper.py puts into the resourcefile.

Stephen Isard
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello Stephen.

Stephen Isard wrote in
 <27742-1678839459-662...@sneakemail.com>:
|On Tue, 14 Mar 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:
|> Is anybody using the oauth-helper.py with Microsoft?
|
|Sorry for the delay in responding. I'm using oauth with Microsoft, but

All on my side. Thanks for answering.

|after you taught me enough to make it work with the mutt oauth script
|mutt_oauth2.py, I never converted to your (much superior) script,
|because I had a working setup and didn't want to disturb it.

Like the ballad of John and Yoko, another Apple Records production. Sigh.

|My account definition includes the lines
|set mta=submission://smtp.office365.com
|set smtp-auth=oauthbearer
|and I can send mail.

So i would assume you are using that "department tenant" and client ID like you did last September, and not the "s-mailx" "application"? I would then conclude that during some work they "did something" on all those dumb / gratis / few users / petty Azure applications like "s-mailx" without even notifying their owners. IMAP login and anything works, SMTP does not.

Thanks. And Ciao!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Hello.

Steffen Nurpmeso wrote in
 <20230314223059.awkol%stef...@sdaoden.eu>:
|Steffen Nurpmeso wrote in
| <20230314213206.paznm%stef...@sdaoden.eu>:
||Is anybody using the oauth-helper.py with Microsoft?
| ...
||I am in the process of extending oauth-helper.py so that this can
||be automatized a bit (currently it fails hard because that
| ...
|
|Now on [1]: instead of hard-failing for the no longer supported
|access token refresh (i cannot believe this is really true), we
|will now restart ourselves to authorize.
|Also a new configuration option "refresh_needs_authorize=y" (any
|non-empty value) will forcefully skip over the useless try to
|refresh the token.

To make this really work i have also added the -A / --automatic option, so that we forcefully fail if interactivity would be required. (Also the --help output now fits in 25 lines.)

| [1] https://git.sdaoden.eu/browse/s-toolbox.git/plain/oauth-helper.py
|
| Note: user "moon", password "mars", as in:
|
| $ curl -u moon:mars --basic -O https://git.sdaoden.eu/browse/s-toolbo\
| x.git/plain/oauth-helper.py

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
On Tue, 14 Mar 2023, Steffen Nurpmeso steffen-at-sdaoden.eu |s-nail| wrote:

> Is anybody using the oauth-helper.py with Microsoft?

Hello Steffen,

Sorry for the delay in responding. I'm using oauth with Microsoft, but after you taught me enough to make it work with the mutt oauth script mutt_oauth2.py, I never converted to your (much superior) script, because I had a working setup and didn't want to disturb it.

My account definition includes the lines

  set mta=submission://smtp.office365.com
  set smtp-auth=oauthbearer

and I can send mail.

Stephen Isard
Re: [S-mailx] OAuth, and Microsoft, and this little MUA
Steffen Nurpmeso wrote in
 <20230314213206.paznm%stef...@sdaoden.eu>:
|Hello list.
|
|Is anybody using the oauth-helper.py with Microsoft?
 ...
|I am in the process of extending oauth-helper.py so that this can
|be automatized a bit (currently it fails hard because that
 ...

Now on [1]: instead of hard-failing for the no longer supported access token refresh (i cannot believe this is really true), we will now restart ourselves to authorize. Also a new configuration option "refresh_needs_authorize=y" (any non-empty value) will forcefully skip over the useless try to refresh the token.

[1] https://git.sdaoden.eu/browse/s-toolbox.git/plain/oauth-helper.py

Note: user "moon", password "mars", as in:

  $ curl -u moon:mars --basic -O https://git.sdaoden.eu/browse/s-toolbox.git/plain/oauth-helper.py

I would be happy if someone could tell me how to re-enable SMTP, or point out what i am doing wrong.

Ciao.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)