OAuth2 with POP3 on O365: invalid_client

Moderator: crythias

glorang
Znuny newbie
Posts: 8
Joined: 09 Jun 2016, 11:39
Znuny Version: 6.4.1
Real Name: Geert Lorang

OAuth2 with POP3 on O365: invalid_client

Post by glorang »

Upgraded our test instance to Znuny 6.4.1, trying to configure OAuth2 against O365 for polling POP3. Running on up-to-date Debian 10.

ScriptAlias: otrs/
FQDN: tt-test.domain.com
HttpType: https

App created in Azure, Redirect URL set to https://tt-test.domain.com/otrs/get-oau ... on-code.pl

YAML downloaded and replaced "organizations" with our tenant UUID in token & authorize URLs and reuploaded in Znuny.

When trying to get a new token in the OAuth2 section in the admin interface it fails with "invalid_client", e.g.

Code:

Backend ERROR: OTRS-CGI-20 Perl: 5.28.1 OS: linux Time: Tue Aug 30 11:36:37 2022

 Message: Error requesting token for token config ID 8 with authorization code '<long token here>': invalid_client.

 RemoteAddress: A.B.C.D
 RequestURI: /otrs/get-oauth2-token-by-authorization-code.pl?code=<long token here>&state=TokenConfigID8&session_state=<random UUID here>

BUT, when trying to POP the mailbox it actually seems to work:

Code:

otrs@tt-test:~$ ./bin/otrs.Console.pl Maint::PostMaster::MailAccountFetch --debug

POP3S: Connection to outlook.office365.com closed.

Net::POP3::_SSL=GLOB(0x55cc11dea3f8)<<< +OK The Microsoft Exchange POP3 service is ready. [RgBSADAAUAAyADgAMQBDAEEAMAAxADAAOAAuAEQARQBVAFAAMgA4ADEALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)>>> AUTH XOAUTH2
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)<<< +
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)>>> <long token here>
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)<<< +OK User successfully authenticated.
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)>>> STAT
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)<<< +OK 0 0
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)>>> LIST
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)<<< +OK 0 0
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)>>> QUIT
Net::POP3::_SSL=GLOB(0x55cc11dea3f8)<<< +OK Microsoft Exchange Server POP3 server signing off.
Done.

Could someone perhaps share an (anonymized) Azure AD App manifest?

Any help or hints appreciated!
glorang
Znuny newbie
Posts: 8
Joined: 09 Jun 2016, 11:39
Znuny Version: 6.4.1
Real Name: Geert Lorang

Re: OAuth2 with POP3 on O365: invalid_client

Post by glorang »

After removing the existing OAuth token config and re-adding it via an incognito browser window and signing in to Microsoft with the target mailbox credentials everything started working.

I'm pretty sure this has something to do with my current user / current browser session being signed in to our tenant (e.g. in Outlook, Teams etc.), but my user doesn't have access to the mailbox / the Azure AD app (it also shouldn't have), so this will create a failure in Znuny the first time you try to request a new token, after which Znuny seems to be in a state it cannot recover from. E.g. we tried many times re-logging in with the mailbox account after we set up the OAuth token config from our own browser session, but it never worked.

Anyway, glad it all works now. Hopefully this is useful for someone else!
Sudzzz
Znuny newbie
Posts: 3
Joined: 08 Jul 2015, 14:10
Znuny Version: 3.3.11

Re: OAuth2 with POP3 on O365: invalid_client

Post by Sudzzz »

Hi,

Thank you for the tips, it worked for me as well in private mode.
Your assumption is correct, it has to do with the user signed in to the browser when requesting the token.

Cheers :D
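
A diagnostic for the cause identified in this thread, added here as an example and not code from the posters or from Znuny: the line sent after `AUTH XOAUTH2` in the POP3 debug output is a base64 SASL string, and this checks that the token inside it was issued to the mailbox account rather than to whoever was signed in to the browser. It assumes the access token is a JWT carrying a `upn` or `preferred_username` claim and an `scp` claim containing `POP.AccessAsUser.All`; the function names and sample addresses are made up for illustration.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_xoauth2(initial_response: str) -> tuple[str, str]:
    """Split a base64 SASL XOAUTH2 string into (user, bearer_token)."""
    raw = base64.b64decode(initial_response).decode("utf-8")
    fields = dict(f.split("=", 1) for f in raw.split("\x01") if f)
    scheme, _, token = fields.get("auth", "").partition(" ")
    if "user" not in fields or scheme != "Bearer" or not token:
        raise ValueError("not a well-formed XOAUTH2 string")
    return fields["user"], token

def token_identity(token: str) -> dict:
    """Decode JWT claims WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    claims = json.loads(b64url_decode(parts[1]))
    return {"user": claims.get("upn") or claims.get("preferred_username"),
            "aud": claims.get("aud"), "scp": claims.get("scp", "")}

def check_mailbox_token(initial_response: str, mailbox: str) -> list[str]:
    """Return a list of problems; empty means the token matches the mailbox."""
    sasl_user, token = parse_xoauth2(initial_response)
    ident = token_identity(token)
    problems = []
    if sasl_user.lower() != mailbox.lower():
        problems.append(f"SASL user is {sasl_user}, expected {mailbox}")
    if (ident["user"] or "").lower() != mailbox.lower():
        problems.append(f"token was issued to {ident['user']}, not {mailbox}")
    if "POP.AccessAsUser.All" not in ident["scp"].split():
        problems.append("token lacks the POP.AccessAsUser.All scope")
    return problems

# Constructed sample data below: unsigned fake JWTs, not real tokens.
def _fake_jwt(claims: dict) -> str:
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

def _xoauth2(user: str, token: str) -> str:
    return base64.b64encode(f"user={user}\x01auth=Bearer {token}\x01\x01".encode()).decode()
```

The string in that debug line is a live bearer credential, so decode it locally and keep it out of tickets and forum posts.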