OAuth2 scopes for Outlook.com need urgent updating
Component: MailNews Core :: Backend (defect)
Tracking: Not tracked
People: Reporter dev-mozilla.org_6183c9754aa36d894748ad30, Unassigned
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Steps to reproduce:
Tried setting up an outlook.com account on TB102 using OAuth2.
Actual results:
The OAuth login page at https://login.microsoftonline.com/common/oauth2/v2.0/authorize?.. pops up; login fails because only work or school accounts are permitted.
Expected results:
Login page should have redirected to https://login.live.com/oauth20_authorize.srf?.. to complete the login.
My assumption is that this is due to Microsoft having changed permission scope namings.
As per https://searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.jsm, Thunderbird uses e.g. for IMAP the scope "https://outlook.office365.com/IMAP.AccessAsUser.All".
In a document released less than a week ago (July 12, 2022), the new permission scope strings are now only "office.com" rather than "office365.com". See https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth for details.
The issue is hitting the user base; there are already some support cases on the TB support forum related to issues receiving or sending mail with outlook.com accounts.
Comment 1•2 years ago
The scopes Thunderbird is using (still) work at least for O365 accounts. I'm not sure they ever worked for outlook.com accounts.
One of the prerequisites to work with outlook.com accounts is already met: TB uses https://login.microsoftonline.com/common/oauth2/.. at present which is the universal API endpoint that accepts both work or school accounts as well as personal accounts.
So to expand the functionality to outlook.com accounts, the question is whether only switching scopes from e.g. "https://outlook.office365.com/IMAP.AccessAsUser.All" to "https://outlook.office.com/IMAP.AccessAsUser.All" (and similarly for POP and SMTP) will do the trick, whether (additional) scopes are needed for personal accounts to work, and/or whether the app permissions for Thunderbird's App-ID 08162f7c-0fd2-4200-a84a-f25a4db0b584 are not set to work also for outlook.com.
I unfortunately cannot test myself as the build environment is not set up on the notebook I am traveling with at present.
Re additional scopes: I can confirm that e.g. FairEmail on Android works flawlessly with outlook.com addresses using OAuth2 (kudos to Marcel Bokhorst (M66B)); next to the office.com scopes it additionally applies the scopes "profile", "openid" and "email" (see also https://github.com/M66B/FairEmail/blob/c10abc0db0bdcefb919eb4e805c68d2d853fd308/app/src/main/res/xml/providers.xml).
Re registration in Azure AD / MSFT Identity platform: Is anyone following who owns the Azure AD account under which the App-ID is managed or knows who does and could validate what has been authorized for 08162f7c-0fd2-4200-a84a-f25a4db0b584?
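As an added example (not code from this report, from Thunderbird or from FairEmail): the two pieces a client actually has to get right for the account type described above are the scope string sent to the common v2.0 authorize endpoint and the SASL XOAUTH2 initial response sent to the IMAP/POP/SMTP server once an access token has been obtained. The snippet below rewrites the old office365.com scopes to the office.com form, appends the OIDC scopes FairEmail is reported to use, builds the authorize URL, and encodes/decodes the XOAUTH2 blob. The client ID is Thunderbird's from the thread; the redirect URI and the sample user/token are placeholders, and the POP and SMTP scope names are taken from the Microsoft document linked in the report (the thread itself spells out only the IMAP one).

```python
import base64
from urllib.parse import urlencode, urlparse, parse_qs

# Universal v2.0 endpoint: accepts work/school and personal (outlook.com) accounts.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT_ID = "08162f7c-0fd2-4200-a84a-f25a4db0b584"   # Thunderbird's App-ID, as quoted in the thread
REDIRECT_URI = "https://localhost/oauth2"            # ASSUMPTION: placeholder, not Thunderbird's real redirect URI

# Resource scopes as currently found in OAuth2Providers.jsm (IMAP) and the
# corresponding POP/SMTP names from Microsoft's IMAP/POP/SMTP OAuth document.
OLD_RESOURCE_SCOPES = {
    "imap": "https://outlook.office365.com/IMAP.AccessAsUser.All",
    "pop":  "https://outlook.office365.com/POP.AccessAsUser.All",
    "smtp": "https://outlook.office365.com/SMTP.Send",
}

# OIDC scopes FairEmail adds; offline_access is the standard scope that yields a refresh token.
OIDC_SCOPES = ("openid", "profile", "email", "offline_access")


def modernize_scope(scope: str) -> str:
    """Rewrite the legacy office365.com resource prefix to the office.com one."""
    return scope.replace("https://outlook.office365.com/", "https://outlook.office.com/", 1)


def build_scope_string(protocols, include_oidc: bool = True) -> str:
    """Space-separated scope parameter for the given protocols ('imap', 'pop', 'smtp')."""
    scopes = [modernize_scope(OLD_RESOURCE_SCOPES[p]) for p in protocols]
    if include_oidc:
        scopes.extend(OIDC_SCOPES)
    return " ".join(scopes)


def build_authorize_url(protocols, state: str, include_oidc: bool = True) -> str:
    """Authorization-code request against the common endpoint (no PKCE, to stay short)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": build_scope_string(protocols, include_oidc),
        "state": state,   # caller-generated anti-CSRF value, checked on the redirect
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def authorize_url_params(url: str) -> dict:
    """Parse a URL's query back into {name: value} (single-valued) for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response: base64('user=' U ^Aauth=Bearer T^A^A)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode("ascii")


def decode_xoauth2(blob: str):
    """Inverse of xoauth2_initial_response; returns (user, access_token)."""
    raw = base64.b64decode(blob).decode()
    fields = raw.rstrip("\x01").split("\x01")
    user = fields[0].split("=", 1)[1]
    token = fields[1].split(" ", 1)[1]          # strip the 'Bearer ' prefix
    return user, token


if __name__ == "__main__":
    url = build_authorize_url(["imap", "smtp"], state="constructed-state")
    print(url)
    # constructed sample values; a real token comes from the /token endpoint
    print(xoauth2_initial_response("someone@outlook.com", "EwBwA8l6BAAU..."))
```

The `state` value must be unguessable and compared on the redirect, and a production client should add PKCE (`code_challenge`/`code_challenge_method=S256`), which is omitted here to keep the focus on the scope string. The IMAP side then sends `AUTHENTICATE XOAUTH2 <blob>`; a server rejecting the token because of a wrong resource prefix typically answers with a base64-encoded JSON error rather than a plain `NO`, which is worth decoding when debugging a scope problem like the one in this bug.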
Comment 3•2 years ago
Yes, we're looking at it in bug 1685414.
(In reply to Magnus Melin [:mkmelin] from comment #1)
The scopes Thunderbird is using (still) works at least for O365 accounts. I'm not sure they ever worked for outlook.com accounts
No, it never worked for outlook.com, Magnus, but recent events with the lack of O365 in .ch domains make me wonder whether scopes are not a larger looming issue than it at first appears, as other authentication methods are apparently being actively deprecated at Microsoft.
Updated•2 years ago