I'm trying to send an email via smtp.live.com using an OAuth token generated via https://login.microsoftonline.com/common/oauth2/v2.0/… but I'm receiving the following error:
535 5.7.3 Authentication unsuccessful
I can make it work by obtaining an auth token via https://login.live.com/oauth20_authorize.srf (a legacy API) but that only works for free Microsoft accounts (I need to support business/Outlook365 accounts too).
The fact I can make it work using that legacy endpoint seems to validate that:
The server supports XOAUTH2 (which I also validated via Telnet EHLO)
That the encoding is correct (I'm using this process)
That I'm meant to pass the full access token via XOAUTH2 and not something odd like pass it in via LOGIN, or decode the JWT and pass in some component etc.
The access token seems valid (it works for other calls, including sending an email via the Graph API).
I've requested the following scopes:
[
'offline_access', 'User.Read', 'MailboxSettings.ReadWrite',
'Mail.Send', 'Mail.ReadWrite', 'Mail.Read', 'Mail.ReadBasic', 'Contacts.ReadWrite',
'Mail.Read.Shared', 'Mail.ReadWrite.Shared', 'Mail.Send.Shared', 'MailboxSettings.Read',
'profile', 'openid', 'email', 'Calendars.ReadWrite',
'EAS.AccessAsUser.All', 'EWS.AccessAsUser.All',
];
For the legacy token (the one which works), the scopes are different:
[
'wl.emails', 'wl.offline_access', 'wl.imap'
];
(I've tried including these scopes when requesting the v2 token too, but it's invalid).
Other things I've tried:
Using smtp.office365.com instead of smtp.live.com
Obtaining fresh access tokens
Ensuring app settings/permissions are configured correctly, as per this article
Enable Exchange SMTP Auth
Office 365 SMTP servers do not support OAuth authentication as of this time.
Office 365 SMTP servers is supporting OAuth authentication only through Code Authorization Flow not with the other mechanisms like Client Credentials flow e.t.c
Related
We have been trying to use Office365 SMTP OAUTH2 authentication with client credentials flow without success.
The documentation claims that SMTP should work
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
but also states the following:
<<Note As per the current test with SMTP Oath 2.0 client credential flow with non-interactive sign in is not supported.">>
We can generate a token using the code interactive flow and with the delegation dynamic scope
https://outlook.office.com/SMTP.Send
The resulting token has scope "SMTP.Send" which can be used in JavaMail to successfully send emails from a specific user.
We are building a non-interactive application, the above does not work for us.
When we try to generate a token with the client credential flow, the only scope format supported is {resource}/.default
HTTP POST https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
client_id=...
client_secret=...
grant_type=client_credentials
scope=https://outlook.office365.com/.default
There are no application's permissions for SMTP we can set under the Microsoft Office API.
Authentication always returns "535 5.7.3 Authentication unsuccessful"
This should work like IMAP does.
The only option we have found is to disable Security Defaults under
Azure Active Directory
-> Properties
-> Manage Security Defaults
Which enables PLAIN TEXT authentication.
You also need make sure that your emailbox does not have Smtp Client Authentication disabled with the following powershell command
Set-CASMailbox -Identity -SmtpClientAuthenticationDisabled $false
after these two changes JavaMail can authenticate using user/pwd and can send emails.
Per https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth:
Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported.
I just discovered this myself.
The Microsoft Graph API is an alternative option and I have confirmed it does work with the Client Credentials flow, but it has other limitations related to volume and file attachments to be considered.
The Paypal API doesn't recognize my Client ID and Secret I got from https://developer.paypal.com/developer/applications/
I wanted to include a server side checkout according to this tutorial https://developer.paypal.com/docs/archive/checkout/how-to/server-integration/
When I do the request to https://api-m.paypal.com/v1/payments/payment I always get a 401 Error with the message "Authentication failed due to invalid authentication credentials or a missing Authorization header.".
I checked multiple times if my credentials were correctly included into the request. I also tested the endpoint in my server environment and as well via Postman.
I also tried the route https://api-m.sandbox.paypal.com/v1/oauth2/token to exchange my credentials with an access token and got the same problem.
I also tried to create multiple Sandbox and Live Accounts and always got the same error.
Has anyone an idea what the problem could be?
There are two separate issues here.
You first need to use /v1/oauth2/token to obtain an access token, and then use that access token to call any of the other actual APIs.
The credentials you obtain from PayPal Developer will be for either "Sandbox", or "Live". Make sure you choose the correct tab (sandbox, for development). Sandbox credentials will only work for api-m.sandbox.paypal.com , and Live credentials will only work for api-m.paypal.com . The two environments are completely separate.
If you still have issues, post the SANDBOX client ID and secret you are using, and the full request and response to the api-m.sandbox.paypal.com endpoint. There should be a PayPal-Debug-Id in any error response, in the headers if nowhere else.
I am trying to email EML files via Gmail SMTP server using MailKit. I followed example provided by jstedfast to build MimeMesage and send via Gmail SMTP server. I am able to send email using both the simple authentication using (user account, user password) and using OAUTH2. I followed example how to Setting up OAuth2 for use with Google Mail and all works fine, except that it seems that I have to configure access Scopes to include "https://mail.google.com/"
var accessScopes = new[]
{
"https://mail.google.com/",
"https://www.googleapis.com/auth/gmail.send"
};
otherwise sending fails with the following error:
535: 5.7.8 Username and Password not accepted. Learn more at
5.7.8 https://support.google.com/mail/?p=BadCredentials c5sm231676iod.25 - gsmtp
I assumed that I need to configure access scope with the gmail.send only but it doesn't seem to work.
"https://www.googleapis.com/auth/gmail.send"
I don't want to configure "https://mail.google.com/" which implies full access to the gmail account. When the consent screen is presented to users, users may hesitate to accept all access scopes which seems to be required otherwise sending of mails fails.
I tried to configure some of the read only scopes instead of "https://mail.google.com/" but it doesn't seem to work.
What I am missing?
Thank you
The "https://mail.google.com/" scope is the only scope that works with SMTP, POP3 and/or IMAP.
All of the other scopes are only available to use with the Google REST APIs.
I have a query about how keycloak is supposed to be working with client without GUI access.
Basically I have:
A keycloak server configured with a realm, clients(Access type confidential) and Users
A server application with a GUI that also provide API, secure with keycloak (client, user, blablabla)
This is kind of working already as I am able to log on the GUI, have the redirect, etc..
Even accessing the APIs works well, when I have access to a GUI: I log on my UI, follow the redirect and get my UI to display the token. The the human (to differentiate the user from an application), can use the token in any API client.
In this context the user never sees the client secret, which is instinctively the right way. (note that I am very opened to people telling me my instinct is wrong!)
What I am NOT able to do so far is to find the way a server application (without GUI) can get a valid token?
The authorization_endpoint, as far as I understand it, requires both the client id and the client secret) to get a token, which I would rather avoid: I don't think giving my client secret to all my "customers" is the proper way to do it.
Alternatively I could create an API on my client that woudl ask for user credential and ask for the token in its behalf, but that would expose the clients credentials to my application, which is against the whole concept!
I tried setting my client Access type as public, but when I use the API call below I also get a error:
POST /auth/realms/realmname/protocol/openid-connect/tokenAPI
'grant_type=client_credentials'
'client_id=client_id'
'username=username'
'password=password'
{
"error": "unauthorized_client",
"error_description": "Public client not allowed to retrieve service account"
}
Would anyone know how this is supposed to be done ?
Thanks in advance.
Max
(...) A server application (without GUI) can get a valid token... typically using the Client Credentials flow.
But we would define in this case a dedicated Client for your server (client?) application to authenticate against. The returned token (not bound to a specific user) will serve for authorizations on allowed applications (i.e. your classic GUI or API clients).
So, basically you should (in very short):
define a specific confidential Client in your Keycloak
add the desired applications (or other Clients) to the Client Scope(s). Those you want to authorize transitively from this Client.
authenticate against this Client with Client Credentials flow (given the token endpoint, client id, credentials, scope)
ensure that you are authenticating through TLS and that parameters are included in request body (and not in headers - for enhanced privacy)
further harden security of your Client(s)
When you do not want anymore this particular server (client?) application to access your applications, you can change the corresponding "authentication" Client's secret/credentials or simply delete it.
"I don't think giving my client secret to all my "customers" is the proper way to do it."
You are right and the proposed method above strictly avoids that. Each customer would have its own credentials.
EDIT
(adding more details)
By performing as above, you would end up with the following scheme:
Flow Keycloak Server
C/S app. or Customer X <--- Client Creds ---> Auth. Client X
--- Access Token ---> Appl. Client <--> Appl. Server
C/S app. or Customer Y <--- Client Creds ---> Auth. Client Y
--- Access Token ---> Appl. Client <--> Appl. Server
Browser users <--- Standard ------> Appl. Client <--> Appl. Server
Note: this is not a detailed flow chart. Arrows mostly show relationships here.
Finally, please note that the terminology may differ a little here, but the proposed method is basically the same that Google uses. So you may aswell take some inpiration from there:
https://developers.google.com/identity/protocols/oauth2
I just had the same problem some weeks ago
In my case, I have a backend API and a frontend application that the users can use.
Eventually, I can't share the client_secret to the frontend application.
So here is my solution:
On keycloak, create a client (ex front_end_client) with grant type public
This client is going to be used by the frontend application to authenticate users using implicit flow (with PKCE will be more secure)
On keycloak, create a second client (On the same REALM as the first client) with grant type confidential, this client is going to be used by the backend API
Now, this is how it works:
Frontend app authenticate users and get the access token (Using the font_end_client)
The frontend app sends this token for every request to the backend
Backend app verify this token, and can retrieve permissions from it
I am trying to write an WPF client which uses ADAL to authenticate against ADFS on a Windows Server 2012 R2. I have successfully implemented this using "Forms Authentication" where the user is prompted for the domain username and password. However, I want to take advantage of SSO and use the currently logged on domain user to authenticate against the ADFS.
Unfortunately, I'm only getting an error message saying:
This method overload is not supported by '< ADFS servername>'
I have done a lot of searching, but find some of the information contradictive:
This SO post about a Windows Store App (any differences to WPF?) where Vittorio Bertocci links to a blog on how to achieve it:
ADAL for Windows Store SSO
This SO post where Vittorio Bertocci claims that silent authentication is only possible with Windows Server 2016:
Authenticate with ADFS inside Console App silently
Is it a fact that Windows Server 2016 is required to perform SSO in conjunction with ADAL?
Is there any other way to do it?
EDIT:
After upgrading to the latest alpha of ADAL (3.9.302111717-alpha) I'm getting the more detailed error message
MSIS9611: The authorization server does not support the requested 'grant_type'. The authorization server only supports 'authorization_code' or 'refresh_token' as the grant type.
The code I'm executing is this:
string authority = "https://myServer.com/adfs";
string resourceURI = "http://myApp/";
string clientId = "XXXX-XXX-XXXX-XXXX-XXXXX";
string clientReturnUri = "http://anarbitraryreturnuri/";
var ac = new AuthenticationContext(authority, false);
var token = await ac.AcquireTokenAsync(resourceURI, clientId,new UserCredential());
I was able to implement a working solution using WS-Trust, so I am confident that the machine I'm running on has the privacy settings to enable the app to find the currently logged on user.
The Oauth2 endpoint looks as follows:
Also, my global authentication policy is set up like this:
Windows Server 2016 is only required for the password grant - in which you provide raw username and password. Your question seems to suggest you want to sign on with the currently signed in user, which would leverage Kerberos instead.
Kerberos based authentication should work with ADFS "3" and ADFS 2016 indifferently - as long as your client is connected to the domain network, the local machine does not have privacy settings that prevent your app from finding out the domain user currently logged in and the correct endpoints are enabled on the ADFS instance.