OAuth2 With Exchange "Authentication failed." #1811
Okay I got it working, using a hint from #1624 (comment). In my case changing the scope to https://outlook.office365.com/.default even for IMAP made it suddenly work. I think maybe the docs need to be updated to remove the https://ps.outlook.com/.default scope (maybe it's required for POP3 only?) |
That's interesting. Microsoft's docs still say to use ps.outlook.com, though: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth I wonder if it's because you've enabled IMAP and SMTP? |
@jstedfast quite possibly, I think the most reliable solution is to just always request both scopes - I can confirm that asking for both works with all 3 protocols |
Good to know, thanks for experimenting a bit and letting me know! |
Hey everyone, I’m encountering the same error and wanted to check with you—could the "Authentication Failed" issue be due to insufficient permissions? I’ve added the required permissions for IMAP in Azure for my application, but when I generate the bearer token and convert it to JWT, it doesn’t show the roles as @catmanjan mentioned above. Any ideas why I don't see them here:
|
What scopes are you requesting in your code?
Did you also run the PowerShell commands that give the service principal
permission to access the mailbox?
On Sat, 21 Sept 2024, 3:26 am ItsoDimitrov wrote:
> Hey everyone, I’m encountering the same error and wanted to check with
> you—could the "Authentication Failed" issue be due to insufficient
> permissions? I’ve added the required permissions for IMAP in Azure for my
> application, but when I generate the bearer token and convert it to JWT, it
> doesn’t show the roles as @catmanjan mentioned above. Any ideas why I don't
> see them here:
>
> {
>   "aud": "https://outlook.office365.com",
>   "iss": "https://sts.windows.net/4365e71d-3efd-4155-b4ab-121260c95ad6/",
>   "iat": 1726852725,
>   "nbf": 1726852725,
>   "exp": 1726856625,
>   "aio": "E2dgYFDa8/p70JMorjLBGUtPORgdBgA=",
>   "app_displayname": "snip",
>   "appid": "snip",
>   "appidacr": "1",
>   "idp": "https://sts.windows.net/4365e71d-3efd-4155-b4ab-121260c95ad6/",
>   "idtyp": "app",
>   "oid": "32b38117-78f1-45f5-b958-8db508f7cd21",
>   "rh": "0.ATsAHedlQ_0-VUG0qxISYMla1gIAAAAAAPEPzgAAAAAAAAA7AAA.",
>   "sid": "6068822f-3a54-42f5-ac70-98447ed52653",
>   "sub": "32b38117-78f1-45f5-b958-8db508f7cd21",
>   "tid": "4365e71d-3efd-4155-b4ab-121260c95ad6",
>   "uti": "CD1oHbI2EEaM1rEqC0Q-AA",
>   "ver": "1.0",
>   "wids": [ "0997a1d0-0d1d-4acb-b408-d5ca73121e90" ],
>   "xms_idrel": "7 28"
> }
|
One more thing, in Azure did you grant administrator consent on the API
page?
|
The scope I'm using is: Regarding the service principal, I'm not able to execute 'New-ServicePrincipal'. |
Are you running this in the interactive terminal in Azure portal or on your
local machine?
If it's your local machine it's likely that you have an old version of the
PowerShell dependency that you have to import - I think it's easiest to do
it via the portal...
|
After granting administrator consent on the API, I can now see the roles after transferring the generated bearer token to JWT. However, I still receive an "Authentication Failed" error.
var confidentialClientApplication = ConfidentialClientApplicationBuilder.Create(clientId)
string[] scopes = { "https://outlook.office365.com/.default" };
I haven't executed New-ServicePrincipal yet. |
Yeah, you definitely need to create the service principal as that is how
your app registration is granted permission to access the mailbox
On Tue, 24 Sept 2024, 9:45 pm ItsoDimitrov wrote:
> After granting administrator consent on the API, I can now see the roles
> after transferring the generated bearer token to JWT. However, I still
> receive an "Authentication Failed" error.
>
> image.png (view on web)
> <https://github.com/user-attachments/assets/697b298c-4b4b-4f71-917c-4445869674d5>
>
> var confidentialClientApplication = ConfidentialClientApplicationBuilder.Create(clientId)
>     .WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
>     .WithClientSecret(clientSecret)
>     .Build();
> string[] scopes = { "https://outlook.office365.com/.default" };
> var result = await confidentialClientApplication.AcquireTokenForClient(scopes).ExecuteAsync(CancellationToken.None);
> return result;
>
> var oauth2 = new SaslMechanismOAuth2(email, token.AccessToken);
> await client.ConnectAsync(host, port, SecureSocketOptions.SslOnConnect);
> await client.AuthenticateAsync(oauth2);
>
> Is this New-ServicePrincipal required?
|
Hey again, @catmanjan, sorry for the delay, but unfortunately, I don’t have the necessary access to Azure and I'm waiting for my colleagues, which is why it’s taking so much time. Update: We managed to execute the New-ServicePrincipal and the permission granting and this fixed the issue with the authentication. |
Hello I've followed https://github.com/jstedfast/MailKit/blob/master/ExchangeOAuth2.md in particular "Authenticating a Web Service with OAuth2"
I've registered my app registration, given it the appropriate API permissions, I've created a service principal and added the mailbox permission to my user's mailbox, still no matter what I do I get a generic "Authentication failed." at the
client.AuthenticateAsync(oauth2);
line. Is there any way to diagnose further? The access token looks right to me: Here is my code, the main difference is I am using .WithClientSecret() instead of .WithCertificate()
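The checks this thread converged on, as an added C# example (not code from MailKit, MSAL or any participant): it decodes the access token's payload locally and reports which step is still missing before `client.AuthenticateAsync(oauth2)` is called. `ExchangeTokenCheck` and `Diagnose` are hypothetical names, the sample token is constructed, and `IMAP.AccessAsApp` is assumed to be the application permission granted to the app registration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

static class ExchangeTokenCheck // hypothetical helper, not part of MailKit or MSAL
{
    // Decodes the payload locally; the signature is not verified (diagnostics only).
    static JsonElement DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a three-part JWT");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    public static List<string> Diagnose(string jwt, string requiredRole, DateTimeOffset now)
    {
        var p = DecodePayload(jwt);
        var findings = new List<string>();
        var aud = p.TryGetProperty("aud", out var a) ? a.GetString() : null;
        if (aud != "https://outlook.office365.com")
            findings.Add($"aud is '{aud}'; the token in this thread has https://outlook.office365.com");
        var hasRole = p.TryGetProperty("roles", out var r) && r.ValueKind == JsonValueKind.Array
            && r.EnumerateArray().Any(x => x.GetString() == requiredRole);
        if (!hasRole)
            findings.Add($"roles lacks '{requiredRole}': add the API permission and grant admin consent");
        if (p.TryGetProperty("exp", out var e) && DateTimeOffset.FromUnixTimeSeconds(e.GetInt64()) <= now)
            findings.Add("token has expired");
        if (findings.Count == 0)
            findings.Add("claims look right: check New-ServicePrincipal and the mailbox permission in Exchange");
        return findings;
    }

    static string B64Url(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static void Main()
    {
        // Constructed sample shaped like the token quoted in this thread: no "roles" claim.
        var payload = "{\"aud\":\"https://outlook.office365.com\",\"idtyp\":\"app\",\"exp\":1726856625}";
        var jwt = B64Url("{\"typ\":\"JWT\"}") + "." + B64Url(payload) + ".sig";
        var now = DateTimeOffset.FromUnixTimeSeconds(1726852725);
        foreach (var f in Diagnose(jwt, "IMAP.AccessAsApp", now)) Console.WriteLine(f);
    }
}
```

A token that passes all three claim checks can still be rejected, as it was in this thread, because the Exchange service principal and mailbox permission are not visible in the token.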