RIP M$ basic auth support
──────────────────────────────────────────────────────────────────────

Microsoft must hate their users. I've seen the news come up a few
times, thinking that would be nothing but a joke. But here we are:
Basic authentication for Microsoft Exchange is dead.

This means that the only way to authenticate to your Office 365
mailbox is using the XOAuth2 mechanism. And hear me out, it's a pain!

However, I'm not writing this post as yet another rant against
Microsoft. It is a brain dump of what I did to get it working again,
because I'll need it sooner or later (and you'll probably need that
too!).

# Process

This will let you retrieve/send email with isync/msmtp respectively.
At the end of the day, you'll still use a username/password, it's
just that getting that "password" (XOAUTH2 token) is a pain in the
neck.

0. Get a stress ball, put it somewhere close to you
1. Log in to https://portal.azure.com with your email account
2. Navigate to the "App Registration" page (use the searchbar)
3. Register a new "app"
   3.0 Name it "blebleble" (this is important)
   3.1 Select "Single tenant" access
4. Authentication
   4.0 Add platform: Mobile + Desktop
   4.1 Set redirect URI: http://localhost
   4.2 Advanced settings
       Allow public client flow: YES
5. API Permissions
   5.0 Microsoft Graph: (allow them all, really…)
       - email
       - offline_access
       - IMAP.AccessAsUser.All
       - POP.AccessAsUser.All
       - SMTP.Send
       - User.Read
6. Overview: copy "client" and "tenant" ID
7. Download xoauth2.py[0] (modified by me, thank you sir Perlis!)
8. Replace TENANT_ID and CLIENT_ID in the source with your own
   8.1 (Optional) edit ENCRYPTION_PIPE/DECRYPTION_PIPE
       This currently uses cat(1). Use a decent crypto tool if you
       care, like cream[1] or age
9. xoauth2 ~/.cache/o365.token -a
   9.0 OAuth2 registration: microsoft
   9.1 OAuth2 flow: localhostauthcode
   9.2 Account email address: you@coolstory.bro
   9.3 Navigate to the link
   9.4 Accept permissions

VOILÀ!

You should now be authorized to read your emails.
Use the command `xoauth2 ~/.cache/o365.token` to get your current
access token, and use it as your password.

Here is my own ~/.mbsyncrc for reference:

    IMAPAccount o365
    Host outlook.office365.com
    Port 993
    User me@coolstory.bro
    PassCmd "xoauth2 ~/.cache/o365.token"
    SSLType IMAPS
    SSLVersions TLSv1.2 TLSv1.3
    AuthMech XOAUTH2

Notes:

- For mbsync, you'll need to install the Cyrus sasl2-xoauth2 module
- The xoauth2 token is stored unencrypted on disk. Look for
  ENCRYPTION_PIPE and DECRYPTION_PIPE in xoauth2.py to handle
  encryption if you care (current encryption tool: cat(1)).

-- 
~wgs

[0]: gopher://z3bra.org/0/notes/xoauth2.py
[1]: gopher://z3bra.org/0/projects/cream.txt

20221025.1859
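
What "AuthMech XOAUTH2" does with the User value and the token printed
by PassCmd, as an added example (not part of the original post, and
not code from xoauth2.py or mbsync): the two are packed into one
base64 SASL string. The function names and the sample token are made
up for illustration; the redact helper shows how to log such a string
without leaking the bearer token.

```python
import base64


def build_xoauth2(user: str, access_token: str) -> str:
    """Return the base64 SASL XOAUTH2 initial client response."""
    for name, value in (("user", user), ("access_token", access_token)):
        # \x01 separates fields, so refuse control characters: a stray
        # newline from a PassCmd or a crafted value must not add fields.
        if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"{name} is empty or contains control characters")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(response: str) -> dict:
    """Decode a SASL XOAUTH2 string back into user and token."""
    raw = base64.b64decode(response, validate=True).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing \\x01\\x01 terminator")
    # Tokens may contain '=', so split each field only once.
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    auth = fields.get("auth", "")
    if "user" not in fields or not auth.startswith("Bearer "):
        raise ValueError("not an XOAUTH2 bearer response")
    return {"user": fields["user"], "token": auth[len("Bearer "):]}


def redact(response: str) -> str:
    """Describe a SASL string for logs without revealing the token."""
    parsed = parse_xoauth2(response)
    return f"user={parsed['user']} auth=Bearer <{len(parsed['token'])} chars redacted>"


if __name__ == "__main__":
    # Constructed sample values, not a real token.
    sasl = build_xoauth2("you@coolstory.bro", "constructed-token-not-real")
    print("AUTHENTICATE XOAUTH2", sasl)   # what goes over the TLS session
    print(redact(sasl))                   # what is safe to put in a log
```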