Can't connect to Microsoft Exchange Server oAuth IMAP: NO AUTHENTICATE failed #207

Closed
freescout-helpdesk opened this issue Mar 1, 2022 · 6 comments

@freescout-helpdesk
Contributor

freescout-helpdesk commented Mar 1, 2022

This is similar to #81

We are having trouble authenticating to Microsoft Exchange Server. Scope is https://outlook.office.com/IMAP.AccessAsUser.All


>> TAG1 AUTHENTICATE XOAUTH2 dXNlcj1...
<< NO AUTHENTICATE failed.

got failure response: NO AUTHENTICATE failed.

>> TAG2 LOGOUT
<< BYE Microsoft Exchange Server IMAP4 server signing off.

<< OK LOGOUT completed.

What can be wrong?

@freescout-helpdesk
Contributor Author

freescout-helpdesk commented Mar 3, 2022

The Microsoft Exchange user has a Mail license.

IMAP config:

	'host'          => 'outlook.office365.com',
	'port'          => '993',
	'encryption'    => 'ssl',
	'validate_cert' => true,
	'username'      => '[email protected]',
	'password'      => 'AccessToken',
	'protocol'      => 'imap',
	'authentication' => 'oauth',

"openssl s_client -crlf -connect outlook.office365.com:993" shows the same error:

NO AUTHENTICATE failed.
TAG2 LOGOUT
BYE Microsoft Exchange Server IMAP4 server signing
OK LOGOUT completed.

@HelloSebastian
Contributor

I am not currently using Microsoft Exchange, however perhaps this could help:

According to Microsoft's documentation, the URL must be

https://outlook.office.com/IMAP.AccessAsUser.All

see here

In the authenticate($user, $token) method in ImapProtocol the authorization parameters are formed like this:

$authenticateParams = ['XOAUTH2', base64_encode("user=$user\1auth=Bearer $token\1\1")];

What do the \1 mean?
According to the documentation, these are not given, but ^A

base64("user=" + userName + "^Aauth=Bearer " + accessToken + "^A^A")

see here
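
The question above turns on how the XOAUTH2 string is delimited. As an added example (not code from php-imap or from any commenter; the function names and the sample token are constructed for illustration), this PHP script shows that "\1" in a double-quoted string is the byte 0x01 that the documentation writes as ^A, and decodes an initial response to inspect its fields without exposing the bearer token. It assumes the access token is a JWT.

```php
<?php
// Added example; not code from webklex/php-imap. Function names are hypothetical.

/** Build the XOAUTH2 initial response: base64("user=" u ^A "auth=Bearer " t ^A ^A). */
function xoauth2_encode(string $user, string $token): string
{
    // "\1" in a double-quoted PHP string is an octal escape for the byte 0x01 (Ctrl-A).
    return base64_encode("user=$user\1auth=Bearer $token\1\1");
}

/** Decode an initial response and describe it without returning the token itself. */
function xoauth2_inspect(string $b64): array
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        throw new InvalidArgumentException('argument is not valid base64');
    }
    $re = '/\Auser=([^\x01]*)\x01auth=Bearer ([^\x01]*)\x01\x01\z/';
    if (!preg_match($re, $raw, $m)) {
        throw new InvalidArgumentException('fields are not delimited by 0x01 bytes');
    }
    $info = ['user' => $m[1], 'token_length' => strlen($m[2]), 'claims' => null];

    // Assumption: the token is a JWT (three dot-separated base64url parts).
    $parts = explode('.', $m[2]);
    if (count($parts) === 3) {
        $claims = json_decode((string) base64_decode(strtr($parts[1], '-_', '+/')), true);
        if (is_array($claims)) {
            // Keep only claims useful for diagnosis: audience, scopes, tenant, expiry.
            $keep = array_flip(['aud', 'scp', 'tid', 'exp']);
            $info['claims'] = array_intersect_key($claims, $keep);
        }
    }
    return $info;
}

// Constructed sample: an unsigned token with made-up claim values, not a real credential.
$b64url = fn(array $a): string => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
$claims = ['aud' => 'https://outlook.office.com', 'scp' => 'IMAP.AccessAsUser.All', 'exp' => 1646158245];
$token  = $b64url(['alg' => 'none']) . '.' . $b64url($claims) . '.constructed';

$response = xoauth2_encode('user@example.com', $token);
var_dump("\1" === chr(1));                        // PHP's "\1" is the documented ^A
var_dump(strncmp($response, 'dXNlcj1', 7) === 0); // same prefix as the logged command
print_r(xoauth2_inspect($response));
```

The base64 argument logged after AUTHENTICATE XOAUTH2 decodes to the bearer token, so debug output of this exchange should be truncated or redacted before it is shared.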

@Webklex
Owner

Webklex commented Mar 3, 2022

Hi @freescout-helpdesk ,
thanks for this question; please take a look at the documentation https://www.php-imap.com/examples/oauth @EthraZa has provided.

I hope this helps :)

P.S.: I've sent you an email a few months ago and never heard back - the offer still stands :)

Best regards,
Webklex

@freescout-helpdesk changed the title from "Can't connect to Microsoft Exchange Server oAuth IMAP" to "Can't connect to Microsoft Exchange Server oAuth IMAP: NO AUTHENTICATE failed" on Mar 4, 2022

@freescout-helpdesk
Contributor Author

Apparently the problem is with the URL we are using to get the Access Token. This one https://login.microsoftonline.com/common/oauth2/v2.0/authorize from the documentation does not work:

unauthorized_client: The client does not exist or is not enabled for consumer

While https://login.windows.net/common/oauth2/authorize works fine, but the received Access Token results in a NO AUTHENTICATE failed. response from IMAP.

@freescout-helpdesk
Contributor Author

freescout-helpdesk commented Mar 9, 2022

We were using the common endpoint and this was the error message:

Application 'redacted' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant

Going in the app settings in Azure to "Authentication >> Supported account types" and selecting "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" fixed the issue.

@Webklex
Owner

Webklex commented Mar 9, 2022

Hi @freescout-helpdesk ,
if you don't want to use a multi tenant app, you can use the AD-app id as tenant instead of common.

Best regards,
