Outlook 5.7.3 Authentication unsuccessful #297
Thanks for the detailed report. Unfortunately I don't have capacity to troubleshoot Azure/Entra setups, but there are plenty of other guides to help you navigate the confusing process required - this was the first result for me just now, for example. Re: proxy setup, you should stick with what is in the example configuration file (i.e., not the Graph scopes). |
Thanks for your reply, I tried the method in the article you mentioned, but it doesn't work. In fact, I have tried many articles on configuring Azure/Entra and none of them work. The following is some additional information. As a personal account, there are actually no Office 365 permissions, and only Graph permissions are related to emails. I have tried turning off all the security configurations I can find, but it doesn't work. I have also tried turning off two-step authentication, or turning on two-step authentication and using app passwords, but neither works. I struggled for a long time here, but couldn't make the authentication successful. If there is still no solution, I can only give up my Outlook account and use other email providers... |
Ah, that's an important detail - if you're using a free Outlook account you'll need to reuse an OAuth client ID that has been approved by Microsoft as you're not able to approve your own (you're not the administrator). There are links in the proxy's readme to various options here. |
Thanks for the information, it helped me finally find the cause. Since you mentioned that I need to use a Microsoft approved client id, it made me curious to find out what client id Thunderbird uses. After some time of debugging using the Thunderbird Developer Tool, I found it all at OAuth2Providers.sys.mjs. The Thunderbird client id can also be found in this blog. Outlook personal accounts may not require complex Azure/Entra configurations, as Thunderbird client id can be used (interestingly, we don't need to provide client_secret when using Thunderbird client id). But when I use the Thunderbird client id, the same error appears again.
This makes me suspect that this is not the problem. I compared the authentication process of Thunderbird with email-oauth2-proxy which is exactly the same but with different results. Eventually I debugged Thunderbird with breakpoints and I discovered that the OAuthToken sent by Thunderbird was very different from the one sent by email-oauth2-proxy. The OAuthToken length sent by Thunderbird is 1585, but the length sent by email-oauth2-proxy is 3401. After I base64 decoded it, only the very beginning user=[email protected]=Bearer is the same, while the rest is very different. I tried to modify the code in SMTPOAuth2ServerConnection and replace OAuth2Helper.encode_oauth2_string(result) with the OAuthToken I got in Thunderbird. I finally saw the long-awaited 250 OK and the email was sent successfully!
I am not an email expert, but can confirm that there should be bugs in OAuth2Helper.get_oauth2_credentials or OAuth2Helper.encode_oauth2_string. Hopefully this information provided above can help you fix it. Many thanks! |
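The base64 string compared in the comment above has the SASL XOAUTH2 layout: `user=<address>`, a `\x01` byte, `auth=Bearer <access token>`, then two `\x01` bytes. As an added example (not part of this thread and not email-oauth2-proxy's own code), this sketch parses two such strings and compares them by token length and SHA-256 fingerprint, so the bearer tokens themselves never need to be pasted into a log or an issue. The address and both tokens are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib

def encode_xoauth2(user: str, access_token: str) -> str:
    """Build the base64 SASL XOAUTH2 initial client response."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def parse_xoauth2(b64_string: str) -> dict:
    """Decode an XOAUTH2 string into user and token; ValueError if malformed."""
    try:
        raw = base64.b64decode(b64_string, validate=True).decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError("not valid base64/UTF-8") from exc
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing ^A^A terminator")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {key!r}")
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if "user" not in fields or scheme != "Bearer" or not token:
        raise ValueError("expected user=... and auth=Bearer <token>")
    return {"user": fields["user"], "token": token}

def fingerprint(token: str) -> str:
    """Short SHA-256 prefix: enough to tell tokens apart, useless as a credential."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def compare(b64_a: str, b64_b: str) -> dict:
    """Compare two XOAUTH2 strings without printing either bearer token."""
    a, b = parse_xoauth2(b64_a), parse_xoauth2(b64_b)
    return {
        "same_user": a["user"] == b["user"],
        "same_token": a["token"] == b["token"],
        "token_lengths": (len(a["token"]), len(b["token"])),
        "fingerprints": (fingerprint(a["token"]), fingerprint(b["token"])),
    }

# Constructed sample values: a placeholder address and two dummy tokens.
SAMPLE_USER = "user@example.com"
FROM_CLIENT_A = encode_xoauth2(SAMPLE_USER, "A" * 1100)
FROM_CLIENT_B = encode_xoauth2(SAMPLE_USER, "B" * 2500)

if __name__ == "__main__":
    print(compare(FROM_CLIENT_A, FROM_CLIENT_B))
```

Two strings that parse cleanly with the same `user` but different tokens share the same envelope; any difference lies in the access token each client was issued.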
Have you tried |
@qianbinbin Thanks for letting me know! After I changed the SMTP server to smtp-mail.outlook.com, emails can be sent normally. I no longer need to set up the OAuthToken myself. The following is the summary for others who want to use email-oauth2-proxy to send emails from their Outlook personal account: TL;DR Use Thunderbird Client ID and use smtp-mail.outlook.com as the SMTP server. |
Cheers! For others who want a quick setup for personal Outlook on macOS (in Chinese): https://qianbinbin.github.io/posts/oauth-2.0-proxy-for-email-client/ |
I have a similar problem as you betacatgo, but I don't want to send e-mails, just read the email folders. So I guess I am stuck with IMAP instead of SMTP. Is there a way to apply a similar solution as yours, but with IMAP servers? My current config: permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize |
I managed to get it to work! After almost a month! Thank you very much qianbinbin for your tutorial. My final config file is
[[email protected]]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access
client_id = 9e5f94bc-e8a4-4e73-b8be-63364c29d753
redirect_uri = https://localhost:7598 |
Congratulations! @filipe3x Yes, most tutorials tell us to create Azure app, but that makes everything complicated and doesn't work. Actually we just need to simply use the Thunderbird Client ID and then everything works fine. |
I'm glad you got things working – thanks for following up. As I mentioned above in my second response, the fact that a personal (i.e., free) account is the one you were trying to use here is a crucial factor. Unlike Gmail, where any client can be configured to access the account, Microsoft's process requires administrator approval, and since you are not the administrator of Outlook.com you cannot add new Azure/Entra clients, so must adopt the ID from an existing client. Thunderbird is the most obvious option here. In the rest of the discussion in this issue there are a lot of other misconceptions or incorrect assumptions. I'll try to clear a few of them up here. First and foremost – all of the attempts to try different scopes, servers or other parameters in the proxy's configuration file are often the source of the problem in the first place. The default configuration is rarely at fault, and trying random values here will just create another problem that stops the proxy working. Edit: In 31eac06 I've updated the example configuration file and readme to explicitly mention free Outlook.com (and Hotmail) accounts. Turning to the other points:
I think you're making this assumption because Thunderbird's token is a different length to the one obtained by the proxy? That's an incorrect assumption, and not the cause of your issue.
This will work, but not for long. Unlike a standard username/password login, OAuth 2.0 is based on a token that is periodically refreshed. So, once the token you've copied from Thunderbird expires, the proxy will stop working for you again.
This is the standard configuration as found in the example configuration file. Don't change it!
Thanks for adding documentation in Chinese. The "its documentation is not really written for humans" bit made me laugh! Just a few minor points: while what you've written about sent emails being duplicated is correct, this can often be disabled in the email client itself (e.g., in Thunderbird, turn off 'Place a copy in "Sent" Folder' in the Copies & Folders tab of the account's settings). If you can't do this, the plugin-enabled version of the proxy has a helper for this. Similarly, while the autostart configuration you've listed will work, if you use the GUI version of the proxy this can be managed automatically for you. Finally, another issue not mentioned here, but previously raised in connection to free Outlook.com accounts: the error |
Thank you @simonrob for your brilliant work. I mean the documentation is a little bit confusing. Microsoft uses different servers for Office 365 and personal users, and the domains are just misleading. However, many sections of the document describe the configuration of Office 365 accounts, but only provide the SMTP configuration for free accounts. And in the It would be more convenient if there're some typical templates, e.g. The plugin-enabled version looks awesome. It would be great if we could install it by |
Thanks for the feedback – this is useful. I'll try to clarify about O365 vs. free/personal accounts. Re: SMTP configuration – this is the same for both paid and free accounts. And re: accounts, there's currently an example for both O365 and personal accounts. I could perhaps make this clearer by linking directly to examples from the readme. The plugins version is currently only available by installing manually I'm afraid. This is because the architecture of the proxy makes it quite difficult (perhaps not possible) to achieve in the flexible manner that it currently works. But I'm happy to look at this again if there's significant interest in this version. If you've already got the proxy installed via |
910c393 adds more references to Outlook to hopefully make it clearer that the O365 section is meant to cover this too. I've also added an explicit note in the servers to clarify that these are for both O365 and Outlook/Hotmail. |
Since Microsoft no longer allows basic authentication after September 16th, 2024 (app passwords don't work either), I could no longer use git-send-email to send patches through my Outlook personal account, and then I found this project.
5.7.3 Authentication unsuccessful [LO4P123CA0207.GBRP123.PROD.OUTLOOK.COM 2024-10-10T21:50:33.251Z 08DCE9686F3D146F]
After a long time of struggling with the configuration, I am still stuck on this error and I think I need some help.
Above is the failed debug information that frustrates me.
Above is my gitconfig.
Above is my emailproxy.config
I can already get the token_salt, access_token, refresh_token, but the authentication is still unsuccessful.
Above are all my configurations in Azure.
I have completed the permission acceptance and can show OAuth 2.0 proxy successfully.
I am sure that SMTP is not disabled in my Outlook as I can use Thunderbird to send emails successfully.
I have tried changing smtp.office365.com to smtp-mail.outlook.com, https://outlook.office.com/SMTP.Send to https://graph.microsoft.com/SMTP.Send, offline_access to https://graph.microsoft.com/offline_access and Web application to SPA application, but none of them work.
I have tried everything I can think of.
If anyone can help me I would be very grateful.
This is important to me.
Many thanks!