Email integration should support OAuth2.0 authentication
Current Behavior
Request: Our organization relies on Dependency-Track for automated notifications via email. Currently, Dependency-Track only supports basic SMTP authentication (username and password). Due to Microsoft’s announcement to deprecate Basic Authentication for SMTP in September 2025, we are required to migrate to more secure/documented mail authentication methods—specifically OAuth 2.0 (modern authentication).

Questions:
- Is there any native or planned support for OAuth 2.0 SMTP authentication in Dependency-Track?
- If not, are there any recommended workarounds or community-vetted solutions for securely integrating Dependency-Track’s SMTP notifications with Microsoft 365 or other providers that enforce OAuth 2.0?
- Are there plans on the roadmap to implement native OAuth 2.0 support for SMTP in future releases?
Proposed Behavior
Dependency-Track should natively support SMTP authentication using OAuth 2.0 (modern authentication). This would enable secure integration with Microsoft 365/Exchange Online and other providers who require OAuth 2.0 for SMTP, ensuring continued email notification delivery after the deprecation of basic authentication. Ideally, administrators should be able to configure OAuth 2.0 credentials (client ID, client secret, token endpoint, etc.) directly within the Dependency-Track SMTP notification settings.
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this enhancement was already requested
I am trying to deploy Dependency-Track as a Docker container. Is it possible to enable email and configure the SMTP details via Chef? Do we have the config environment variables? I don't see any documentation on enabling and configuring email via environment variables of the Docker container.
I found a few variables, as below:
ALPINE_MAIL_ENABLED=TRUE
but using this never enabled email in Dependency-Track.
For reference, here's Microsoft's announcement: https://techcommunity.microsoft.com/blog/exchange/exchange-online-to-retire-basic-auth-for-client-submission-smtp-auth/4114750
And here is the relevant documentation: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
The email client we use is Eclipse Angus. The documentation to use OAuth2 with it is here: https://eclipse-ee4j.github.io/angus-mail/OAuth2
The relevant code that needs adjustment is here:
- https://github.com/stevespringett/Alpine/blob/0a52714eccf8ba31867bf10ea3f7586e781d0143/alpine-server/src/main/java/alpine/server/mail/SendMail.java
- https://github.com/DependencyTrack/dependency-track/blob/07316d9b82e4c8e8fa68d2103540154665d2b820/src/main/java/org/dependencytrack/notification/publisher/SendMailPublisher.java
I really hope this can be implemented in a generic way, without special treatment for Microsoft. Also, testing this will be interesting.
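One provider-neutral way the requested behaviour could look with Jakarta Mail (Eclipse Angus), shown as an added example that is not code from Alpine or Dependency-Track. It assumes the provider issues tokens through the OAuth 2.0 client-credentials grant and accepts SASL XOAUTH2 on SMTP; the class, method and parameter names are hypothetical.

```java
import jakarta.mail.*;
import jakarta.mail.internet.*;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.regex.*;
// Added example; class, method and parameter names are hypothetical.
public class OAuth2SmtpExample {
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    // OAuth 2.0 client-credentials grant against a configurable token endpoint.
    static String fetchAccessToken(String tokenEndpoint, String clientId,
                                   String clientSecret, String scope) throws Exception {
        String form = "grant_type=client_credentials&client_id=" + enc(clientId)
                + "&client_secret=" + enc(clientSecret) + "&scope=" + enc(scope);
        HttpRequest req = HttpRequest.newBuilder(URI.create(tokenEndpoint))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> res = HttpClient.newHttpClient()
                .send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) // report the status only, never the secret or body
            throw new IllegalStateException("Token request failed: HTTP " + res.statusCode());
        // Regex extraction keeps the example dependency-free; assumes an unescaped token value.
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(res.body());
        if (!m.find()) throw new IllegalStateException("No access_token in token response");
        return m.group(1);
    }

    // Sends one message, authenticating with SASL XOAUTH2: the token replaces the password.
    static void send(String host, int port, String user, String accessToken,
                     String to, String subject, String body) throws Exception {
        Properties props = new Properties();
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true"); // fail rather than send the token in clear
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.auth.mechanisms", "XOAUTH2"); // only XOAUTH2 is considered
        Session session = Session.getInstance(props);
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress(user));
        msg.setRecipient(Message.RecipientType.TO, new InternetAddress(to));
        msg.setSubject(subject);
        msg.setText(body);
        msg.saveChanges();
        try (Transport t = session.getTransport("smtp")) {
            t.connect(host, port, user, accessToken);
            t.sendMessage(msg, msg.getAllRecipients());
        }
    }
}
```

Access tokens expire, so a caller would fetch or refresh one before each connection rather than storing it the way a static SMTP password is stored.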