
Outlook client ID

Open marco-brandizi opened this issue 1 year ago • 7 comments

#71 shows an authentication method that could be used with corporate MS accounts that are behind the (techno-fascist) InTune.

Until today, it was possible to tell DavMail the client ID and redirect URI that identify the Outlook Web App. This used to work as a means to bridge Thunderbird and corporate O365 accounts that are under this form of digital authoritarianism.

However, today the method stopped working: the login dialog that DavMail sends me ends with "your app is not approved". Is there a new client ID for this? Is there some other workaround?

Thanks in advance.

marco-brandizi avatar Feb 13 '24 00:02 marco-brandizi

Fwiw, using the Outlook client ID and redirect URI in Davmail is still working for me. Therefore I'd say that neither value has changed from what's quoted in #71. I don't know if it makes a difference, but I use the O365Interactive Exchange protocol to connect to my corporate account.

s-p-turner avatar Feb 13 '24 08:02 s-p-turner

Thanks @s-p-turner . Some more investigation:

  • I suspect some b**@*x!*d has disabled all browsers except Safari (I'm on a Mac): when I 'Open' the auth link from the DavMail Manual Authentication pop-up, Chrome replies that I should enroll my device into InTune; when I 'Copy' from the DavMail pop-up and paste it in Safari, I can get on with the usual authentication dialogue.
  • However, even in Safari, at the end I get the usual window saying "Are you trying to sign in to Microsoft Office?", and when I click 'Continue', Safari replies with a pop-up saying: "Safari cannot open the page because the address is invalid".
  • When I could use Chrome, after 'Continue' at the same step, I got a stuck page, but with the JavaScript console saying something like "Can't open the address urn:ietf:wg:oauth... because the scheme isn't supported". That URN reported by the log message was the one to be put back in the DavMail pop-up. My understanding is that Safari isn't equally geek-friendly.

Any idea how to fix it?

marco-brandizi avatar Feb 13 '24 10:02 marco-brandizi

> Any idea how to fix it?

Sorry - no idea. I'm only an end user of Davmail.

> I suspect some b**@*x!*d has disabled all browsers except Safari (I'm on a Mac)

Fwiw I use Firefox on Windows.

s-p-turner avatar Feb 13 '24 11:02 s-p-turner

Thanks, FF does the same as Safari (guess that, at least, they're allowing Firefox too).

marco-brandizi avatar Feb 13 '24 11:02 marco-brandizi

Bingo! Reporting my solution, possibly useful to other victims of this filthy techno-fascism:

  • In FF, open Tools -> Browser Tools -> Web Developer Tools; a box opens at the bottom, select the 'Network' tab.
  • In DavMail Manual Authenticate, 'Copy' the URL for the auth challenge and open it in FF (pop-ups that have been waiting for too long won't work, so make DavMail trigger the box from your email client).
  • In FF, proceed until the page "Are you trying to use MS Office" (MS Office, my a**e!); in the 'Network' log, you should see an entry about login.microsoftonline.com, select it and select the 'Headers' tab in the right-hand box.
  • Now you should see the 'Location' response header, containing something like urn:ietf:wg:oauth:2.0:oob?code=***; right-click on it and select 'Copy Value', paste it back into the DavMail Manual Authenticate box and click on 'Send'. Now your email client should work fine.

It's obscene that I have to go through all this pain, just because a bunch of capitalist sharks think that it's secure to dictate what apps the users should use for their work, but that's it; hope it will be useful.

marco-brandizi avatar Feb 13 '24 11:02 marco-brandizi

@marco-brandizi it seems that dev tools are named Web Inspector in Safari, with similar features to Firefox and Chrome:

https://developer.apple.com/safari/tools/

mguessan avatar Feb 21 '24 16:02 mguessan

As an addition, in order to validate that the code you obtain is correct, you can do a test completely outside DavMail:

  • extract the code from the urn: URL, making sure you don't include additional parameters after '&'
  • call the token endpoint with curl:

```shell
curl -d "grant_type=authorization_code&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&redirect_uri=urn:ietf:wg:oauth:2.0:oob&code=0......." -H "Content-Type: application/x-www-form-urlencoded" -X POST https://login.microsoftonline.com/common/oauth2/token
```

mguessan avatar Feb 21 '24 16:02 mguessan
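The two steps above (pulling the code out of the copied `Location` header value without the trailing `&session_state=...` parameters, then exchanging it at the token endpoint exactly as the curl command does) can be scripted so the pasted value is checked before it goes into the DavMail box. The following is an added example, not DavMail's code and not part of the thread; the client ID, redirect URI and token endpoint are the ones quoted above, and the function names (`extract_auth_code`, `build_token_request`, `parse_token_response`, `redeem_code`) and the sample values are constructed for the example. It also handles the case the curl test does not show, where Entra ID returns an `error` instead of a `code` in the redirect.

```python
"""Validate an authorization code copied from the Firefox 'Location' header
before handing it to DavMail.  Added example; not DavMail's own code."""
import json
import sys
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Values quoted in this thread: the public Microsoft Office client ID,
# the out-of-band redirect URI and the v1 token endpoint.
CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"


def extract_auth_code(location):
    """Return the authorization code from a Location header value such as
    'urn:ietf:wg:oauth:2.0:oob?code=...&session_state=...'.
    Only the 'code' value is returned; anything after '&' is dropped."""
    location = location.strip()  # 'Copy Value' may carry surrounding whitespace
    target, sep, query = location.partition("?")
    if target != REDIRECT_URI or not sep:
        raise ValueError("not a redirect to the expected out-of-band URI")
    params = parse_qs(query, keep_blank_values=True)  # also percent-decodes
    if "error" in params:
        # A refused sign-in comes back here as error=... instead of code=...
        desc = params.get("error_description", ["(no description)"])[0]
        raise ValueError(f"authorization failed: {params['error'][0]}: {desc}")
    codes = params.get("code")
    if not codes or not codes[0]:
        raise ValueError("redirect carries no authorization code")
    return codes[0]


def build_token_request(code):
    """Build the same POST the curl command sends, as (url, headers, body)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body


def parse_token_response(text):
    """Interpret the token endpoint's JSON reply.  Returns only the token type
    and lifetime (never the token itself, so nothing secret ends up in a log)
    and raises with the service's own error text on failure."""
    reply = json.loads(text)
    if "error" in reply:
        raise RuntimeError(f"{reply['error']}: {reply.get('error_description', '')}")
    if "access_token" not in reply:
        raise RuntimeError("reply carries neither a token nor an error")
    return {"token_type": reply.get("token_type"),
            "expires_in": int(reply.get("expires_in", 0))}


def redeem_code(location):
    """End-to-end check: parse the pasted Location value and exchange the code
    (one network round trip to login.microsoftonline.com)."""
    url, headers, body = build_token_request(extract_auth_code(location))
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.read().decode())
    except HTTPError as exc:  # a 400 reply still carries the JSON error body
        return parse_token_response(exc.read().decode())


if __name__ == "__main__":
    # Usage: paste the copied 'Location' value on stdin.
    info = redeem_code(sys.stdin.readline())
    print(f"code accepted: {info['token_type']} token valid for {info['expires_in']} s")
```

A code is single-use: once this script has redeemed it, the same value will be refused by DavMail, so in practice run the check on a code you are willing to burn, then repeat the Firefox steps to obtain a fresh one for DavMail.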

Closing this as we answered the initial question.

For Windows users I implemented a PowerShell script based on WebView2 to obtain a token on Entra ID joined workstations, available at: https://github.com/mguessan/o365psauth Just fetch the source code zip, nothing to compile.

The script can work with interactive authentication or based on the existing user session with the -SSO option.

mguessan avatar Mar 22 '24 09:03 mguessan