Does not handle Microsoft OAuth error
Steps to reproduce
- Set up app registration in Azure AD as described in the manual
- Instead of setting the supported account types to multi-tenant + personal accounts, select single tenant
- Configure the client ID and secret in the Groupware settings
- Try to connect a new mail account that uses this Microsoft 365 app
- Fill in the correct credentials in the OAuth pop-up and allow the app access
Expected behavior
After logging in, the error that the app is misconfigured should be handled instead of creating a non-functional account.
Actual behavior
Account setup fails. The error logs contain the error message
OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113
So, the account was created without valid credentials.
Mail app version
3.5.7
Mailserver or service
Microsoft 365
Operating system
Debian GNU/Linux 12 (bookworm)
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database
PostgreSQL
Additional info
When the OAuth flow redirects after going through the pop-up, the returned error (information) is not handled, thus account creation is not blocked/cancelled. The redirect URL is as follows:
W.X.Y.Z - - [09/Apr/2024:11:44:40 +0200] "GET /apps/mail/integration/microsoft-auth?error=invalid_request&error_description=AADSTS50194%3a+Application+%27[...]+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27.+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant.[...]
Nextcloud log entries of the error
{
"reqId": "2obomk7psF2hURvNwOc1",
"level": 3,
"time": "2024-04-09T08:55:56+00:00",
"remoteAddr": "[...]",
"user": "[...]",
"app": "mail",
"method": "GET",
"url": "/apps/mail/api/mailboxes?accountId=3",
"message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113",
"userAgent": "[...]",
"version": "28.0.4.1",
"exception": {
"Exception": "Exception",
"Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112 in file '/var/www/html/lib/private/Security/Crypto.php' line 113",
"Code": 0,
"Trace": [
{
"file": "/var/www/html/lib/private/AppFramework/App.php",
"line": 184,
"function": "dispatch",
"class": "OC\\AppFramework\\Http\\Dispatcher",
"type": "->",
"args": [
[
"OCA\\Mail\\Controller\\MailboxesController"
],
"index"
]
},
{
"file": "/var/www/html/lib/private/Route/Router.php",
"line": 315,
"function": "main",
"class": "OC\\AppFramework\\App",
"type": "::",
"args": [
"OCA\\Mail\\Controller\\MailboxesController",
"index",
[
"OC\\AppFramework\\DependencyInjection\\DIContainer"
],
[
"mail.mailboxes.index"
]
]
},
{
"file": "/var/www/html/lib/base.php",
"line": 1069,
"function": "match",
"class": "OC\\Route\\Router",
"type": "->",
"args": [
"/apps/mail/api/mailboxes"
]
},
{
"file": "/var/www/html/index.php",
"line": 39,
"function": "handleRequest",
"class": "OC",
"type": "::",
"args": []
}
],
"File": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
"Line": 169,
"Previous": {
"Exception": "TypeError",
"Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112",
"Code": 0,
"Trace": [
{
"file": "/var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php",
"line": 112,
"function": "decrypt",
"class": "OC\\Security\\Crypto",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/custom_apps/:",
"line": 39,
"function": "handleRequest",
"class": "OC",
"type": "::",
"args": []
}
],
"File": "/var/www/html/apps/text/lib/Service/DocumentService.php",
"Line": 501,
"message": "No permission to access this file",
"exception": {},
"CustomMessage": "No permission to access this file"
}
}
}
{
"reqId": "JWjfvreE1UDOj7eqnc8E",
"level": 3,
"time": "2024-04-09T08:59:11+00:00",
"remoteAddr": "[...]",
"user": "[...]",
"app": "mail",
"method": "GET",
"url": "/apps/mail/",
"message": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112",
"userAgent": "[...]",
"version": "28.0.4.1",
"exception": {
"Exception": "TypeError",
"Message": "OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112",
"Code": 0,
"Trace": [
{
"file": "/var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php",
"line": 112,
"function": "decrypt",
"class": "OC\\Security\\Crypto",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/custom_apps/mail/lib/IMAP/MailboxSync.php",
"line": 103,
"function": "getClient",
"class": "OCA\\Mail\\IMAP\\IMAPClientFactory",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/custom_apps/mail/lib/Service/MailManager.php",
"line": 148,
"function": "sync",
"class": "OCA\\Mail\\IMAP\\MailboxSync",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/custom_apps/mail/lib/Controller/PageController.php",
"line": 160,
"function": "getMailboxes",
"class": "OCA\\Mail\\Service\\MailManager",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
"line": 230,
"function": "index",
"class": "OCA\\Mail\\Controller\\PageController",
"type": "->",
"args": []
},
{
"file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
"line": 137,
"function": "executeController",
"class": "OC\\AppFramework\\Http\\Dispatcher",
"type": "->",
"args": [
[
"OCA\\Mail\\Controller\\PageController"
],
"index"
]
},
{
"file": "/var/www/html/lib/private/AppFramework/App.php",
"line": 184,
"function": "dispatch",
"class": "OC\\AppFramework\\Http\\Dispatcher",
"type": "->",
"args": [
[
"OCA\\Mail\\Controller\\PageController"
],
"index"
]
},
{
"file": "/var/www/html/lib/private/Route/Router.php",
"line": 315,
"function": "main",
"class": "OC\\AppFramework\\App",
"type": "::",
"args": [
"OCA\\Mail\\Controller\\PageController",
"index",
[
"OC\\AppFramework\\DependencyInjection\\DIContainer"
],
[
"mail.page.index"
]
]
},
{
"file": "/var/www/html/lib/base.php",
"line": 1069,
"function": "match",
"class": "OC\\Route\\Router",
"type": "->",
"args": [
"/apps/mail/"
]
},
{
"file": "/var/www/html/index.php",
"line": 39,
"function": "handleRequest",
"class": "OC",
"type": "::",
"args": []
}
],
"File": "/var/www/html/lib/private/Security/Crypto.php",
"Line": 113,
"message": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112",
"exception": {},
"CustomMessage": "Could not load account mailboxes: OC\\Security\\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 112"
}
}
Could you please share the full error entry from nextcloud.log?
I was planning to, but I forgot. I have amended it at the end of the original issue description.
The error also feels not very relevant because in my opinion one should not be able to get this far, i.e. to the mail app with the account created.
You have posted the access log entry. Please find the entry in nextcloud.log that says "Argument #1 ($authenticatedCiphertext) must be of type string, null given".
I guess, I forgot to press the "Update" button? Now it has been appended for real. Sorry!
The account is created without an access token, then the decryption fails on a null value. The initial access token is assigned in \OCA\Mail\Integration\MicrosoftIntegration::finishConnect. I see that a possible error is just logged but not handled otherwise. Check your log for "Could not link Microsoft account" too please.
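The two failure points named in this thread, the callback coming back with `error`/`error_description` instead of `code`, and an account row being written before any token exists so that a later `decrypt()` runs on null, as an added Python illustration. This is not Nextcloud Mail's code: `AccountStore`, `fake_exchange`, `decrypt_token` and the shortened callback URLs are constructed stand-ins, and `finish_connect_lenient` only models the reported behaviour next to a fail-closed `finish_connect_strict`.

```python
"""OAuth 2.0 authorization-code callback handling: fail closed on error responses.

Added illustration, not Nextcloud Mail code. A provider that cannot authorize
redirects back with `error` (+ `error_description`) instead of `code`
(RFC 6749 section 4.1.2.1); a connect step that only logs that and still
persists an account leaves a row with no token behind.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


class OAuthCallbackError(Exception):
    """Raised when the redirect does not carry a usable authorization code."""


@dataclass
class AccountStore:
    """Constructed stand-in for the mail-account table."""
    accounts: List[Dict[str, Optional[str]]] = field(default_factory=list)

    def save(self, email: str, access_token: Optional[str]) -> None:
        self.accounts.append({"email": email, "access_token": access_token})


def _first(params: Dict[str, List[str]], key: str) -> Optional[str]:
    values = params.get(key)
    return values[0] if values else None


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Return the authorization code, or raise if the callback is an error response."""
    params = parse_qs(urlsplit(redirect_url).query)
    error = _first(params, "error")
    if error is not None:
        # Error response: surface it to the user instead of treating it as success.
        description = _first(params, "error_description") or ""
        raise OAuthCallbackError(f"{error}: {description}".rstrip(": "))
    # `state` ties the callback to the flow this user started (CSRF protection).
    if _first(params, "state") != expected_state:
        raise OAuthCallbackError("state mismatch: callback does not belong to this connect flow")
    code = _first(params, "code")
    if not code:
        raise OAuthCallbackError("callback carried neither an error nor an authorization code")
    return code


def finish_connect_lenient(redirect_url: str, expected_state: str,
                           exchange_code: Callable[[str], str],
                           store: AccountStore, log: List[str]) -> Optional[str]:
    """Models the reported behaviour: the error is logged, the account is saved anyway."""
    access_token: Optional[str] = None
    try:
        access_token = exchange_code(parse_callback(redirect_url, expected_state))
    except OAuthCallbackError as exc:
        log.append(f"Could not link Microsoft account: {exc}")
    store.save("user@example.test", access_token)  # persisted with access_token=None
    return access_token


def finish_connect_strict(redirect_url: str, expected_state: str,
                          exchange_code: Callable[[str], str],
                          store: AccountStore) -> str:
    """Fail-closed variant: nothing is persisted unless a token was actually obtained."""
    access_token = exchange_code(parse_callback(redirect_url, expected_state))
    if not access_token:
        raise OAuthCallbackError("token exchange returned no access token")
    store.save("user@example.test", access_token)
    return access_token


def decrypt_token(ciphertext: Optional[str]) -> str:
    """Constructed stand-in for a decrypt() typed to accept only str, as in the log."""
    if not isinstance(ciphertext, str):
        raise TypeError("decrypt(): argument must be of type string, None given")
    return ciphertext[len("enc:"):] if ciphertext.startswith("enc:") else ciphertext


def fake_exchange(code: str) -> str:
    """Constructed stand-in for the token-endpoint call; returns an 'encrypted' blob."""
    return "enc:token-for-" + code


# Constructed callback URLs, shortened from the shape shown in the issue.
STATE = "abc123"
ERROR_CALLBACK = (
    "/apps/mail/integration/microsoft-auth?error=invalid_request"
    "&error_description=AADSTS50194%3a+Application+is+not+configured+as+a+multi-tenant+application."
    "&state=abc123"
)
OK_CALLBACK = "/apps/mail/integration/microsoft-auth?code=AUTHCODE&state=abc123"


if __name__ == "__main__":
    log, store = [], AccountStore()
    finish_connect_lenient(ERROR_CALLBACK, STATE, fake_exchange, store, log)
    print(log[0])
    try:
        decrypt_token(store.accounts[0]["access_token"])
    except TypeError as exc:
        print("later IMAP client creation fails:", exc)
    strict_store = AccountStore()
    try:
        finish_connect_strict(ERROR_CALLBACK, STATE, fake_exchange, strict_store)
    except OAuthCallbackError as exc:
        print("strict:", exc, "| accounts persisted:", len(strict_store.accounts))
```

Running the lenient path reproduces the sequence in the thread: one "Could not link Microsoft account" log line, an account row with no token, and a `TypeError` the first time the stored value is decrypted. The strict path raises at the callback and leaves the store empty, which is the behaviour the issue asks for.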
There is only one error before it. I have prepended it above. There is nothing about "Could not link Microsoft account" or something similar.
There are just a few warnings/errors during the autoconfiguration, like:
{
"reqId": "V2TIdZFafbfp3A24Cu7T",
"level": 3,
"time": "2024-04-09T08:53:33+00:00",
"remoteAddr": "[...]",
"user": "[...]",
"app": "PHP",
"method": "GET",
"url": "/apps/mail/api/autoconfig/ispdb/[...]/[...]",
"message": "dns_get_record(): A temporary server error occurred. at /var/www/html/lib/private/Http/Client/DnsPinMiddleware.php#111",
"userAgent": "[...]",
"version": "28.0.4.1",
"data": {
"app": "PHP"
}
}
and then what is in the OP.