* Edited on 11/28/2022 to update some items and make some corrections.
I prefer reading email in Emacs with mu4e. My password authentication recently stopped working for sending and receiving email. After several hours of trial and error and putting together different web search results, I have it working again.
The crux of the matter is that Outlook 365 no longer accepts a username and password to log in and now requires an OAUTH2 token. There are explanations on the web about how and why this changed, but I haven’t read them.
Here’s an outline of what I did:
- I started by installing oauth2ms.
- I needed to install it on my Debian unstable system.
- Rather than installing the Python packages via pip, I installed the following packages via the Debian package manager: python3-pyxdg, python3-msal, python3-gnupg. Note that you also need a working gnupg.
- To test, I ran the pip command and the messages confirmed the packages were already present.
- Then you copy oauth2ms to a directory in your $PATH.
- oauth2ms needs a persistent environment variable pointing to the XDG config directory. On my machine, that is $HOME/.config. I put
XDG_CONFIG_HOME=$HOME/.config
in my .profile and then in my .xsessionrc, but it did not show up as defined in my xterm. So I finally put it in .bashrc, and there it does. I read the Debian documentation about where to put it, but clearly I’m missing something, because my understanding is that .profile is where it belongs.
- Next, I created an “Azure Active Directory App” for mbsync (and msmtp, but it turns out I don’t need it yet). For this, I followed instructions, as I am completely unfamiliar with Azure and other MS software and platforms.
- The instructions I followed were:
- https://github.com/harishkrupo/oauth2ms/blob/main/steps.org
- https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
- https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
- https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url
- https://docs.microsoft.com/en-us/azure/active-directory/develop/identity-platform-integration-checklist#security
- A challenge for me in doing this was that I am unfamiliar with much of the language in the MS docs.
- A catch occurred during the Azure App registration. You create an Authentication procedure, and therein you specify what kind of app you need to authenticate. I thought it was a desktop app, because I’m working on a desktop. However, it turned out to need to be a Web app, as someone on Stack Exchange discovered.
- When you create a secret key for your app, you need to save the value of the key immediately. The documents say you will never be able to see it again.
- Also, the redirect URI should not end in a trailing slash (/). Following the instructions in the oauth2ms steps.org file, I used https://localhost:portnumber/getToken. One does include the trailing slash in the config.json file needed next.
- The steps.org document also lists permissions to add, which I did.
- I saw references on the web to using another, already available authentication app, like Thunderbird’s, but I didn’t try to figure that out (yet).
- While creating the Azure app, I also filled in the skeleton of the oauth2ms config.json file.
- The CLIENT_ID and TENANT_ID values are available on the Overview for the Azure app you created.
- The CLIENT_SECRET is the value of the secret key you created and saved.
- Because this is theoretically important, I changed the file mode of config.json to be owner-only readable and writeable (chmod go-r). However, it is stored in clear text. Perhaps down the road, I’ll find a way to use gnupg to encrypt and decrypt the file, so it is stored securely. This is done in the mutt instructions for Outlook and OAUTH2, so I assume it is readily done here too.
- I believe at this point, running oauth2ms at the command prompt should work. I got errors several times, leading to the above list of reading and steps, but eventually, I got a very long string of characters with no error messages.
- For mbsync to work, one needs the SASL XOAUTH2 authentication plugin. The steps.org file points to it. ADDED 11/28: There is a Debian package (at least in unstable) with an XOAUTH2 mechanism. It is called libsasl2-modules-kdexoauth2.
- You do have to build this from source, using autogen, configure, and make.
- The problem in this step is that on Debian SASL plugins are stored in /usr/lib/x86_64-linux-gnu, whereas the source code puts it in /usr/lib. This didn’t work and OAUTH2 was not an available authentication method.
- As pointed out in this Stack Exchange post, I had to edit the Makefile to install to the right place. I tried using
./configure -libdir=/usr/lib/x86_64-linux-gnu/
but it didn’t work, so I am missing something. Specifically, it was the pkglibdir line in the Makefile.
- Once the OAUTH2 plugin was put in the right place, it worked.
- To verify, I installed the Debian package sasl2-bin, which includes saslpluginviewer. Before it was properly installed, XOAUTH2 did not show up. Once it was properly installed, it did.
- The last step I did was to change the authentication settings in my .mbsync file, as shown in the steps.org document:
...
PassCmd oauth2ms
AuthMechs XOAUTH2
...
Then I tried it and mbsync worked! There was much rejoicing.
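The following POSIX shell functions are an added sanity check for the setup above; they are not part of oauth2ms or of the original post. They test the points that can silently break this procedure: XDG_CONFIG_HOME visible to the process and pointing at a directory, config.json readable by its owner only, the required keys present, oauth2ms on $PATH, and XOAUTH2 listed by saslpluginviewer. Assumed, because the post does not state them: the config path $XDG_CONFIG_HOME/oauth2ms/config.json, the lowercase JSON key names, and the Debian plugin directory /usr/lib/x86_64-linux-gnu/sasl2.

```shell
#!/bin/sh
# Added sanity check for the oauth2ms + mbsync setup described above; not part
# of oauth2ms or the original post. Paths and key names marked below are assumed.

# Pass if group and other have no permission bits at all on FILE
# (the post uses chmod go-r; this checks the stricter go-rwx).
check_config_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    rest=$(ls -ld "$f" | cut -c5-10)   # group and other permission triplets
    [ "$rest" = "------" ] || { echo "too permissive: $f ($rest)"; return 1; }
}

# Pass if FILE names every key oauth2ms reads. The lowercase key names are
# assumed; the post only mentions CLIENT_ID, TENANT_ID and CLIENT_SECRET.
check_config_keys() {
    f=$1
    for k in client_id client_secret tenant_id redirect_host redirect_port redirect_path scopes; do
        grep -q "\"$k\"" "$f" || { echo "config.json lacks \"$k\""; return 1; }
    done
}

# Pass if XDG_CONFIG_HOME is visible to this process and is a directory
# (an unexported assignment in .profile would not reach mbsync or oauth2ms).
check_xdg_env() {
    [ -n "$XDG_CONFIG_HOME" ] && [ -d "$XDG_CONFIG_HOME" ]
}

# Pass if the Cyrus SASL plugin directory exists and saslpluginviewer (from
# sasl2-bin) lists XOAUTH2. The default directory is the assumed Debian path.
check_xoauth2_plugin() {
    dir=${1:-/usr/lib/x86_64-linux-gnu/sasl2}
    [ -d "$dir" ] || { echo "no SASL plugin dir at $dir"; return 1; }
    command -v saslpluginviewer >/dev/null 2>&1 || { echo "install sasl2-bin"; return 1; }
    saslpluginviewer 2>/dev/null | grep -q XOAUTH2 || { echo "XOAUTH2 not listed"; return 1; }
}

# Run every check against the default locations: sh check.sh run
run_all() {
    cfg=${XDG_CONFIG_HOME:-$HOME/.config}/oauth2ms/config.json   # assumed path
    check_xdg_env || echo "XDG_CONFIG_HOME is not set or not a directory"
    check_config_perms "$cfg" && check_config_keys "$cfg"
    command -v oauth2ms >/dev/null 2>&1 || echo "oauth2ms is not in PATH"
    check_xoauth2_plugin
}

case "${1:-}" in run) run_all ;; esac
```

Run it as `sh check.sh run` to print every failing item, or source the file and call the individual functions against other paths.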
I did not need to edit my .msmtprc file for MS SMTP, because I was directed to a local UW SMTP server to use instead. However, upon making this change, I had to change a variable for mu4e. When using MS SMTP, sent mail was automatically saved to “Sent Items”, so I told mu4e to delete the local copies:
(setq mu4e-sent-messages-behavior 'delete)
However, using a local SMTP server, I had to save them myself:
(setq mu4e-sent-messages-behavior 'sent)
where 'sent means the folder given by mu4e-sent-folder, in my case "/mailbox/Sent Items". Your top-level account directory may not be called mailbox.
I wrote this quickly to try to remember it. Comments, edits, corrections or clarifications welcome. If you need to do this, I hope you find it helpful.
Thank you for this!
Thank you for this write-up! I’m facing the same problem, also in a university setting.
For me, the big stumbling block is the creation of the “Azure Active Directory App.” Could you simply do this on portal.azure.com → Azure Active Directory, etc.? I get the message:
You do not have any Azure subscriptions in the Université de Lausanne (unils.onmicrosoft.com) directory. Click here to switch to another directory.
The “Azure Active Directory” thing is “not available,” so I can’t create an app there.
You are welcome! I’m sorry I never got a notification of your comment. I hope you’ve been able to solve it, but if not, on my Microsoft Azure portal through my university, there is a menu item on the left called “App registrations”. I am almost positive that is where I created it. In fact, I had to re-do it a couple months ago because the security credential expired, so I had to refresh it.
Thank you for this post.
You say:
> on my Microsoft Azure portal through my university
Do I get it right that this Azure cloud should be related to the company that issued me the Outlook account? Or can I sign up and create my own Azure account and register my app?
Hello,
I apologize for not seeing this sooner. My Microsoft Azure access is provided by my employer’s use of Microsoft email product/system. I do not know if one can create your own.
Take care!
To avoid such problems and gain a better understanding, I would recommend taking this course, AZ-104.
With this knowledge, you will quickly gain the necessary skills to effectively manage your Azure environment and deepen your knowledge as an Azure administrator.