Category Archives: web

Getting UW Outlook 365 OAUTH2 to work with emacs, mu4e, mbsync, and msmtp

* Editing on 11/28/2022 to update some items and make some corrections.

I prefer reading email in Emacs with mu4e. My password authentication recently stopped working for sending and receiving email. After several hours of trial and error and putting together different web search results, I have it working again.

The crux of the matter is that Outlook 365 no longer accepted username and password to log in and now requires an OAUTH2 token or key or phrase. There are explanations on the web about how and why this change, but I haven’t read them.

Here’s an outline of what I did:

  1.  started with installing oauth2ms
    1. needed to install it on my Debian unstable system
    2. rather than install via python packages via pip, I installed the following packages via the Debian package manager: python3-pyxdg, python3-msal, python3-gnupg. Note you also need working gnupg.
    3. to test, I ran the pip command and the messages confirmed the packages were already present
    4. then you copy oauth2ms to a directory in your $PATH
  2. oauthms needs a persistent environment variable pointing to the $XDG config directory. On my machine, that is $HOME/.config. I put XDG_CONFIG_HOME=$HOME/.config in my .profile and then my .xsessionrc, but it did not show up as defined in my xterm. So I finally put it in .bashrc and it does. I read the Debian documentation about where to put it, but clearly I’m missing something because my understanding is that .profile is where it belongs.
  3. Next, I created and “Azure Active Directory App” for mbsync (and msmtp, but turns out I don’t need it yet). For this, I followed instructions, as I am completely unfamiliar with Azure and other MS software and platforms.
    1. The instructions I followed were:
    2. A challenge for me in doing this was that I am unfamiliar with much of the language in the MS docs.
    3. A catch occurred during the Azure App registrations. You create an Authentication procedure. Therein, you specify what kind of app you need to authenticate. I thought it was a desktop app, because I’m working on a desktop. However, it turned out to need to be a Web app, as someone in Stack Exchange discovered.
    4. When you create a secret key for your app, you need to save the value of the key immediately. The documents say you will never be able to see it again.
    5. Also, the redirect URI should not end in a backslash. Following the instructions on the oauth2ms steps.org file, I used https://localhost:portnumber/getToken. One does include the final backslash in the config.json file needed next.
    6. The steps.org document also lists permissions to add, which I did.
    7. I saw references on the web to using another, already available authentication app, like Thunderbird’s, but I didnt’ try to figure that out (yet).
  4. While creating the Azure app, I also filled in the skeleton of the oauth2ms config.json file.
    1. The CLIENT_ID and TENANT_ID values are available on the Overview for the Azure app you created.
    2. The CLIENT_SECRET is the value of the secret key you created and saved.
    3. Because this is theoretically important, I changed the file mode of config.json to be owner-only readable and writeable (chmod go-r). However, it is stored in clear-text. Perhaps down the road, I’ll find a way to used gnupg to encrypt and decrypt the file, so it is stored securely. This is done in the mutt instructions for Outlook and OAUTH2, so I assume it is readily done here too.
  5. I believe at this point, running oauth2ms at the command prompt should work. I got errors several times, leading to the above list of reading and steps, but eventually, I got a very long string of characters with no error messages.
  6. For mbsync to work, one needs a/the SASL OAUTH2 authentication plugin. The steps.org file points to it. ADDED 11/28: There is a Debian package (at least unstable) with an OAUTH2 mechanism. It is called libsasl2-modules-kdexoauth2.
    1. You do have to build this from source, using autogen, configure, and make.
    2. The problem in this step is that on Debian SASL plugins are stored in /usr/lib/x86_64-linux-gnu, whereas the source code puts it in /usr/lib. This didn’t work and OAUTH2 was not an available authentication method.
    3. As pointed out in this Stack Exchange post, I had to edit the Makefile to install to the right place. I tried using ./configure -libdir=/usr/lib/x86_64-linux-gnu/ , but it didn’t work, so I am missing something. Specifically, it was the pkglibdir line in the Makefile.
    4. Once the OAUTH2 plugin was put in the right place, it worked.
    5. To verify, I installed the Debian package sasl2-bin, which includes saslpluginviewer. Before it was properly installed, XOAUTH2 did not show up. Once it was properly installed, it did.
  7. The last step I did, was to change the authentication code in my .mbsync file, as shown in the steps.org document:
...
PassCmd oauth2ms
AuthMechs XOAUTH2
...

Then I tried it and mbsync worked! There was much rejoicing.

I did not need to edit my .msmtprc file for MS SMTP, because I was directed to a local UW SMTP server to use instead. However, upon making this change, I had to change a variable for mu4e. When using MS SMTP, sent mail were automatically saved to “Sent Items”, so I told mu4e to delete them:

(setq mu4e-sent-messages-behavior 'delete)

however, using a local SMTP server, I had to save them myself:

(setq mu4e-sent-messages-behavior 'sent)

where 'sent is defined as mu4e-sent-folder "/mailbox/Sent Items". Your toplevel account directory may not be called mailbox.

I wrote this quickly to try to remember it. Comments, edits, corrections or clarifications welcome. If you need to do this, I hope you find it helpful.

Moving from Catalyst to various tools

As UW-IT removes the old Catalyst tools, I’m moving stuff to new places, as well as updated all the pointers to that material. This blog site is my replacement for what was my Catalyst Commonview faculty webpage. I’ll be learning WordPress, as well as moving and adding information here over the coming months.