RIP M$ basic auth support 💀
──────────────────────────────────────────────────────────────────────
Microsoft must hate their users.

I've seen the news come up a few times, thinking it would be nothing
but a joke. But here we are: Basic authentication for Microsoft Exchange
is dead 💀.

This means that the only way to authenticate to your Office 365 mailbox
is using the XOAUTH2 mechanism. And hear me out, it's a pain!

However, I'm not writing this post as yet another rant against
Microsoft. It is a brain dump of what I did to get it working again,
because I'll need it sooner or later (and you'll probably need that
too!).

# Process

This will let you retrieve/send email with isync/msmtp respectively. At
the end of the day, you'll still use a username/password, it's just that
getting that "password" (XOAUTH2 token) is a pain in the neck.

0. Get a stress ball, put it somewhere close to you
1. Login to https://portal.azure.com with your email account
2. Navigate to the "App Registration" page (use the searchbar)
3. Register a new "app"
       3.0 Name it "blebleble" (this is important)
       3.1 Select "Single tenant" access
4. Authentication
       4.0 Add platform: Mobile + Desktop
       4.1 Set redirect URI: http://localhost
       4.2 Advanced settings Allow public client flow: YES
5. API Permissions
       5.0 Microsoft Graph: (allow them all, really…)
               - email
               - offline_access
               - IMAP.AccessAsUser.All
               - POP.AccessAsUser.All
               - SMTP.Send
               - User.Read
6. Overview: copy "client" and "tenant" ID
7. Download xoauth2.py[0] (modified by me, thank you sir Perlis!)
8. Replace TENANT_ID and CLIENT_ID in the source with your own
       8.1 (Optional) edit ENCRYPTION_PIPE/DECRYPTION_PIPE
           This currently uses cat(1). Use a decent crypto tool if you
           care, like cream[1] or age
9. xoauth2 ~/.cache/o365.token -a
       9.0 OAuth2 registration: microsoft
       9.1 OAuth2 flow: localhostauthcode
       9.2 Account email address: [email protected]
       9.3 Navigate the link
       9.4 Accept permissions

VOILÀ! 😫🔫

You should now be authorized to read your emails.

Use the command `xoauth2 ~/.cache/o365.token` to get your current access
token, and use it as your password. Here is my own ~/.mbsyncrc for
reference:

       IMAPAccount o365
               Host outlook.office365.com
               Port 993
               User [email protected]
               PassCmd "xoauth2 ~/.cache/o365.token"
               SSLType IMAPS
               SSLVersions TLSv1.2 TLSv1.3
               AuthMech XOAUTH2
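
For reference, this is what the SASL layer does with the token that
PassCmd hands back: it wraps the address and the bearer token into the
XOAUTH2 initial client response before sending AUTHENTICATE XOAUTH2.
This is an added example of my own, not code from xoauth2.py or from the
sasl2-xoauth2 module; the address and token values in it are made up.

```python
import base64

# Field separator in the XOAUTH2 initial client response (byte 0x01).
CTRL_A = "\x01"


def xoauth2_raw(user: str, access_token: str) -> bytes:
    """Unencoded initial client response:
        user=<address>^Aauth=Bearer <access token>^A^A
    A ^A inside either field would make the server mis-parse the
    message, so it is refused up front rather than sent."""
    if CTRL_A in user or CTRL_A in access_token:
        raise ValueError("user and token must not contain 0x01")
    if not access_token:
        raise ValueError("empty access token (did PassCmd fail?)")
    return f"user={user}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}".encode("utf-8")


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 form, as sent in 'AUTHENTICATE XOAUTH2 <this>' (IMAP)
    or 'AUTH XOAUTH2 <this>' (SMTP)."""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")


def parse_xoauth2_initial_response(encoded: str) -> dict:
    """Decode a captured initial response back into its fields, to
    check what the client actually sent when a login fails."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    if not raw.endswith(CTRL_A * 2):
        raise ValueError("missing trailing ^A^A terminator")
    fields = {}
    for item in raw[:-2].split(CTRL_A):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {item!r}")
        fields[key] = value
    return fields


if __name__ == "__main__":
    # Constructed sample values; a real token comes from
    # `xoauth2 ~/.cache/o365.token` and is much longer.
    line = xoauth2_initial_response("[email protected]", "EXAMPLE_ACCESS_TOKEN")
    print("AUTHENTICATE XOAUTH2", line)
    print(parse_xoauth2_initial_response(line))
```

The decoded response carries the access token in clear, so keep any
captured copy out of logs and shell history just like the token file.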

Notes: For mbsync, you'll need to install the Cyrus sasl2-xoauth2 module

       The xoauth2 token is stored unencrypted on disk. Look for
       ENCRYPTION_PIPE and DECRYPTION_PIPE in xoauth2.py to handle
       encryption if you care (current encryption tool: cat(1)).
--
~wgs

[0]: gopher://z3bra.org/0/notes/xoauth2.py
[1]: gopher://z3bra.org/0/projects/cream.txt

20221025.1859