Re: [Evolution] Failing to connect to Office365 account with MFA



[Apologies if I’m breaking the thread, I don’t seem to have received
the version of this message that was sent to the list.]

On Thu, 2021-08-19 at 19:37 +0200, Vincent Hennebert wrote:
> Hi there,
>
> Evolution 3.40.3 on Fedora 34 (flatpak version, but same issue occurs
> with version from repository).
>
> My organisation uses Office365 with multi-factor authentication for
> email and calendar. I have custom Application and Tenant IDs. The first
> time I set up my account, I went through the authentication and it all
> worked fine.
>
> Until I had to change my password. Now the MFA window shows up, I enter
> my credentials, acknowledge the login from the MFA app on my phone, and
> get the following error:
>
> Failed to obtain access token from address [...] Bad Request
> ({"error":"invalid_grant","error_description":"AADSTS9002313: Invalid
> request. Request is malformed or invalid" [...] })
>
> As a workaround I set up DavMail so that I can keep accessing my
> account using imap and caldav, but it’s not working super well and I’d
> prefer to stick to Evolution’s native EWS support.
>
> In case that matters: before I had to change my password, the MFA
> window would show up several times a day, but I found that I could just
> ignore it (press Escape) and still be able to refresh my email and
> calendar. DavMail displays the MFA window only at startup and never
> after (or maybe just once a day, haven’t been observing its behaviour
> for long enough yet).
>
> Any ideas?
>
> Thanks,
> Vincent

Hoping to elicit an answer to this request, I followed the
troubleshooting instructions on the following page:
https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2

I’m seeing OAuth2 messages that look OK. At some point I have


grant_type=authorization_code&code=<the_code>&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&client_id=<the_client_id>

Then this:
< HTTP/1.1 400 Bad Request
< Soup-Debug-Timestamp: 1629992911
< Soup-Debug: SoupMessage 1 (0x559af3719e80)
< Cache-Control: no-store, no-cache
< Pragma: no-cache
< Content-Type: application/json; charset=utf-8
< Expires: -1
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
< x-ms-request-id: dc8c48b0-c12e-40c1-ac8f-4742c8cece01
< x-ms-ests-server: 2.1.11935.14 - WUS2 ProdSlices
< Set-Cookie: fpc=<cookie>; expires=Sat, 25-Sep-2021 15:48:31 GMT; path=/; secure; HttpOnly; SameSite=None
< Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; httponly
< Set-Cookie: stsservicecookie=estsfd; path=/; secure; httponly
< Date: Thu, 26 Aug 2021 15:48:30 GMT
< Connection: close
< Content-Length: 485
<
< {"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: dc8c48b0-c12e-40c1-ac8f-4742c8cece01\r\nCorrelation ID: 8a4456d1-91f2-451e-af96-4f5e36d8d660\r\nTimestamp: 2021-08-26 15:48:31Z","error_codes":[9002313],"timestamp":"2021-08-26 15:48:31Z","trace_id":"dc8c48b0-c12e-40c1-ac8f-4742c8cece01","correlation_id":"8a4456d1-91f2-451e-af96-4f5e36d8d660","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
 
[OAuth2] 2021-08-26 17:48:31.215 - Loaded URI: 'none-local://'
[OAuth2] 2021-08-26 17:48:31.236 - Loaded URI: 'none-local://'

I obfuscated some data that I was not sure if it was sensitive. Happy
to share off-list if necessary.

Does that shed any light on what the issue might be?

I am able to successfully go through the MFA using DavMail with the
same account, so the problem seems to be on Evolution’s side. But I’m
having plenty of other issues with DavMail so I’d really rather get
back to EWS if I can.

Thanks,
Vincent
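
Added example, not part of the original message and not Evolution's code: a Python sketch for preparing an OAuth2 debug log like the one above for a public list. It masks the authorization code, client ID and cookie values, and keeps the error fields (error code, trace and correlation IDs) that identify the failed request. The sample log is constructed and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the shape of the log above; all values are made up.
SAMPLE = """\
grant_type=authorization_code&code=0.constructed-code&client_id=00000000-0000-0000-0000-000000000000
< HTTP/1.1 400 Bad Request
< Set-Cookie: fpc=ConstructedCookie; path=/; secure; HttpOnly
<
< {"error":"invalid_grant","error_codes":[9002313],"trace_id":"11111111-1111-1111-1111-111111111111","correlation_id":"22222222-2222-2222-2222-222222222222"}
"""

# Bearer material, plus client_id (an identifier, masked as in the message).
# Note: this also masks the numeric "code=" inside error_uri; the same number
# is still available in the body's error_codes field.
PARAM_RE = re.compile(
    r"\b(code|client_id|client_secret|refresh_token|access_token|id_token)"
    r"=[^&\s\"]+")
COOKIE_RE = re.compile(r"^([<>] (?:Set-)?Cookie: [^=\n]+=)[^;\n]*", re.I | re.M)
AUTHZ_RE = re.compile(r"^([<>] Authorization: \S+ ).*$", re.I | re.M)
KEEP = ("error", "error_codes", "trace_id", "correlation_id")


def redact(log):
    """Mask secrets in a libsoup-style debug log; leave diagnostics intact."""
    log = PARAM_RE.sub(r"\1=<redacted>", log)
    log = COOKIE_RE.sub(r"\1<redacted>", log)
    return AUTHZ_RE.sub(r"\1<redacted>", log)


def token_error(log):
    """Return the diagnostic fields of the first JSON error body, or None."""
    for line in log.splitlines():
        body = line.lstrip("<> ").strip()
        if not body.startswith("{"):
            continue
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            continue  # body was line-wrapped or truncated in the paste
        if "error" in doc:
            return {k: doc.get(k) for k in KEEP}
    return None


if __name__ == "__main__":
    safe = redact(SAMPLE)
    print(safe)
    print(token_error(safe))
```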



