Re: [Evolution] Failing to connect to Office365 account with MFA

On Thu, 2021-09-02 at 18:19 +0200, Milan Crha via evolution-list wrote:
> On Thu, 2021-09-02 at 18:01 +0200, Vincent Hennebert via evolution-list
> wrote:
> > It looks like Evo is ignoring the content returned by
> > the last SSO URL, but of course I may be wrong.

>         Hi,
> evo reads the returned auth code from the redirect URI and then asks
> the server (by another channel) for the token. Just like DavMail or any
> other. The token is received from the "/oauth2/token", which is the
> place where office365.com rejects the data on your side.

> > After that I see a connection to
> > https://login.microsoftonline.com/common/oauth2/nativeclient

> That's the application's redirect URI. The evo-ews uses it too, as its
> default. You've got past this place, it's done before the
> "/oauth2/token".

> If you can see what DavMail sends to the "/oauth2/token", then compare
> it with what evo-ews sends. Maybe they use special scopes or something.
> Do you see in the DavMail logs also the "/oauth2/authorize" call?

I do see an authorize call, but before the OAuth is triggered (split
over multiple lines for readability):
https://login.microsoftonline.com/<the_tenant_id>/oauth2/authorize?client_id=<the_client_id> \
&response_type=code \
&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient \
&response_mode=query \
&login_hint=<email_address> \
&resource=https%3A%2F%2Foutlook.office365.com


That gets a 302 response that redirects to an SSO URL and the
authentication dance begins.

I do not see any ‘/oauth2/token’ call.

The form that posts to https://login.microsoftonline.com/login.srf
contains 3 inputs:
  wa="wsignin1.0"
  wresult="<some XML with <wst:RequestSecurityTokenResponse
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"> as a root
element>"
  wctx="estsredirect=2&estsrequest=<a long alphanumeric string>"

When POST’ed, that form returns a redirect URL to
https://login.microsoftonline.com/common/oauth2/nativeclient?code=<long alphanum string>&session_state=<shorter alphanum string>

And that call seems to return the token. Then I see a socket creation
to outlook.office365.com, presumably using that token, and DavMail
starts listing my email directories.

Would EWS_DEBUG=2 and OAUTH_DEBUG=1 show all the connections Evo is
making, or could we get more (the 2 seems to indicate a log level and
not just an on/off switch)?

Vincent
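The three steps Milan describes (GET /oauth2/authorize, read the code off the nativeclient redirect, POST it to /oauth2/token over a separate connection), walked through offline in Python. This is an added example, not Evolution, evo-ews or DavMail code. It assumes the Azure AD v1 endpoints the thread shows, the usual v1 token-request form fields (grant_type, client_id, code, redirect_uri, resource), placeholder tenant and client IDs, and a constructed redirect URL standing in for what the browser would really return; nothing is sent over the network.

```python
"""Offline walk-through of the OAuth2 authorization-code flow from the thread.
Added example: not Evolution/evo-ews/DavMail code. Tenant/client IDs and the
redirect URL below are placeholders; no network traffic is generated."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

AUTHORITY = "https://login.microsoftonline.com"
# The redirect URI evo-ews uses by default, per the thread.
REDIRECT_URI = AUTHORITY + "/common/oauth2/nativeclient"
RESOURCE = "https://outlook.office365.com"


def build_authorize_url(tenant_id, client_id, login_hint):
    """Step 1: the GET /oauth2/authorize that starts the SSO dance.
    Parameter set mirrors the authorize call Vincent logged."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "login_hint": login_hint,
        "resource": RESOURCE,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/authorize?{urlencode(params)}"


def extract_code(redirect_url):
    """Step 2: the client does not fetch anything from nativeclient; it only
    reads 'code' (and 'session_state') out of the redirect's query string.
    Refuses redirects to any other location and surfaces an 'error' reply."""
    parts = urlsplit(redirect_url)
    target = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if target != REDIRECT_URI:
        raise ValueError(f"redirect to unexpected location: {target}")
    qs = parse_qs(parts.query)
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {qs['error'][0]} {desc}")
    if "code" not in qs:
        raise ValueError("redirect carries no authorization code")
    return qs["code"][0], qs.get("session_state", [None])[0]


def build_token_request(tenant_id, client_id, code):
    """Step 3: the POST to /oauth2/token, done on a separate connection.
    Returns (url, form). redirect_uri must be byte-identical to the one
    sent in step 1 or the server rejects the exchange (RFC 6749 4.1.3)."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
    }
    return url, form


if __name__ == "__main__":
    tenant, client = "<the_tenant_id>", "<the_client_id>"   # placeholders
    print("1. GET ", build_authorize_url(tenant, client, "user@example.com"))
    # Constructed stand-in for the final 302 Location the browser receives.
    final_redirect = REDIRECT_URI + "?code=AUTHCODE123&session_state=SS1"
    code, session_state = extract_code(final_redirect)
    print("2. code =", code, "session_state =", session_state)
    url, form = build_token_request(tenant, client, code)
    print("3. POST", url, "with", urlencode(form))
```

When comparing DavMail's and evo-ews's traffic, the useful diff is the form body of step 3 (and the redirect_uri and resource in step 1), since a mismatch between the redirect_uri values sent in steps 1 and 3 is rejected by the token endpoint regardless of which client sends it.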