[英]Microsoft exchange - IMAP OAuth2 With client credentials
I am writing application that need to read mailbox using IMAP, but as daemon, without user interaction.我正在编写需要使用 IMAP 读取邮箱的应用程序,但作为守护进程,无需用户交互。 I need to use OAuth2 to get access.我需要使用 OAuth2 来获得访问权限。 Because I need it without user interaction, I need to use client credentials flow.因为我需要它而不需要用户交互,所以我需要使用客户端凭据流。 This was added this June.这是今年六月添加的。
I have done everything from official documentation .我已经完成了官方文档中的所有内容。 Registered application, added permissions, added mailbox permission using PowerShell.使用 PowerShell 注册应用程序,添加权限,添加邮箱权限。
When I get request access token with scope https://outlook.office365.com/.default
, the one that I receive has role IMAP.AccessAsApp
, so I believe that is correct.当我使用 scope https://outlook.office365.com/.default
获得请求访问令牌时,我认为我收到的那个角色是正确的IMAP.AccessAsApp
,所以我认为是正确的。 I used https://jwt.ms/ to parse JWT.我使用https://jwt.ms/来解析 JWT。
The problem is when I try to authenticate using this access token in Java, for example问题是当我尝试在 Java 中使用此访问令牌进行身份验证时,例如
Properties props = new Properties();
props.put("mail.imap.ssl.enable", "true");
props.put("mail.imap.auth.mechanisms", "XOAUTH2");
props.put("mail.debug", "true");
Session session = Session.getInstance(props);
Store store = session.getStore("imap");
store.connect("outlook.office365.com", 993, "testing@mydomain.com", "accessToken");
I receive AUTHENTICATE failed
.我收到AUTHENTICATE failed
。 I tried same code with access token received using authorization code flow, which requires user interaction.我尝试了与使用授权代码流接收的访问令牌相同的代码,这需要用户交互。 Using that access code I was able to connect to mailbox.使用该访问代码,我能够连接到邮箱。 So the code is correct.所以代码是正确的。
I even tried using client id and service id instead of email address as username, but without success.我什至尝试使用客户端 ID 和服务 ID 而不是 email 地址作为用户名,但没有成功。
I am not sure where I made the mistake and if I am using correct username.我不确定我在哪里犯了错误,以及我是否使用了正确的用户名。 Any help is appreciated.任何帮助表示赞赏。
I wrote same answer here , so I am coping it here.我在这里写了同样的答案,所以我在这里应对。
I think I made some progress.我想我取得了一些进展。
I read documentation few times, tried few times from the start with same error.我读了几次文档,从一开始就尝试了几次同样的错误。 I even have tried using client and object ids instead of email as username, in lack of better ideas.我什至尝试使用客户端和 object id 而不是 email 作为用户名,但缺乏更好的想法。
So this is where I think I have made mistake previous times.所以这就是我认为我以前犯过错误的地方。
On the part where it is needed to register service principal, I needed to execute在需要注册服务主体的部分,我需要执行
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]
Here I have put enterprise application object id as ServiceId argument.在这里,我将企业应用程序 object id 作为 ServiceId 参数。 And that is ok.没关系。
But on但是在
Add-MailboxPermission -Identity "email address removed for privacy reasons" -User
<SERVICE_PRINCIPAL_ID> -AccessRights FullAccess
I have put my registered application object id as User argument.我已将我注册的应用程序 object id 作为用户参数。 I also tried setting object id of enterprise application, but it did not have success.我也试过设置企业应用程序的object id,但没有成功。
When I executed当我执行
Get-ServicePrincipal -Organization <ORGANIZATION_ID> | fl
I did not pay attention to ServiceId property, even with documentation specifying it and saying it will be different.我没有注意 ServiceId 属性,即使有文档指定它并说它会有所不同。
Now I cleared everything and started fresh.现在我清除了一切,重新开始。
I have executed all the steps again, but on the step for creating new service principal I used data from enterprise application view.我已经再次执行了所有步骤,但是在创建新服务主体的步骤中,我使用了来自企业应用程序视图的数据。 When I need to add mail permission, I list service principals, and then use ServiceId
value from the output, as argument for user.当我需要添加邮件权限时,我列出服务主体,然后使用 output 中的ServiceId
值作为用户的参数。
With that, I was able to authorise.有了这个,我就可以授权了。
Thanks everyone for sharing your experience.感谢大家分享您的经验。 This has proved to be a little confusing.事实证明,这有点令人困惑。 :) :)
To sum everything up, to access a mailbox with IMAPS and OAuth2 (as opposed to using Graph API which is another method Microsoft recommends):总而言之,使用 IMAPS 和 OAuth2 访问邮箱(而不是使用微软推荐的另一种方法 Graph API):
Connect-AzureAD
Connect-ExchangeOnline
$azapp = Get-AzureADApplication -SearchString 'App Registration Name'
$azsp = Get-AzureADServicePrincipal -SearchString $azapp.DisplayName
# GOTCHA: You need the ObjectId from 'Enterprise applications' (Get-AzureADServicePrincipal), not 'Application registrations' (Get-AzureADApplication) for ServiceId (thanks @[jamie][1])
$sp = New-ServicePrincipal -AppId $azapp.AppId -ServiceId $azsp.ObjectId -DisplayName "EXO Service Principal for $($azapp.DisplayName)"
$mbxs = 'mymbx1@yourdomain.tld',`
'mymbx2@yourdomain.tld',`
'mymbx3@yourdomain.tld'
$mbxs | %{ Add-MailboxPermission -Identity $_ -User $sp.ServiceId -AccessRights FullAccess } | fl *
Get-MailboxPermission $mbxs[-1] | ft -a
You can use Get-IMAPAccessToken.ps1 to test your setup您可以使用Get-IMAPAccessToken.ps1来测试您的设置
.\Get-IMAPAccessToken.ps1 -TenantID $TenantId -ClientId $ClientId -ClientSecret $ClientSecret -TargetMailbox $TargetMailbox
Other parameters you may need:您可能需要的其他参数:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.