What scope should be used to connect IMAP store from JAVA application using OAuth 2.0
I have a backend application that connects to IMAP store and does some jobs inside. It works fine with basic authentication.
Now we're trying to switch it to OAuth 2.0 but it fails with "A1 NO AUTHENTICATE failed." error on an attempt to connect to IMAP store with a token(we are using Resource Owner Password Credentials flow, due to some reasons we can't use other flows).
After reading a huge number of articles it seems to be related to the scope, we have tried "https://graph.microsoft.com/IMAP.AccessAsUser.All", "IMAP.AccessAsUser.All" and "https://outlook.office.com/IMAP.AccessAsUser.All".
With the first two scopes, it gives us the token but
"store.connect("outlook.office365.com", 993, "user@some_domain.onmicrosoft.com", "access_token");" it fails with "A1 NO AUTHENTICATE failed.".
With the last one("https://outlook.office.com/IMAP.AccessAsUser.All") we can't get a token with the "AADSTS65001: The user or administrator has not consented to use the application with ID.." error. That kinda makes sense because we can't add the permissions for Outlook but for Microsoft Graph only.
Any ideas are highly appreciated.
I guess the correct scope is https://outlook.office.com/IMAP.AccessAsUser.All
In the app registration screen in the azure portal, you can add common used api permissions. You can also take a look at the second tab where you can add additional api like outlook.
You then need the application id, to find the correct one, go to enterprise applications, switch the filter to Microsoft applications and look for exchange. I’m on my iPad, so it doesn’t work well here, but you should be able to find the correct ID there.
Apart from that, imap needs to be enabled in your organization and access should not be permitted through conditional access.
Second advise, consider migrating to graph api. That is the way forward for all new applications.
- What's the point of refresh token?
- Migrating from validate-jwt to validate-azure-ad-token policy
- What is the purpose of authorization code in OAuth
- JWT validation failure error in azure apim
- How to authenticate resource owner with JWT when sending request to /oauth2/authorize?
- Some scopres missing from Google Gmail API oAuth Consent Flow
- passport-oauth2 client how to use profile data received
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- How access Azure APIs
- Chrome identity launchWebAuthFlow only opens empty callback page
- Limiting the scopes of an OAuth 2.0 flow
- Is Endpoint Security Authentication in WSO2 APIM Done per API or per request?
- Why do i need to specify redirect_uri if i am authenticating from server side?
- Error 400: invalid_scope with Postman and Google OAuth2
- Issues Adding SMTP.Send Permission to Azure Application for Office 365 SMTP
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Authentication Problems using Google's ARCore API
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Azure AD:Authenticate Devices