Authentication fails with MSFT Provider extension, V2.0 endpoints and Graph #2116
Comments
A few minor things first: Why use PHP 5.6, especially if you're doing new development? It's years out of date and no longer supported. Since you're using composer (you're loading its autoloader), you don't need to load PHPMailer's classes manually as well. I'd also recommend against using dev-master; stick with release versions. I always have a hard time with OAuth at the best of times, but one thing that strikes me as odd (even as I look at PHPMailer's own examples) is why the access token isn't kept and used for auth, and the refresh token only used in case the access token has expired. |
Thanks Synchro. And to your comment about priming the system with a refresh token rather than an access token (either being taken from a manual run of get_oauth_token), I can only assume that this reflects the possibility that the access token will indeed have life-expired, and that using a refresh token (which has a longer – perhaps indefinite – shelf life) allows the invocation of PHPMailer to immediately use the refresh token to request an access token. But this is an assumption: I have failed to find any explanatory documentation. |
Did you manage to find a solution to this? I am having the same error. Authentication fails. I have successfully done all this with GMAIL and PHPMAILER XOAUTH2, but O365 fails authentication. |
Yes - try using an O365 scope of: |
Thanks for the fast reply, WOW! I looked into the "MSFT OAuth2 quirks.md" note by you. Thanks for the explanation. Do you mind if I contact you by email for a few questions regarding this integration? |
Fine - I'm at [email protected] |
I have used Decomplexity's code and amendments to achieve authentication via OAuth. I do get a refresh token, but still can't authenticate: 2022-09-29 12:01:14 SMTP INBOUND: "535 5.7.3 Authentication unsuccessful [AM0PR02CA0082.eurprd02.prod.outlook.com]" Can you explain the solution? I did read MSFT OAuth2 quirks.md, but don't understand the solution. |
Suggest using a scope of: |
Thank you for your answer - So if I understand correctly I need to change: ORIGINAL NEW ORIGINAL NEW Correct? |
Almost. Suggest: |
Unfortunately, that still doesn't work. Can you look at my code? |
Hi, @ewalscargocare I have made some changes. I hope it helps. index.txt good luck! |
Ok, this is good. We are going to see two things: Now you need to configure in Azure the permissions to the resource that your application requests. In the Azure portal, you have the following information: Delegated permissions or application permissions. For your case, it is probably worth having delegated permissions on the resource that you request from the API. For example, if you use app permissions, an admin in your organization may need to pre-approve it for you in Azure. |
Re SMTP AUTH: Re Abienvenido’s suggestions and your further comments: |
Thanks Decomplexity! I will further test and come back with feedback asap. |
Hi, @ewalscargocare In Microsoft graph, SMTP.Send. Too, you can see this: TOKEN JWS echo 'token jwt', $token = $provider->getAccessToken( and see in y with PHPMailer, what you have built: $_SESSION['token'] = $token->getRefreshToken(); |
I was able to authenticate! SMTP auth was already activated, so I didn't need to change anything for that. I use these URLS: https://login.microsoftonline.com/82b7989c-1a0e-454b-9ed4-6ddeaa59ff7c/oauth2/v2.0/authorize Scope: offline_access https://outlook.office.com/SMTP.Send Hope this helps other people! |
It would be awesome if you could summarise this in a wiki page. |
Steve Maguire’s stevenmaguire/oauth2-microsoft provider was written before the V2 authorization and token endpoints were a common option. Jan Hajek’s thenetworg/oauth2-azure provider is up-to-date and includes them. |
Hello @decomplexity Do you have any new news about this issue from Microsoft? Thank you very much! |
I have discussed this at some length with MSFT's Graph team and raised issues that apparently need specialist input. One quirk I presented is that if a scope parameter URI is omitted, it appears not always to default to https://graph.microsoft.com and that the order of scopes specified in a scope statement apparently matters, both apparently contrary to MSFT documentation and sufficient to cause either successful obtaining of a refresh token or successful SMTP authentication to fail because a scope parameter is pointing at the wrong resource API.
and after registering a client app with AAD, don't bother to manually specify any permissions, Graph or otherwise, but instead Accept the 'Permissions requested' prompt you will receive when you try to create a refresh token; this will add suitable Graph permissions to the User consent list (to check, see AAD Enterprise applications =>[select your app] => select Permissions =>select the User consent tab) |
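As an added diagnostic (not code from PHPMailer or either provider discussed here): decode the access token the provider hands back and check that its audience and scope actually point at the SMTP resource, which is the mismatch described above. The function names, the expected audience value and the sample token are assumptions or constructed for the demonstration.

```php
<?php
// Added example, not code from PHPMailer or any provider in this thread.
// Inspects an access token's claims without verifying the signature (local
// diagnostic only; the SMTP server still validates the token) so a 535 can be
// traced to a token minted for the wrong resource. Assumes PHP 7+ and a
// three-segment compact JWS as issued by the v2.0 token endpoint.
function base64UrlDecode($data)
{
    $b64 = strtr($data, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $out = base64_decode($b64, true);
    if ($out === false) {
        throw new InvalidArgumentException('Invalid base64url segment');
    }
    return $out;
}
function jwtClaims($jwt)
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Expected header.payload.signature');
    }
    $claims = json_decode(base64UrlDecode($parts[1]), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('Payload is not a JSON object');
    }
    return $claims;
}
// Returns a list of problems; empty means the token looks usable for XOAUTH2
// against outlook.office.com. Assumption: aud carries the resource URI the
// SMTP.Send scope targets; adjust if your tenant issues the resource app id.
function smtpTokenProblems($jwt, $expectedAud = 'https://outlook.office.com')
{
    $c = jwtClaims($jwt);
    $problems = [];
    $aud = isset($c['aud']) ? $c['aud'] : null;
    if ($aud !== $expectedAud) {
        $problems[] = 'aud is ' . var_export($aud, true) . ", expected $expectedAud";
    }
    $scopes = isset($c['scp']) ? explode(' ', $c['scp']) : [];
    if (!in_array('SMTP.Send', $scopes, true)) {
        $problems[] = 'scp lacks SMTP.Send';
    }
    if (isset($c['exp']) && $c['exp'] < time()) {
        $problems[] = 'token expired at ' . gmdate('c', $c['exp']) . ', refresh it first';
    }
    return $problems;
}
// Constructed sample: a token minted for Graph rather than the SMTP resource.
$enc = function ($a) { return rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '='); };
$sample = $enc(['alg' => 'RS256', 'typ' => 'JWT']) . '.' . $enc(['aud' => 'https://graph.microsoft.com', 'scp' => 'Mail.Send', 'exp' => time() + 3600]) . '.sig';
print_r(smtpTokenProblems($sample)); // reports the wrong aud and the missing SMTP.Send scope
```

Run it against `$token->getToken()` right after `getAccessToken()` in get_oauth_token: a non-empty list means the scope string sent to the authorize/token endpoints selected a different resource API than the one PHPMailer will authenticate to.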
Hi, @decomplexity I'll be happy to follow the progress. best regards |
Hi everyone, I thought you'd like to know that @greew has very kindly put together an excellent wiki article about setting up Azure. He's also written a shiny new League adapter for Azure, and an implementation tweak to use that package in the PHPMailer OAuth setup example code via this PR. Since you all seem to be trying to get this working, please could you give this new solution a try and let us know if you run into any issues? |
Hi all, I've been working on phpmailer+oauth2+microsoft for some days, and I'm struggling with this. |
@matteo-cavalli Have you tried the wiki article? |
Hi, yes, using Azure as provider with a new and clean installation, every time I make a request for get_oauth_token I can see many errors for bad request, uncaught function and so on. So in this case I've kept Microsoft as provider, but if you need some test or if you have another link I can test it. |
Hi, I'm facing the same issue as described by @matteo-cavalli. When I try to get the refresh token I get an exception on the request, thrown in the parse response function. A hint/idea or something would be helpful and would make my day. Thanks |
dudestefani: if you are using Greew's oauth2-azure-provider, try temporarily changing line 14 (or thereabouts) in Azure.php from |
@decomplexity thanks for the tip, but unfortunately nothing changes. Same behavior/issue as before, and yes, it's Greew's oauth2-azure-provider |
Same for me as per @dudestefani, same error. I've tried to change file Azure.php but the error is the same, with Greew's provider |
In the last few lines of
to
And let us know the output of the exception. Hopefully the exception message can tell us a bit more about what went wrong :) |
@greew I am not sure it helps, because my issue is more in retrieving the refresh_token. First of all I need the token, then I can try to send a mail, or did I get something wrong? |
Sorry - my bad. I had forgotten the context. Let's try the same in the get_oauth_token.php file: Replace

```php
$token = $provider->getAccessToken(
    'authorization_code',
    [
        'code' => $_GET['code']
    ]
);
```

with

```php
// Import the League exception class (at the top of the file) so the catch block matches it
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;

try {
    $token = $provider->getAccessToken(
        'authorization_code',
        [
            'code' => $_GET['code']
        ]
    );
} catch (IdentityProviderException $e) {
    // Show the provider's error and the raw response body to see why the token request failed
    print "<pre>";
    echo "An error occurred" . PHP_EOL;
    echo "Exception message: {$e->getMessage()}" . PHP_EOL;
    echo "Response: {$e->getResponseBody()}";
    die;
}
```

and check the exception message for more info :) |
BACKGROUND
I am running PHP 5.6 and Steven Maguire’s Microsoft Provider extension to thephpleague’s oauth2-client in order to use the MSFT Identity Platform V2.0 authorization and token endpoints and the MSFT Graph V1.0 API with PHPMailer.
The V2 endpoints and Graph are needed to support SMTP AUTH with OAuth2 (as announced in May 2020), and my MSFT tenant has SMTP AUTH enabled (MSFT is disabling it by default for new tenants).
I have made the obvious changes (below) needed to Steven’s code to support v2.0 endpoints and the Graph API v1.0.
PROBLEM DESCRIPTION
Running my get_oauth_token manually successfully gives a refresh token that is pasted into my PHPMailer invocation code.
But subsequently invoking PHPMailer results in a 535 5.7.3 authentication failure:
(A 535 5.7.3 fail code is not in RFC 4954’s code list but seems a common enough ‘invalid credentials’ error.)
I have posted variants of this problem on the thephpleague/oauth2-client and stevenmaguire/oauth2-client repositories and also on thenetworg/oauth2-azure (which has its own provider code).
DEBUG OUTPUT
SMTP ERROR: AUTH command failed: 535 5.7.3 Authentication unsuccessful [AM3PR05CA0135.eurprd05.prod.outlook.com]
However: running get_oauth_token manually is recorded in AAD Sign-ins but subsequently invoking PHPMailer is not. It appears that whatever calls get_oauth_token (whether directly or by callback from an endpoint) is not doing so and hence not obtaining authentication.
I am baffled and clearly doing something daft. Any suggestions are most welcome, especially from anyone who has successfully implemented this using v2.0 endpoints and the Graph API.
CODE DETAIL
My composer.json ‘requires’ just:
My changes to the Steven Maguire’s Provider code are in vendor/stevenmaguire/oauth2-microsoft/src/Provider/Microsoft.php:
My PHPMailer invocation is:
My GET_AUTH_TOKEN.PHP is:
… just a Microsoft-specific and slightly pruned version of Steven’s own. The ‘Select Provider’ is thus strictly unnecessary.