Skip to content

Java (SpringBoot) app connecting to Outlook365 IMAP using OAuth2 authentication

Notifications You must be signed in to change notification settings

lfriends/java-outlook365-oauth2

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Java Sample App to connect to outlook365 with OAuth2

This project is an example on how make a client-to-server connection to outlook365 (or any similar service) over IMAP using OAUTH2 authentication without a user interaction (MFA).

It requires some Azure configuration.

The app connects to an INBOX to test the connection is valid.
It also:

  • prints out the number of messages
  • possibility to save a message as an .eml file (see: saveMessageToFile() method)

Table of Contents

Requirements

In order to successfully run this sample app you need to:

  1. register a new app on the azure portal
  2. Authorize access on the Exchange server
  3. Fill up the application.properties file, by adding
    • the email account
    • the tenant id
    • the application id
    • the secret id (OAuth2AppClientId, OAuth2AppClientSecret) by copying over from the keys section for your app.
  4. git-clone this project: git clone https://github.com/lfriends/java-outlook365-oauth2

Registering an app on Azure

  1. Sign in to the Azure portal

  2. If you have more tenants, switch to the desired one

  3. Open Azure Active Directory

  4. Click on App registrations on the left panel

  5. Add a new registration

    1. set a name as you like (Il will be displayed on the access token info)
    2. select "Accounts in any organizational directory"
    3. click "Register"

  6. Open up your newly create App registration

    • click Authentication on the left panel

    • click Certificates and secrets

      • New client secret
      • choose the name and duration
      • click "ADD"
      • VERY IMPORTANT: note down the Secret "Value" because it wont be visible again
    • goto App permission

      • "Add permission"

      • select tab "APIs my organization uses" > search: "Office 365 Exchange Online" > select

        • IMAP.AccessAsApp
        • IMAP.AccessAsApp
        • Mail.Read
        • Mail.Send (if you want to send)
      • click "Add permission"

      • DON'T FORGET to click "Grant admin consent for ..." to activate the grants

Authorizing access on the Exchange server

this can only be done by powershell scripts on exchange

  1. connect to powershell console on exchange (Help on how to connect can be found here )
  2. Install ExchangeOnlineManagement
Install-Module -Name ExchangeOnlineManagement -allowprerelease Import-module ExchangeOnlineManagement Connect-ExchangeOnline -Organization   

3.Register Service Principal in Exchange

New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]   

Make sure to use ObjectId from enterprise applications rather than object id of application as well described in this post Exchange config: Make sure to use ObjectId from enterprise applications rather than object id of application

Updating the app parameters

Open the "application.properties" file and update with your IDs:

  • mail.username: is the email account you want to access - e.g.: john.doe@example.com
  • mail.oauth2.secret_value: use the secret value (not the ID) generated at step #1.6 - e.g.: XUad94~M...
  • mail.oauth2.application_client_id: this the "Application (client) ID" visible on the "overview" panel of the application
  • mail.oauth2.direcotry_tenant_id: this the "Directory (tenant) ID" visible on the "overview" panel of the application

Libs Deps

Maven POM.XML
<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>msal4j</artifactId>
    <version>1.10.1</version>
</dependency>

<dependency>
    <groupId>com.sun.mail</groupId>
    <artifactId>javax.mail</artifactId>
    <version>1.6.2</version>
</dependency>
Single Libs (if not using the POM.XML)
  • accessors-smart-2.4.8.jar
  • activation-1.1.jar
  • asm-9.1.jar
  • content-type-2.1.jar
  • javax.mail-1.6.2.jar
  • jcip-annotations-1.0-1.jar
  • json-smart-2.4.8.jar
  • lang-tag-1.5.jar
  • msal4j-1.10.1.jar
  • nimbus-jose-jwt-9.9.3.jar
  • oauth2-oidc-sdk-9.7.jar

Troubleshooting

ERROR: OAUTH2 is not working?
DEBUG IMAP: AUTH: PLAIN
.OR.
DEBUG IMAP: Can't load SASL authenticator 

verify you are using javaMail >= 1.6

and that you have correctly set all the mail properties, like:

props.put("mail.imap.sasl.enable", "true");
props.put("mail.imap.sasl.mechanisms", "XOAUTH2");
props.put("mail.imap.auth.mechanisms", "XOAUTH2");
props.put("mail.imap.auth.login.disable", "true");
props.put("mail.imap.auth.plain.disable", "true");
[...]

Please note that in case you are connecting to "imaps"

Store store = session.getStore("imaps");

remember also to update all the props to imaps too:

props.put("mail.imaps.sasl.enable", "true");
props.put("mail.imaps.sasl.mechanisms", "XOAUTH2");
[...]

ERROR: AADSTS7000215: Invalid client secret provided...
> AADSTS7000215: Invalid client secret provided Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '*********'.

as the message is stating: ensure you are using the SECRET VALUE and not the SECRET ID.
Note that you can copy the Secret value only at creation time. As you close the creation page, the Secret value will never be visible again. In case you missed it, you will need to create a new Secret value.

ERROR: AUTHENTICATE failed
> DEBUG IMAP:  XOAUTH2  
> DEBUG IMAP:   
> A1 AUTHENTICATE XOAUTH2 **********   
> A1 NO AUTHENTICATE failed.   
> javax.mail.AuthenticationFailedException: AUTHENTICATE failed.  

You most probably have missed to set, or have set the wrong permissions over one of the followings:

  1. Make sure you have set the proper rights on the azure application configuration
  2. ensure you have ran the CLI commands to authorize the application to access the email folder requested (this can only be solved by powershells script on exchange)

check this out Application permissions .and. Exchange config

Please note that you need to wait up to 15 minutes for these change to apply

Reference Documentation

Further reference and credit for this project:

About

Java (SpringBoot) app connecting to Outlook365 IMAP using OAuth2 authentication

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages