Open Bug 1780765 Opened 2 years ago Updated 3 months ago

Add OAuth2 capability for Outlook/ M365 for China

Categories

(MailNews Core :: Backend, enhancement)

Thunderbird 102
enhancement

Tracking

(Not tracked)

People

(Reporter: dev-mozilla.org_6183c9754aa36d894748ad30, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0

Steps to reproduce:

Microsoft moves to OAuth2 for M365 and Outlook, not only for the global infrastructure but also for the separate infrastructures operated for China or US Government. Neither works at present as no providers are configured in OAuth2Providers.jsm.
A bug related to US Government is already open (https://bugzilla.mozilla.org/show_bug.cgi?id=1699487).

The relevant servers for China seem to be

Like for US Gov (.us), there is no app ID created for Thunderbird on the Chinese Azure environment (https://portal.azure.cn). Do Mozilla have an account on the Chinese Azure already and could whoever owns it create an app id? The newly created app id needs to be for public access (Desktop/Mobile app, authorized for IMAP and SMTP (and if really necessary also POP)).

Component: Untriaged → Backend
Product: Thunderbird → MailNews Core
Summary: Add OAuth2 capability for Outlook/ Exchange Online for China → Add OAuth2 capability for Outlook/ M365 for China
See Also: → 1685414
See Also: → 1780083
Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 1834057

This issue is now urgent as partner.outlook.cn now cannot be logged in to with the normal password auth method and we are not able to use Thunderbird to connect to our business email.

See the following link for the endpoint details:
https://learn.microsoft.com/en-us/previous-versions/office/office-365-api/api/o365-china-endpoints

The app registration is managed on:
https://portal.azure.cn

Attached file patch.diff (obsolete) —

Now I am able to get a Client ID from portal.azure.cn using my own email account from my organization.

Here is how I obtained the Client ID and configured the scope permission as well as the redirect urls:

  1. Login to https://portal.azure.cn/ with my normal user account. This is my email account assigned to me by my organization. The steps below do not require an administrator account and do not require approval from the admin.

  2. Click the "View" button below the "Manage Microsoft Entra ID" section on the page.

  3. Go to "App registrations -> New registration".
    Use the following parameters:
    Name: "Thunderbird"
    Supported account types: "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)"
    Redirect URI: Select "Public client/native (mobile & desktop)" from the dropdown list, and enter "https://localhost" as the redirect url.

Click "Register". You will find the client id on the returned page, and find the "end points" when you click the "Endpoints" link.

I also added a "Client secret", but after my login test it seems that the client secret is not needed since it is a "public client".

  4. Go to "API permissions > Add a permission > Microsoft Graph > Delegated permissions".
    Enable the following permissions:
    IMAP.AccessAsUser.All
    POP.AccessAsUser.All
    SMTP.Send (This may not be needed? Office 365 does not require OAuth, I think?)

Then I downloaded the Thunderbird source code, edited the mailnews/base/src/OAuth2Providers.jsm file, built and ran it, and added my account with the auth type "OAuth2". Now it works!

So, someone who has commit access to the code base should add the attached change to the OAuth2Providers.jsm file. Thanks.

I will be maintaining this client id as long as I am using Thunderbird in my organization. However, in case I no longer have access to it (e.g. if I leave this company), someone else can request a new one following the steps above.

It would be ideal if Thunderbird could obtain a client id on its own, but as far as I know https://portal.azure.cn does need a scanned copy of the "business license" of your organization, and you need to contact their sales person to obtain an account; they do not accept personal accounts.

Comment on attachment 9372415 [details]
patch.diff

diff --git a/./OAuth2Providers-master.jsm b/./OAuth2Providers-revised.jsm
index f243d44..5120a9a 100644
--- a/./OAuth2Providers-master.jsm
+++ b/./OAuth2Providers-revised.jsm
@@ -56,6 +56,13 @@ var kHostnames = new Map([
       "https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access",
     ],
   ],
+  [
+    "partner.outlook.cn",
+    [
+      "login.chinacloudapi.cn",
+      "https://partner.outlook.cn/IMAP.AccessAsUser.All https://partner.outlook.cn/POP.AccessAsUser.All https://partner.outlook.cn/SMTP.Send offline_access",
+    ],
+  ],
   [
     "smtp.office365.com",
     [
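Review bot: the diff header names working copies (a/./OAuth2Providers-master.jsm, b/./OAuth2Providers-revised.jsm) rather than mailnews/base/src/OAuth2Providers.jsm, so the attachment will not apply with normal tooling (the attachment flags also record "Attachment is patch: false"); please regenerate it from a checkout. On the entry itself: only "partner.outlook.cn" is mapped, while the existing Office 365 block keeps separate hostname entries (for example "smtp.office365.com" directly below), so confirm whether the China SMTP and POP server names offered during account setup differ from partner.outlook.cn and add them as well, otherwise those servers would not resolve to this issuer. The scope string follows the existing pattern with the resource prefix switched to https://partner.outlook.cn/, which looks correct.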
@@ -155,6 +162,19 @@ var kIssuers = new Map([
     },
   ],
 
+  [
+    "login.chinacloudapi.cn", // Microsoft 365 operated by 21Vianet in China.
+    {
+      clientId: "84f9a7d4-d73c-4fe3-949f-53afc9d9626f",
+      authorizationEndpoint:
+        "https://login.partner.microsoftonline.cn/organizations/oauth2/v2.0/authorize",
+      tokenEndpoint:
+        "https://login.partner.microsoftonline.cn/organizations/oauth2/v2.0/token",
+      redirectionEndpoint: "https://localhost",
+      usePKCE: true,
+    },
+  ],
+
   [
     "www.fastmail.com",
     {
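Review bot: the clientId here belongs to an app registration created in the reporter's own organizational tenant on portal.azure.cn (see the comment above), not a Mozilla-owned registration, so the entry should carry a comment naming its owner and origin; if that tenant deletes or reconfigures the app, every China user's OAuth2 login breaks, and nobody at the project can audit or rotate it. The rest is consistent: the map key matches the issuer string used in the kHostnames hunk, the endpoints use the /organizations/ authority (matching the "organizational directory" registration, so personal accounts are excluded), and redirectionEndpoint "https://localhost" with usePKCE: true and no client secret is the right shape for a public client.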
Attachment #9372415 - Attachment description: OAuth2Providers-revised.jsm → patch.diff
Attachment #9372415 - Attachment filename: OAuth2Providers-revised.jsm → patch.diff
Attachment #9372415 - Attachment is obsolete: true
Attachment #9372415 - Attachment is patch: false
Attached patch patch.diff
