Add OAuth2 capability for Outlook/ M365 for China
Categories: MailNews Core :: Backend, enhancement
Tracking: Not tracked
People: Reporter dev-mozilla.org_6183c9754aa36d894748ad30, Unassigned
References: Blocks 1 open bug
Attachments: 1 file, 1 obsolete file (patch, 1.21 KB)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Steps to reproduce:
Microsoft moves to OAuth2 for M365 and Outlook, not only for the global infrastructure but also for the separate infrastructures operated for China or US Government. Neither works at present as no providers are configured in OAuth2Providers.jsm.
A bug related to US Government is already open (https://bugzilla.mozilla.org/show_bug.cgi?id=1699487).
The relevant servers for China seem to be:
- API endpoints: "https://login.partner.microsoftonline.cn/common/oauth2/authorize" and "https://login.partner.microsoftonline.cn/common/oauth2/token"
- Mail: IMAP: partner.outlook.cn, SMTP: smtp.partner.outlook.cn
Like for US Gov (.us), there is no app ID created for Thunderbird on the Chinese Azure environment (https://portal.azure.cn). Does Mozilla already have an account on the Chinese Azure, and could whoever owns it create an app ID? The newly created app ID needs to be for public access (Desktop/Mobile app, authorized for IMAP and SMTP (and if really necessary also POP)).
Comment 2•11 months ago
This issue is now urgent as partner.outlook.cn can no longer be logged into with the normal password auth method, and we are not able to use Thunderbird to connect to our business email.
Comment 3•3 months ago
See the following link for the endpoint details:
https://learn.microsoft.com/en-us/previous-versions/office/office-365-api/api/o365-china-endpoints
The app registration is managed on:
https://portal.azure.cn
Comment 4•3 months ago
Now I am able to get a Client ID from portal.azure.cn using my own email account from my organization.
Here is how I obtained the Client ID and configured the scope permissions as well as the redirect URLs:
- Log in to https://portal.azure.cn/ with my normal user account. This is the email account assigned to me by my organization. The steps below do not require an administrator account and do not require approval from the admin.
- Click the "View" button below the "Manage Microsoft Entra ID" section on the page.
- Go to "App registrations -> New registration". Use the following parameters:
  Name: "Thunderbird"
  Supported account types: "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)"
  Redirect URI: Select "Public client/native (mobile & desktop)" from the dropdown list, and enter "https://localhost" as the redirect URL.
  Click "Register". You will find the client ID on the returned page, and the endpoints when you click the "Endpoints" link.
  I also added a "Client secret", but after my login test it seems that the client secret is not needed since it is a "public client".
- Go to "API permissions > Add a permission > Microsoft Graph > Delegated permissions". Enable the following permissions:
  IMAP.AccessAsUser.All
  POP.AccessAsUser.All
  SMTP.Send (This may not be needed? Office 365 does not require OAuth for this, I think?)
Then I downloaded the Thunderbird source code, edited the mailnews/base/src/OAuth2Providers.jsm file, built and ran it, and added my account with the auth type "OAuth2". Now it works!
So, someone who has commit access to the code base should add the attached change to the OAuth2Providers.jsm file. Thanks.
I will be maintaining this client ID as long as I am using Thunderbird in my organization. However, in case I no longer have access to it (e.g. if I leave this company), someone else can request a new one following the steps above.
It would be ideal if Thunderbird could obtain a client ID on its own, but as far as I know https://portal.azure.cn does require a scanned copy of the "business license" of your organization, and you need to contact their sales person to obtain an account; they do not accept personal accounts.
Comment 5•3 months ago
Comment on attachment 9372415 [details] patch.diff diff --git a/./OAuth2Providers-master.jsm b/./OAuth2Providers-revised.jsm index f243d44..5120a9a 100644 --- a/./OAuth2Providers-master.jsm +++ b/./OAuth2Providers-revised.jsm @@ -56,6 +56,13 @@ var kHostnames = new Map([ "https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access", ], ], + [ + "partner.outlook.cn", + [ + "login.chinacloudapi.cn", + "https://partner.outlook.cn/IMAP.AccessAsUser.All https://partner.outlook.cn/POP.AccessAsUser.All https://partner.outlook.cn/SMTP.Send offline_access", + ], + ], [ "smtp.office365.com", [ @@ -155,6 +162,19 @@ var kIssuers = new Map([ }, ], + [ + "login.chinacloudapi.cn", // Microsoft 365 operated by 21Vianet in China. + { + clientId: "84f9a7d4-d73c-4fe3-949f-53afc9d9626f", + authorizationEndpoint: + "https://login.partner.microsoftonline.cn/organizations/oauth2/v2.0/authorize", + tokenEndpoint: + "https://login.partner.microsoftonline.cn/organizations/oauth2/v2.0/token", + redirectionEndpoint: "https://localhost", + usePKCE: true, + }, + ], + [ "www.fastmail.com", {
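Review bot: the kHostnames hunk registers only "partner.outlook.cn", so the SMTP host named in the bug description, smtp.partner.outlook.cn, has no entry and will not resolve to the login.chinacloudapi.cn issuer; the existing table pairs each host separately (the context shows a distinct "smtp.office365.com" entry right after the insertion), so add a second entry for "smtp.partner.outlook.cn" with the same issuer and scope string. Also, the file header paths (a/./OAuth2Providers-master.jsm, b/./OAuth2Providers-revised.jsm) do not match mailnews/base/src/OAuth2Providers.jsm, so the patch will not apply to the tree as-is.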
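Review bot: the kIssuers hunk hardcodes a clientId that comment 4 says is maintained personally by the commenter; whoever controls that app registration controls the consent screen and redirect URI for every Thunderbird user of partner.outlook.cn, so a project-owned registration should replace it before landing, and the inline comment should state who owns the value. Two smaller points: the issuer key "login.chinacloudapi.cn" does not match the endpoint host "login.partner.microsoftonline.cn" used two lines below it, which will confuse the next reader, and the endpoints use /organizations/ where the bug description listed /common/; a comment explaining that /organizations/ matches the multitenant registration from comment 4 would help.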