N/A Javamail to Outlook365 in BSSV with OAUTH2

craig_welton

craig_welton

Legendary Poster
Hi all,

This is a bit of a Hail Mary, but here it goes ...

We have a BSSV that connects to outlook365 using the javamail library and the IMAP protocol. It polls email accounts and integrates stuff in to JDE; been working great for years. MS is disabling this type of access which is considered "Basic Authentication" since we pass a user and password during the login. The "MODERN" authentication is based on OAUTH2 and seems to require interaction with an Azure application to get tokens etc. I have no experience with Azure and the documentation for calling the right endpoints is not clear to me. It currently seems like there needs to be interaction from a user to authenticate, which is not possible in our BSSV called from a UBE.

So hoping someone here has some experience with Azure and calling APIs to get a token for use with OAUTH2 and javamail.

thanks,
Craig
 
Craig, it's very very hairy with a steep learning curve. Best to find someone who's done it and can develop it for you. There should be Java people around, try Java forums, since you are already using Java here. My experience was completely Java-free.
 
Alex_Pastuhov said:
Craig, it's very very hairy with a steep learning curve. Best to find someone who's done it and can develop it for you. There should be Java people around, try Java forums, since you are already using Java here. My experience was completely Java-free.
Click to expand...
Hey Alex, nice to hear from you. I hope all is well. I was hoping this was just a chain of web API calls to end up with a token I can use in the login, but the MS documentation is all over the place. The Azure app setup adds a layer of obscurity. Maybe I'm just too old.
 
Yes, thanks. Been there, done that, have bitemarks ;-) Everything goes there these days, so we needed to support all that too. Doable, but fiddly. What do you need in the end? - a JWT you can send back in headers? What's your target hardware platform?
 
Alex_Pastuhov said:
Yes, thanks. Been there, done that, have bitemarks ;-) Everything goes there these days, so we needed to support all that too. Doable, but fiddly. What do you need in the end? - a JWT you can send back in headers? What's your target hardware platform?
Click to expand...
In the end, I don't want to change any of the javamail logic in the BSSV, other than authorization process. OAUTH2 is available when connecting, I just don't understand how to get the token from Azure. We just pull the emails from a mailbox and store as a media object(s) along with a message header table. Mainly used for PO and workflow approvals from user's phones.
 
Not sure about using IMAP with Azure AD which is what I assume you're trying to do. We use Microsoft Graph to integrate with their Microsoft's cloud services (Email, Sharepoint etc) and you can find details on authentication here:
docs.microsoft.com

Microsoft Graph authentication and authorization overview

Learn how to authenticate and work with permissions to securely access data through Microsoft Graph. Explore the following documentation to learn about app registration, authentication libraries, authorization, and other parts of the Microsoft identity platform that support Microsoft Graph...
docs.microsoft.com

I'm guessing if you're going down the IMAP route you'd probably need to set up a Personal Access Token for the service account you're using and then from there you can complete the authentication process without prompts from the user. You can set the expiry on the PAT so that it has a long TTL.
 
RussellCodlin said:
Not sure about using IMAP with Azure AD which is what I assume you're trying to do. We use Microsoft Graph to integrate with their Microsoft's cloud services (Email, Sharepoint etc) and you can find details on authentication here:
docs.microsoft.com

Microsoft Graph authentication and authorization overview

Learn how to authenticate and work with permissions to securely access data through Microsoft Graph. Explore the following documentation to learn about app registration, authentication libraries, authorization, and other parts of the Microsoft identity platform that support Microsoft Graph...
docs.microsoft.com

I'm guessing if you're going down the IMAP route you'd probably need to set up a Personal Access Token for the service account you're using and then from there you can complete the authentication process without prompts from the user. You can set the expiry on the PAT so that it has a long TTL.
Click to expand...
Hi Russell,

Thanks for your input. We're looking to continue using IMAP since the solution is already working and is technically supported. The issue is with authentication. From my understanding (which is lean), using Microsoft Graph for the solution would require reading emails in JSON format from API calls. Is that correct? (which would require a big refactoring project) I'll see what I can find out about the PAT.

thanks again,
Craig
 
craig_welton said:
Hi Russell,

Thanks for your input. We're looking to continue using IMAP since the solution is already working and is technically supported. The issue is with authentication. From my understanding (which is lean), using Microsoft Graph for the solution would require reading emails in JSON format from API calls. Is that correct? (which would require a big refactoring project) I'll see what I can find out about the PAT.

thanks again,
Craig
Click to expand...
Yes, Microsoft Graph is a REST API and not a native IMAP/POP3 type solution.

You may want to have a look at https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-overview with details on how to get an access token using different techniques and libraries. The PAT approach still requires you to generate an access token, it more allows you to bypass things like user access acceptance and MFA as part of the process.

The documentation on the OAuth2 flows can be found at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols

If it makes you feel any better we've had to implement this stuff for Azure AD, Oracle IDCS, Okta and Google Firebase and do think any of them can follow the same process? My favorite moments so far have been logging bugs with Oracle and Okta where their solutions don't follow either the published standards or their own documentation. Both companies decided the best response to our bugs was to change their documentation. Oracle didn't even tell us, they just removed an entire section from the IDCS doco and closed our ticket as working as designed.

Have fun.
 

Similar threads

E9.2 BSSV to BSSV call asynchronously
Replies
0
Views
613
Dasgupta
salesforce123
A Beginner's Guide to Developing a Salesforce Connector
Replies
0
Views
637
salesforce123
salesforce123
E9.2 Showing hidden Group Box strange interaction with Full Elongation
Replies
0
Views
255
jlanawalt
E9.2 How to do AR and AP invoicing + bank statements in JDE
Replies
1
Views
260
cribeiro
JohnDanter2
E9.2 AIS calls - internal call speed vs external call speed and how to speed up external calls
Replies
5
Views
724
glen7x
Back
Top