N/A Javamail to Outlook365 in BSSV with OAUTH2

craig_welton

craig_welton

Legendary Poster
Hi all,

This is a bit of a Hail Mary, but here it goes ...

We have a BSSV that connects to outlook365 using the javamail library and the IMAP protocol. It polls email accounts and integrates stuff in to JDE; been working great for years. MS is disabling this type of access which is considered "Basic Authentication" since we pass a user and password during the login. The "MODERN" authentication is based on OAUTH2 and seems to require interaction with an Azure application to get tokens etc. I have no experience with Azure and the documentation for calling the right endpoints is not clear to me. It currently seems like there needs to be interaction from a user to authenticate, which is not possible in our BSSV called from a UBE.

So hoping someone here has some experience with Azure and calling APIs to get a token for use with OAUTH2 and javamail.

thanks,
Craig
 
Craig, it's very very hairy with a steep learning curve. Best to find someone who's done it and can develop it for you. There should be Java people around, try Java forums, since you are already using Java here. My experience was completely Java-free.
 
Craig, it's very very hairy with a steep learning curve. Best to find someone who's done it and can develop it for you. There should be Java people around, try Java forums, since you are already using Java here. My experience was completely Java-free.
Hey Alex, nice to hear from you. I hope all is well. I was hoping this was just a chain of web API calls to end up with a token I can use in the login, but the MS documentation is all over the place. The Azure app setup adds a layer of obscurity. Maybe I'm just too old.
 
Yes, thanks. Been there, done that, have bitemarks ;-) Everything goes there these days, so we needed to support all that too. Doable, but fiddly. What do you need in the end? - a JWT you can send back in headers? What's your target hardware platform?
 
Yes, thanks. Been there, done that, have bitemarks ;-) Everything goes there these days, so we needed to support all that too. Doable, but fiddly. What do you need in the end? - a JWT you can send back in headers? What's your target hardware platform?
In the end, I don't want to change any of the javamail logic in the BSSV, other than authorization process. OAUTH2 is available when connecting, I just don't understand how to get the token from Azure. We just pull the emails from a mailbox and store as a media object(s) along with a message header table. Mainly used for PO and workflow approvals from user's phones.
 
Not sure about using IMAP with Azure AD which is what I assume you're trying to do. We use Microsoft Graph to integrate with their Microsoft's cloud services (Email, Sharepoint etc) and you can find details on authentication here:

I'm guessing if you're going down the IMAP route you'd probably need to set up a Personal Access Token for the service account you're using and then from there you can complete the authentication process without prompts from the user. You can set the expiry on the PAT so that it has a long TTL.
 
Not sure about using IMAP with Azure AD which is what I assume you're trying to do. We use Microsoft Graph to integrate with their Microsoft's cloud services (Email, Sharepoint etc) and you can find details on authentication here:

I'm guessing if you're going down the IMAP route you'd probably need to set up a Personal Access Token for the service account you're using and then from there you can complete the authentication process without prompts from the user. You can set the expiry on the PAT so that it has a long TTL.
Hi Russell,

Thanks for your input. We're looking to continue using IMAP since the solution is already working and is technically supported. The issue is with authentication. From my understanding (which is lean), using Microsoft Graph for the solution would require reading emails in JSON format from API calls. Is that correct? (which would require a big refactoring project) I'll see what I can find out about the PAT.

thanks again,
Craig
 
Hi Russell,

Thanks for your input. We're looking to continue using IMAP since the solution is already working and is technically supported. The issue is with authentication. From my understanding (which is lean), using Microsoft Graph for the solution would require reading emails in JSON format from API calls. Is that correct? (which would require a big refactoring project) I'll see what I can find out about the PAT.

thanks again,
Craig
Yes, Microsoft Graph is a REST API and not a native IMAP/POP3 type solution.

You may want to have a look at https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-overview with details on how to get an access token using different techniques and libraries. The PAT approach still requires you to generate an access token, it more allows you to bypass things like user access acceptance and MFA as part of the process.

The documentation on the OAuth2 flows can be found at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols

If it makes you feel any better we've had to implement this stuff for Azure AD, Oracle IDCS, Okta and Google Firebase and do think any of them can follow the same process? My favorite moments so far have been logging bugs with Oracle and Okta where their solutions don't follow either the published standards or their own documentation. Both companies decided the best response to our bugs was to change their documentation. Oracle didn't even tell us, they just removed an entire section from the IDCS doco and closed our ticket as working as designed.

Have fun.
 
Back
Top