OAuth and Microsoft

[bdin1]

I've seen a few posts that discuss Google's OAuth, is their something for Microsoft? I already have a process to get email, but the sending processing is a little crazy. I like PHPMailer's easy interface and if I can just change a few lines of code it would be a but easier than trying to re-create all of my emailing pages.

[Synchro]

Yes. Microsoft uses exactly the same mechanism as Google, just with different params. The key setup script provided with PHPMailer handles Microsoft already, so read the code and use that.

[decomplexity]

Note firstly that Steve Maguire’s ‘provider’ Stevenmaguire\OAuth2\Client\Provider\Microsoft was apparently written for Windows Live Mail (see for example the WLM scopes in get_oauth_token.php) and has had little maintenance since then. Jan Hajek’s thenetworg/oauth2-azure is still under active development and works well with PHPMailer. We use it on all our websites.

You will almost certainly run into the traps that MSFT have unintentionally left for the unwary, and they seem to have made things difficult for the developer; perhaps they just wanted to get everyone using MSAL and Graph!
To pre-empt problems, see the ‘MSFT OAuth2 quirks.md’ document in GitHub decomplexity/SendOauth2. In summary, your target resource should be https://outlook.office.com/ and not https://graph.microsoft.com/ or an SMTP connection from PHPMailer will try to use Graph itself as an interface to Exchange Online (the way MSFT would like you to work) and not a direct connection to outlook.office.com from PHPMailer (which is the way you do want to work). But outlook.office.com does not appear in AAD’s resource list in a resource to which you can add permissions, so to get round this, you add almost all the permissions needed via app scopes.

It is worth noting, that – unlike Google – MSFT now revoke refresh tokens after 90 days maximum and client secrets after 2 years maximum. Neither PHPMailer nor League oauth2-client provide refresh token refreshment, even though a new refresh token is optionally available from the endpoint when each access token is acquired.
The way round this involves a one-line addition to TheLeague’s \AccessToken.php plus a few lines of code in your own app.

Note finally that the more elegant way to authorise a backend service such as PHPMailer is with client credentials grants rather then the more general authorization_code grants. In June, MSFT announced client_credentials grant support for IMAP and POP but not SMTP. I queried this with MSFT and Steve Taylor of the Exchange team confirmed to me that this is still work in progress. Adding PHPMailer support for client credentials grants involves a minor update to the OAuth.php only; TheLeague’s oauth2-client already supports it.

[Synchro]

Great info, thanks

[bdin1]

So, I have tried some of the sample code, and receive
Call to a member function getAccessToken() on string in C:\inetpub\wwwroot\vendor\phpmailer\phpmailer\src\OAuth.php:113
I already have a token, I just need to see about using it and not worrying about having to check it out
$mail->setOAuth(
new OAuth(
[
'provider' => $provider,
'clientId' => $clientId,
'clientSecret' => $clientSecret,
'refreshToken' => $refreshToken, (pulled from a file and it is good)
'userName' => $email,
]
)
);

[bdin1]

I think I found a work around in the OAuth
public function getOauth64()
{
//Get a new token if it's not available or has expired
/* commented out
if (null === $this->oauthToken || $this->oauthToken->hasExpired()) {
// $this->oauthToken = $this->getToken();//double commented out
}
*/
return base64_encode(
'user=' .
$this->oauthUserEmail .
"\001auth=Bearer " .
$this->oauthToken .
"\001\001"
);

}

public function __construct($options)
{
// $this->provider = $options['provider'];
$this->oauthUserEmail = $options['userName'];
// $this->oauthClientSecret = $options['clientSecret'];
// $this->oauthClientId = $options['clientId'];
// $this->oauthRefreshToken = $options['refreshToken'];
$this->oauthToken = $options['Token']; //added in to have token that I know is good

I pass the useremail/username and the token .
Now I get SMTP ERROR: AUTH command failed: 535 5.7.3 Authentication unsuccessful

[bdin1]

When using XOUTH2 and the token, is it the same token you get for the entire APP that was built in Azure? If so do we need to add in the tenet information? This appears that it should be pretty easy, but I can't get the auth process to work

[decomplexity]

In your https://login.microsoftonline.com/ API call, you could use a specific tenant ID (domain name or GUID**) or 'common' (for multi-tenant) or (indicating that the tenant is work or school account) 'organizations' .
When using PHPMailer as a background (demon) application, any of them should work.

** - the GUID is the ID of your AAD instance

[decomplexity]

Ducking why you want to authorize with an existing access token instead of letting a ‘provider’ plus TheLeague’s OAuth2 code do it for you using a refresh token, it is worth confirming that your ‘good’ access token really is good. It will help if you could provide the decoded token (if the token is still 64-based, debase with e.g. base64decode.org, followed by a token decode with e.g. jwt.ms or jwt.io) with anything sensitive redacted. If the ‘aud’ field is 00000003-0000-0000-c000-000000000000 (i.e. Graph) instead of https://outlook.office.com/ authorization will fail. You also need an ‘scp’ of SMTP.Send.
If you have any Graph-specific scopes such as Mail.Send, this will force a change of aud to Graph instead of office.outlook.com.
Finally also check the time fields: access tokens have a very short life.

[bdin1]

I think I found one of the main issues, I'm trying to use the Microsoft Graph token to authenticate for SMTP and as you stated it doesn't work and will not work. I have a process that refreshes my token every hour, so I thought I was good. I have asked my IT folks that help to create the app on Azure to add in the SMTP to the current program or maybe create a new one. - Thank you for your help on this, I have been using PHPMailer for several years with basic authentication and now that is going away, I am scrambling to get this fixed.

The Microsoft Graph way of sending emails is overly complicated from the testing that I have done and PHPMailer is so much easier

[bdin1]

when using the gmail example, i see the code below, since we are using Office 365, what should we put in for Provider? Microsoft or a web link?
$mail->setOAuth(
new OAuth(
[
'provider' => $provider,
'clientId' => $clientId,
'clientSecret' => $clientSecret,
'refreshToken' => $refreshToken,
'userName' => $email,

    ]
)

);

[bdin1]

Another dump question - Looking at the stevenmaguire](https://github.com/stevenmaguire)
// Required
'clientId' => '{microsoft-client-id}',
'clientSecret' => '{microsoft-client-secret}',
'redirectUri' => 'https://example.com/callback-url',

The redirectUri is that something on my local machine that I need to have for a token or something like office.outlook.com/SMTP.Send

[decomplexity]

For provider, use Jan Hajek’s Azure.
Since you have already used PHPMailer with basic authentication, I trust you have installed using Composer. If not, now is the time.

If not:
require 'vendor/thenetworg/oauth2-azure/src/Provider/Azure.php';

Then:
use TheNetworg\OAuth2\Client\Provider\Azure;

$this->provider = new Azure(
                    [
                    'clientId'          => $this->clientId,
                    'clientSecret'      => $this->clientSecret,
                    'redirectUri'       => $this->redirectURI,
                    ]
                );

Then

 setOAuth(
           new OAuth(
               [
               'provider' => $this->provider,
               etc as you proposed.
                ]
           )
       );

The redirectURI must be EXACTLY the same as the redirectURI you specify to AAD when setting up the app, similar to that shown in get_oauth_token.php in the PHPMailer code example. It is the URL of your PHP script that MSFT's authorization server returns to with an authorization code and is usually the same script that called the authorization server.

Note finally that your SMTP server should be: 'smtp.office365.com'
And the scope to be authorized should be 'offline_access https://outlook.office.com/SMTP.Send';

[bdin1]

I would like to thank everyone for input and help. I would like to close this out, I wasn't able to get this working and looking at the permissions from the decoded Token, I just don't don't see it available. I will look at other options like Microsoft Graph

Thank you all again for the help

[decomplexity]

A pity, since you are already as PHPMailer user – but understandable.
If you decide to switch tack again back from Graph to PHPMailer, please feel free to contact me via decomplexity.com (which, unsurprisingly, uses PHPMailer with MSFT OAuth2...).

[Synchro]

I recommend having a look at app passwords. You should be able to create one of those and then use it exactly like an old-style username and password, without any of the complexity and confusion of OAuth.

[Synchro]

Anyone looking for solutions for Azure, please take a look at this.