Improve handling of oauth2_scope and redirect_uri misconfiguration (

#60) Support (but discourage) use without `offline` scopes; add further documentation for `redirect_uri` and O365 `offline_access`, and try to catch misconfigurations of this parameter.
simonrob · Sep 6, 2022 · 8c874c2 · 8c874c2
1 parent 5579ac3
commit 8c874c2
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 72 deletions.
diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ As part of the proxy setup process you need to provide an OAuth 2.0 `client_id`
 
 If you have an existing client ID and secret for a desktop app, you can use these directly in the proxy. If this is not possible, you can also reuse the client ID and secret from any email client that supports IMAP/POP/SMTP OAuth 2.0 authentication with the email server you would like to connect to (such as the [various](https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Providers.jsm) [open](https://github.com/Foundry376/Mailspring/blob/master/app/internal_packages/onboarding/lib/onboarding-constants.ts) [source](https://gitlab.gnome.org/GNOME/evolution-data-server/-/blob/master/CMakeLists.txt) [clients](https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/blob/master/meson_options.txt) with OAuth 2.0 support), but please do this with care and restraint as access through reused tokens will be associated with the token owner rather than your own client.
 
-If you do not have access to credentials for an existing client you will need to register your own. The process to do this is different for each provider, but the registration guides for several common ones are linked below. In all cases, when registering, make sure your client is set up to use an OAuth scope that will give it permission to access IMAP/POP/SMTP as desired (see the sample configuration file for examples).
+If you do not have access to credentials for an existing client you will need to register your own. The process to do this is different for each provider, but the registration guides for several common ones are linked below. In all cases, when registering, make sure your client is set up to use an OAuth scope that will give it permission to access IMAP/POP/SMTP as desired. It is also highly recommended to use a scope that will grant "offline" access (i.e., a way to [refresh the OAuth 2.0 authentication token](https://oauth.net/2/refresh-tokens/) without user intervention). The sample configuration file provides example scope values for several common providers.
 
 - Office 365: register a new [Microsoft identity application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
 - Gmail / Google Workspace: register a [Google API desktop app client](https://developers.google.com/identity/protocols/oauth2/native-app)

diff --git a/emailproxy.config b/emailproxy.config
@@ -82,6 +82,10 @@ documentation = Accounts are specified using your email address as the section h
  See the proxy's README.md file for more information and further configuration options.
 
  Office 365 customisation:
+ - Unlike other providers, Office 365 requires an OAuth 2.0 scope that explicitly specifies `offline_access` (shown
+ in the example below) in order to allow the proxy to refresh its access token on your behalf. The proxy will still
+ work if this parameter is not included, but you will need to re-authenticate extremely often (about once per hour).
+
  - If your Office 365 configuration requires a tenant ID, place it in both `permission_url` and `token_url` in place
  of `common` in the example below. For more detail about this, and guides for setting up your desktop app API client,
  see the documentation at https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.
@@ -93,7 +97,9 @@ documentation = Accounts are specified using your email address as the section h
  setup, delete the `client_secret` line from your account's configuration entry (do not leave the default value).
 
  Advanced account configuration:
- - For most configurations the default `redirect_uri` value of `http://localhost` is correct, but when using the
+ - For most configurations the default `redirect_uri` value of `http://localhost` is correct, unless you have
+ explicitly set your OAuth 2.0 client to use a different address here (which you will need to manually redirect to
+ the proxy). Please also note that this address is `http` and not `https` (which is not supported). When using the
  `--local-server-auth` proxy option you will need to either run the script via sudo (to use the implicit default port
  80) or specify a different port (and/or a different host) - for example, `redirect_uri = http://localhost:8080`. In
  addition, if you are using this proxy option in a configuration that is not directly exposed (such as a container or