Re: [nmh-workers] Thank You
From: Ken Hornstein
Subject: Re: [nmh-workers] Thank You
Date: Tue, 30 Apr 2019 21:03:36 -0400
>I think there may also be an option to use a personal token (which may
>have to be enabled). I cannot search for it at the moment, but I do
>recall seeing some discussion in the Davmail forums about using a token
>instead of MFA.
Here is my understanding of the situation. It certainly may be wrong
or incomplete.
- Aside from username/password, the "normal" way things are authenticated to
Office 365 is OAuth (there were other options with older protocols).
- The way that works in practice is your application (in this case DavMail)
opens up a web browser window, you enter in your second factor, and that
gets the OAuth bearer token.
- I won't get into the details of the OAuth protocol, but when you get the
bearer token, incorporated into it is a client software identifier (nmh
has one registered for Gmail, for example). So when I run DavMail the
authentication succeeds, but it then pulls up a window saying that an
administrator needs to enable DavMail to access email for this domain.
Clearly someone _registered_ DavMail (it had the DavMail icon and
everything), but I don't have the rights to make it work without getting
our Office 365 people involved.
- In theory you could put any client identifier and secret in there you
wanted, so if (for example) you could figure out the client identifier
and secret for, say, Outlook for Android you could use that (any
Android users want to spend some time trawling through the Outlook
client binary??). Although you need to run some app to enable those
mobile devices in O365, so maybe something else is needed.
I did see some of those messages you were talking about on the DavMail
user list, but all of the ones I saw were talking about things like RSA
tokens with Exchange (which use the older protocol, not Office 365).
What I have seen says for Office 365, you need OAuth and that means you're
kind of stuck if your domain doesn't allow the application identified
by the OAuth client identifier.
Again, I would like to stress that it is entirely possible my information
is incomplete or wrong.
--Ken
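To make the client-identifier point above concrete, here is an added example (not code from the thread, nmh or DavMail) showing the two places that identifier appears: the authorize URL a desktop client opens in the browser, and the claim inside the bearer token that a tenant-side allow-list would be checked against. The approved-app ids, the token and the helper names are constructed for illustration; the claim names `appid`/`azp` are the ones Azure AD uses, and a real check must verify the token signature first.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed placeholder: the application ids the tenant administrator has
# enabled. An unregistered or unapproved client id is what produces the
# "administrator needs to enable this application" screen Ken describes.
APPROVED_CLIENT_IDS = {"11111111-aaaa-4bbb-8ccc-000000000001"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authorize_url(authority, client_id, redirect_uri, scope):
    """URL a DavMail-style client opens in the browser (authorization code + PKCE).

    Returns (url, state, verifier); state and verifier must be kept by the client
    to validate the redirect and to redeem the code."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(32)
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}", state, verifier


def client_id_from_token(token: str):
    """Read the client id claim of a JWT bearer token (appid in v1.0, azp in v2.0).

    The claims are read WITHOUT signature verification here; in production,
    verify the signature against the issuer's keys before trusting any claim."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("appid") or claims.get("azp")


def client_is_approved(token: str) -> bool:
    """Tenant-side policy: only tokens issued to an approved application pass."""
    return client_id_from_token(token) in APPROVED_CLIENT_IDS


def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned (alg "none") token for demonstration only.
    return f"{_b64url(json.dumps({'alg': 'none', 'typ': 'JWT'}).encode())}.{_b64url(json.dumps(claims).encode())}."
```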