
Re: [nmh-workers] Thank You


From: Ken Hornstein
Subject: Re: [nmh-workers] Thank You
Date: Tue, 30 Apr 2019 21:03:36 -0400

>I think there may also be an option to use a personal token (which may
>have to be enabled). I cannot search for it at the moment, but I do
>recall seeing some discussion in the Davmail forums about using a token
>instead of MFA.

Here is my understanding of the situation.  It certainly may be wrong
or incomplete.

- Aside from username/password, the "normal" way things are authenticated to
  Office 365 is OAuth (there were other options with older protocols).
- The way that works in practice is your application (in this case DavMail)
  opens up a web browser window, you enter in your second factor, and that
  gets the OAuth bearer token.
- I won't get into the details of the OAuth protocol, but when you get the
  bearer token, incorporated into it is a client software identifier (nmh
  has one registered for Gmail, for example).  So when I run DavMail the
  authentication succeeds, but it then pulls up a window saying that an
  administrator needs to enable DavMail to access email for this domain.
  Clearly someone _registered_ DavMail (it had the DavMail icon and
  everything), but I don't have the rights to make it work without getting
  our Office 365 people involved.
- In theory you could put any client identifier and secret in there you
  wanted, so if (for example) you could figure out the client identifier
  and secret for, say, Outlook for Android you could use that (any
  Android users want to spend some time trawling through the Outlook
  client binary??).  Although you need to run some app to enable those
  mobile devices in O365, so maybe something else is needed.

I did see some of those messages you were talking about on the DavMail
user list, but all of the ones I saw were talking about things like RSA
tokens with Exchange (which use the older protocol, not Office 365).
What I have seen says for Office 365, you need OAuth and that means you're
kind of stuck if your domain doesn't allow the application identified
by the OAuth client identifier.

Again, I would like to stress that it is entirely possible my information
is incomplete or wrong.

--Ken
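The pieces Ken describes above (the client identifier sent in the authorization request, the browser round-trip that returns a code, the token request, and the client identity that ends up inside the bearer token) as an added, offline example; this is not code from nmh, DavMail or the original post. The endpoints, client id, redirect URI and the sample token are constructed for illustration, and the `appid`/`azp` claim names are an assumption about what an identity provider puts in its access tokens; the decoder does not verify the token's signature and must only be used to inspect a token you already hold, never to make an authorization decision.

```python
"""Added example: the OAuth 2.0 authorization-code flow as seen from a mail client.

Shows (1) where the client identifier goes in the authorization request,
(2) checking the browser callback, (3) the token request body, and
(4) reading which application id a returned bearer token carries.
All values below are constructed; none are real endpoints or credentials.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and registration values (assumptions, not real ones).
AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = "https://login.example.test/oauth2/v2.0/token"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # the registered app identity
REDIRECT_URI = "http://localhost:1080/callback"        # loopback redirect the client listens on


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """URL the client opens in the browser; client_id is what the tenant admin
    must have allowed, regardless of which user signs in."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the browser redirect, after
    checking 'state' so a code from another session cannot be injected."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in q:
        # e.g. the server refusing because the app is not approved for the tenant
        raise ValueError("authorization server returned error: %s" % q["error"][0])
    return q["code"][0]


def build_token_request(client_id, code, redirect_uri, client_secret=None):
    """Form body POSTed to TOKEN_ENDPOINT to exchange the code for tokens.
    The client identity is asserted again here; a confidential client adds its secret."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_client_id(access_token):
    """Read the application id claim from a JWT-shaped bearer token WITHOUT
    verifying it.  Useful only to see which client identity a token carries;
    claim names 'appid' (v1-style) and 'azp' (v2-style) are assumptions."""
    _header, payload, _sig = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims.get("appid") or claims.get("azp")


def _constructed_token(claims):
    # Builds an unsigned, JWT-shaped string purely so the decoder has input.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


# Constructed sample token: what the mail client would hold after the exchange.
CONSTRUCTED_TOKEN = _constructed_token(
    {"aud": "https://mail.example.test", "appid": CLIENT_ID, "scp": "Mail.Read"}
)


if __name__ == "__main__":
    url = build_authorize_url(CLIENT_ID, REDIRECT_URI, ["openid", "offline_access"], "s1")
    print("open in browser:", url)
    code = parse_callback(REDIRECT_URI + "?code=abc123&state=s1", "s1")
    print("token request body:", build_token_request(CLIENT_ID, code, REDIRECT_URI))
    print("token was issued to app:", token_client_id(CONSTRUCTED_TOKEN))
```

Running `token_client_id` on a real token your client obtained is the quick way to confirm which registered application the tenant saw; if that id is not one your Office 365 administrators have approved, no amount of re-entering the second factor will get past the "administrator needs to enable" screen described above.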