Oauth2 scope query - is it me or is it the setup at office365 end?

Question

0.00/5 (No votes)

See more:

Hi code, is in vb.net, I can acquire a authtoken if I specify .default - but if I try to specify Mail.Send for example, I dont get an authtoken:
(smtpoauth2_* are vars)

Dim redirectUri = "http://localhost:3017"


       Dim scopes = New List(Of String) From {
           ".default"
       }


   Dim confidentialClient = ConfidentialClientApplicationBuilder.Create(SMTPOAUTH2_CLIENT_ID).WithClientSecret(SMTPOAUTH2_CLIENT_SECRET).WithAuthority(New Uri(SMTPOAUTH2_AUTHORENDPOINT)).WithRedirectUri(redirectUri).Build()
           Dim accessTokenRequest = confidentialClient.AcquireTokenForClient(scopes)
           accessToken = accessTokenRequest.ExecuteAsync().Result.AccessToken

I thought under the .default, I just acquire "whatever I am allowed to", hence I get an AuthToken, but when I try to send email, I get

SmtpCmdResp: 530 5.7.57 Client not authenticated to send mail. [LO4P265CA0055.GBRP265.PROD.OUTLOOK.COM]

What I have tried:

have tried (separately) Mail.Send, Mail.Write and .default

.default gives me an authtoken, but the email error message and mail.send and mail.write will not give me authtoken

ChilkatLog:
  SendEmail:
    DllDate: Aug 25 2018
    ChilkatVersion: 9.5.0.75
    UnlockPrefix: FRHGTN.CB1032019
    Architecture: Little Endian; 32-bit
    Language: .NET 4.0
    VerboseLogging: 0
    Component successfully unlocked using purchased unlock code.
    sendEmailInner:
      renderToMime_pt1:
        createEmailForSending:
          Auto-generating Message-ID
        --createEmailForSending
      --renderToMime_pt1
      sendMimeInner:
        ensureSmtpSession:
          ensureSmtpConnection:
            smtpParams:
              SmtpHost: smtp.office365.com
              SmtpPort: 587
              SmtpUsername: XXXXXXXXXX
              SmtpSsl: 0
              StartTLS: 1
            --smtpParams
            smtpConnect:
              smtpHostname: smtp.office365.com
              smtpPort: 587
              connectionIsReady:
                Need new SMTP connection
              --connectionIsReady
              smtpSocketConnect:
                socketOptions:
                  SO_SNDBUF: 262144
                  SO_RCVBUF: 4194304
                  TCP_NODELAY: 1
                  SO_KEEPALIVE: 1
                --socketOptions
              --smtpSocketConnect
              smtpGreeting:
                readSmtpResponse:
                  SmtpCmdResp: 220 LO4P123CA0388.outlook.office365.com Microsoft ESMTP MAIL Service ready at Fri, 9 Dec 2022 12:41:44 +0000
                --readSmtpResponse
              --smtpGreeting
              startTLS:
                sendCmdToSmtp:
                  SmtpCmdSent: EHLO DESKTOP-DM5MON3<CRLF>
                --sendCmdToSmtp
                readSmtpResponse:
                  SmtpCmdResp: 250-LO4P123CA0388.outlook.office365.com Hello [XXXXXXXXXX]
                  SmtpCmdResp: 250-SIZE 157286400
                  SmtpCmdResp: 250-PIPELINING
                  SmtpCmdResp: 250-DSN
                  SmtpCmdResp: 250-ENHANCEDSTATUSCODES
                  SmtpCmdResp: 250-STARTTLS
                  SmtpCmdResp: 250-8BITMIME
                  SmtpCmdResp: 250-BINARYMIME
                  SmtpCmdResp: 250-CHUNKING
                  SmtpCmdResp: 250 SMTPUTF8
                --readSmtpResponse
                sendCmdToSmtp:
                  SmtpCmdSent: STARTTLS<CRLF>
                --sendCmdToSmtp
                readSmtpResponse:
                  SmtpCmdResp: 220 2.0.0 SMTP server ready
                --readSmtpResponse
                TLS connection established.
              --startTLS
              ehloCommand:
                sendCmdToSmtp:
                  SmtpCmdSent: EHLO DESKTOP-DM5MON3<CRLF>
                --sendCmdToSmtp
                readSmtpResponse:
                  SmtpCmdResp: 250-LO4P123CA0388.outlook.office365.com Hello [XXXXXXXXXX]
                  SmtpCmdResp: 250-SIZE 157286400
                  SmtpCmdResp: 250-PIPELINING
                  SmtpCmdResp: 250-DSN
                  SmtpCmdResp: 250-ENHANCEDSTATUSCODES
                  SmtpCmdResp: 250-AUTH LOGIN XOAUTH2
                  SmtpCmdResp: 250-8BITMIME
                  SmtpCmdResp: 250-BINARYMIME
                  SmtpCmdResp: 250-CHUNKING
                  SmtpCmdResp: 250 SMTPUTF8
                --readSmtpResponse
              --ehloCommand
            --smtpConnect
          --ensureSmtpConnection
          ensureSmtpAuthenticated:
            SmtpAuthMethod: XOAUTH2
            smtpAuthenticate:
              smtp_host: smtp.office365.com
              smtp_port: 587
              smtp_user: XXXXXXXXXX
              auth-method: XOAUTH2
              smtpAuthMethod: XOAUTH2
              smtpAuthenticate:
                login_method: NONE or already authenticated
              --smtpAuthenticate
              ConnectionType: SSL/TLS
            --smtpAuthenticate
          --ensureSmtpAuthenticated
        --ensureSmtpSession
        sendSmtpEmail:
          sendWithPipelining:
            sendMailFrom:
              mailFrom: XXXXXXXXXX
              sendCmdToSmtp:
                SmtpCmdSent: MAIL FROM:<XXXXXXXXXX><CRLF>
              --sendCmdToSmtp
            --sendMailFrom
            sendRcptTo:
              sendCmdToSmtp:
                SmtpCmdSent: RCPT TO:<XXXXXXXXXX><CRLF>
              --sendCmdToSmtp
            --sendRcptTo
            sendCmdToSmtp:
              SmtpCmdSent: DATA<CRLF>
            --sendCmdToSmtp
            readSmtpResponse:
              SmtpCmdResp: 530 5.7.57 Client not authenticated to send mail. [LO4P123CA0388.GBRP123.PROD.OUTLOOK.COM]
            --readSmtpResponse
            readRcptTo:
              readSmtpResponse:
                isConnected_recv_peek:
                  SocketError: WSAECONNRESET An existing connection was forcibly closed by the remote host.
                  For more information see this Chilkat Blog post: http://www.cknotes.com/?p=217
                --isConnected_recv_peek
              --readSmtpResponse
            --readRcptTo
            Failed to read RCPT TO response.
          --sendWithPipelining
        --sendSmtpEmail
      --sendMimeInner
    --sendEmailInner
    Failed.
  --SendEmail
--ChilkatLog

Posted 9-Dec-22 1:46am

Member 12561559

Updated 13-Dec-22 23:35pm

Add a Solution

Comments

Graeme_Grant 9-Dec-22 19:55pm

It looks like you are using a "read-only" scope. Check the available scopes for a "write" scope.

Member 12561559 12-Dec-22 3:33am

How will I know if its set to read-only ? Ive had a guy who has access to the office365 website and he's put in smtp.send and mail.write as scopes, but he's not a manager of email, he's had the job dumped on him, so we're trying to figure it out together but its like the blind leading the blind, even following examples given by chilkat and other websites regarding setting up.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Answer 1 · 2022-12-13T23:35:00

According to the documentation, the "scopes" for the client credentials flow must be:
https://outlook.office365.com/.default

But there are several steps you need to take to grant the necessary permissions to your application:
Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Learn[^]

In particular, you need to register the service principal in Exchange, and then grant that principal permission on the relevant mailbox. This involves executing some Powershell commands:

PowerShell

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline ...

# The OBJECT_ID is the Object ID from the Overview page of the Enterprise Application node (Azure Portal) for the application registration. 
# It is NOT the Object ID from the Overview of the App Registrations node.
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> 

Get-ServicePrincipal | fl

# SERVICE_PRINCIPAL_ID is the Id property listed from the previous command.
Add-MailboxPermission -Identity "<MAILBOX>" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess

Connect to Exchange Online PowerShell | Microsoft Learn[^]