mutt_oauth2.py.README : instructions do not work for Azure tenant
The README has the following instructions for generating a client_id and client_secret on Office365.
-- How to create a Microsoft registration --
Go to portal.azure.com, log in with a Microsoft account (get a free
one at outlook.com), then search for "app registration", and add a
new registration. On the initial form that appears, put a name like
"Mutt", allow any type of account, and put "http://localhost/" as
the redirect URI, then more carefully go through each
screen:
Branding
- Leave fields blank or put in reasonable values
- For official registration, verify your choice of publisher domain
Authentication:
- Platform "Mobile and desktop"
- Redirect URI "http://localhost/"
- Any kind of account
- Enable public client (allow device code flow)
API permissions:
- Microsoft Graph, Delegated, "offline_access"
- Microsoft Graph, Delegated, "IMAP.AccessAsUser.All"
- Microsoft Graph, Delegated, "POP.AccessAsUser.All"
- Microsoft Graph, Delegated, "SMTP.Send"
- Microsoft Graph, Delegated, "User.Read"
Overview:
- Take note of the Application ID (a.k.a. Client ID), you'll need it shortly
End users who aren't able to get to the app registration screen within
portal.azure.com for their work/school account can temporarily use an
incognito browser window to create a free outlook.com account and use that
to create the app registration.
Edit the client_id (and client_secret if there is one) into the
mutt_oauth2.py script.
I think the following instruction is incorrect, at least for Azure tenants:
Authentication:
- Platform "Mobile and desktop"
I used the Thunderbird client_secret and client_id to successfully connect to an Office365 account at my organization. Then I was given access to the App Registration component of the portal. When I tried to set up an app registration for my own client_id and client_secret using the instructions, I got the following error:
AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.
It turns out that there are different kinds of classifications for the different platforms offered in app registration. The "Mobile and desktop" platform is considered a public platform, and cannot transfer confidential information like client_secrets. The "Web" platform is considered confidential. Documentation about that is here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications . Switching to the "Web" platform fixed this.
In the Web platform there is an entry for "Front-channel logout URL", which I left blank. There were two other checkboxes, both of which I checked: for "Implicit Grant and Hybrid Flows" I selected both "Access Tokens" and "ID Tokens". I am not sure whether they are both necessary.
I do not know whether the given instructions are wrong for everybody or just me. In particular I did not try to set up an outlook.com account with Mutt.
Also: it is my belief that Thunderbird also sets up its App Registration this way (using confidential rather than public apps), and it is causing problems for them. See https://bugzilla.mozilla.org/show_bug.cgi?id=1685414
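The public-versus-confidential distinction the report describes, shown from the client side as an added example (this is not code from the report, from mutt_oauth2.py, or from Thunderbird). It builds the PKCE authorization URL for the "http://localhost/" redirect in the README, extracts the code from the redirect, and assembles the /token form body, refusing to attach a client_secret to a public-client request (the case that the server rejects with AADSTS700025) and requiring one for a confidential registration. The "common" authority URL, the resource-qualified IMAP/SMTP scope strings and all helper names are assumptions for the example, not taken from the page.

```python
# Added example, not code from the bug report or from mutt_oauth2.py.
# Assumed (not from the page): the authority URL, the scope identifiers
# used for the README's delegated permissions, and the helper names.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"  # assumed
REDIRECT_URI = "http://localhost/"  # redirect URI from the README
SCOPES = [  # assumed scope identifiers for the README's delegated permissions
    "offline_access",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
]


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    """43-character URL-safe verifier. PKCE is what lets a public client,
    which has no secret, bind the authorization code to this process."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def authorization_url(client_id: str, verifier: str, state: str) -> str:
    """URL the user opens in a browser; the code comes back on REDIRECT_URI."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?" + urlencode(params)


def parse_redirect(url: str, expected_state: str) -> str:
    """Pull the authorization code out of the localhost redirect, refusing a
    response whose state does not match (CSRF check) or that carries an error."""
    query = parse_qs(urlparse(url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch; discarding response")
    return query["code"][0]


def token_request(client_id, public_client, client_secret=None, **grant_fields):
    """Form body for the /token endpoint. A 'Mobile and desktop' registration
    is a public client: presenting client_secret is what the server rejects
    with AADSTS700025. A 'Web' registration is confidential and must send it."""
    if public_client and client_secret is not None:
        raise ValueError("public client: do not send client_secret (AADSTS700025)")
    if not public_client and not client_secret:
        raise ValueError("confidential client: client_secret required")
    body = {"client_id": client_id, "scope": " ".join(SCOPES), **grant_fields}
    if not public_client:
        body["client_secret"] = client_secret
    return body


def code_exchange(client_id, code, verifier, public_client, client_secret=None):
    """authorization_code grant; code_verifier proves we started this flow."""
    return token_request(client_id, public_client, client_secret,
                         grant_type="authorization_code", code=code,
                         redirect_uri=REDIRECT_URI, code_verifier=verifier)


def refresh(client_id, refresh_token, public_client, client_secret=None):
    """refresh_token grant, the request a mail client repeats at every login."""
    return token_request(client_id, public_client, client_secret,
                         grant_type="refresh_token", refresh_token=refresh_token)


if __name__ == "__main__":
    # Constructed walk-through with placeholder identifiers, not real values.
    cid = "00000000-0000-0000-0000-000000000000"
    verifier, state = new_pkce_verifier(), secrets.token_urlsafe(16)
    print(authorization_url(cid, verifier, state))
    code = parse_redirect(f"http://localhost/?code=M.abc123&state={state}", state)
    print(code_exchange(cid, code, verifier, public_client=True))
    print(refresh(cid, "0.rt", public_client=False, client_secret="s3cr3t"))
```

The two grant helpers only build the form body; posting it to `AUTHORITY + "/token"` and parsing the JSON reply is left out so the example runs offline. The point to carry over to a real client is the branch in token_request: which platform the registration uses decides whether client_secret belongs in the request at all, and the script should fail locally rather than let the server answer with AADSTS700025.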