Institutional Office365 not working

Hi everyone

I am using 1.9.1 now. There are still issues with short-lived refresh tokens. Microsoft is probably not giving out a new refresh token when Mailspring fetches the access token. They probably only serve the original one.
I guess the solution is to find a way to make Microsoft issue longer-lived refresh tokens.

Mailspring Version: 1.9.1-30ef802f
Platform: linux
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

251655 [2021-04-19 22:57:51.356] [main] [info] Identity created at 1607501098 - using ID Schema 1
251655 [2021-04-19 22:57:51.357] [main] [info] ------------- Starting Sync (Havard.Korsvoll@*******.com) ---------------
251655 [2021-04-19 22:57:51.364] [metadata] [info] Metadata delta stream starting...
251655 [2021-04-19 22:57:52.364] [background] [info] Fetching XOAuth2 access token (office365) for 2........4
251655 [2021-04-19 22:57:52.676] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-04-18T20:06:09.9921920+00:00 and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: d4d0638e-d304-464d-bcb4-cbc2e17f4900\\r\\nCorrelation ID: 9ae91127-2af9-49d0-95ac-cfb95c98b2c6\\r\\nTimestamp: 2021-04-19 20:57:52Z\",\"error_codes\":[700081],\"timestamp\":\"2021-04-19 20:57:52Z\",\"trace_id\":\"d4d0638e-d304-464d-bcb4-cbc2e17f4900\",\"correlation_id\":\"9ae91127-2af9-49d0-95ac-cfb95c98b2c6\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***
4 Likes

I’m facing the same problem with Office365 on macOS. Here is a part of the log of the problem:

Mailspring Version: 1.9.1-30ef802f
Platform: darwin
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

73589 [2021-04-22 12:29:05.639] [background] [critical] *** Stack trace (line numbers are approximate):
*** in mailsync  ValidateRequestResp(CURLcode, void*, string)
*** in mailsync  PerformRequest(void*)
*** in mailsync  PerformJSONRequest(void*)
*** in mailsync  MakeOAuthRefreshRequest(string, string, string)
*** in mailsync  XOAuth2TokenManager::partsForAccount(shared_ptr)
*** in mailsync  MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** in mailsync  SyncWorker::configure()
*** in mailsync  runBackgroundSyncWorker()
*** in mailsync  main::$_6::operator()() const
*** in mailsync  void* __thread_proxy(void*)
*** in mailsync  thread_start()
***

73598 [2021-04-22 12:29:05.844] [main] [info] Identity created at 1619087345 - using ID Schema 1
73598 [2021-04-22 12:29:05.852] [main] [info] ------------- Starting Sync (commissaricna@fibs.it) ---------------
73598 [2021-04-22 12:29:05.865] [metadata] [info] Metadata sync disabled, not logged in.
73598 [2021-04-22 12:29:07.865] [background] [info] Fetching XOAuth2 access token (office365) for 40f968ef
73598 [2021-04-22 12:29:08.365] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-04-19T15:03:54.5612034+00:00 and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: 53b61948-44d0-40cd-aac2-183fb2c52700\\r\\nCorrelation ID: e5a22a79-817a-456b-85ce-83c21b9b939b\\r\\nTimestamp: 2021-04-22 10:29:08Z\",\"error_codes\":[700081],\"timestamp\":\"2021-04-22 10:29:08Z\",\"trace_id\":\"53b61948-44d0-40cd-aac2-183fb2c52700\",\"correlation_id\":\"e5a22a79-817a-456b-85ce-83c21b9b939b\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***

Hoping that the fix is coming very soon.

Alex.
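The exception quoted in the two posts above is mailsync's token-refresh failure serialised as JSON, with Azure AD's own JSON reply nested inside debuginfo. The script below is an added example, not part of Mailspring or of this thread: it parses such a line, extracts the AADSTS code, the issue time and the lifetime (which AAD prints as a .NET TimeSpan, d.hh:mm:ss), and checks whether the token is in fact past its maximum lifetime. It also reads retryable from the outer record, which is false here because a refresh grant that fails for this reason cannot succeed on retry and the only recovery is a new interactive sign-in. The two sample lines are the 700081 line quoted above and the 700084 variant that appears further down in this thread, copied verbatim; the CAUSES text paraphrases each error_description.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two "*** {...}" exception lines quoted in this thread
# (AADSTS700081 from the first post, AADSTS700084 from a later one), copied verbatim.
SAMPLE_LINES = [
    r"""*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-04-18T20:06:09.9921920+00:00 and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: d4d0638e-d304-464d-bcb4-cbc2e17f4900\\r\\nCorrelation ID: 9ae91127-2af9-49d0-95ac-cfb95c98b2c6\\r\\nTimestamp: 2021-04-19 20:57:52Z\",\"error_codes\":[700081],\"timestamp\":\"2021-04-19 20:57:52Z\",\"trace_id\":\"d4d0638e-d304-464d-bcb4-cbc2e17f4900\",\"correlation_id\":\"9ae91127-2af9-49d0-95ac-cfb95c98b2c6\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}""",
    r"""*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on 2021-09-15T07:53:08.6207667+00:00.\\r\\nTrace ID: 2675aa75-1fd9-42ad-b0c7-ad3ca49d0a00\\r\\nCorrelation ID: b0b5f84d-bda0-43c6-ade9-22e9fa7fad5b\\r\\nTimestamp: 2021-09-16 08:21:51Z\",\"error_codes\":[700084],\"timestamp\":\"2021-09-16 08:21:51Z\",\"trace_id\":\"2675aa75-1fd9-42ad-b0c7-ad3ca49d0a00\",\"correlation_id\":\"b0b5f84d-bda0-43c6-ade9-22e9fa7fad5b\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700084\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}""",
]

# A mailsync exception line is "*** " followed by one JSON object.
EXC_LINE = re.compile(r"^\*\*\* (\{.*\})\s*$")
# "issued on 2021-04-18T20:06:09.9921920+00:00": AAD prints 7 fractional digits,
# which strptime's %f cannot take, so the fraction is matched and dropped.
ISSUED_ON = re.compile(
    r"issued on (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?([+-]\d{2}:\d{2})"
)
# .NET TimeSpan as printed by AAD: d.hh:mm:ss, in both the 700081 and 700084 wordings.
LIFETIME = re.compile(
    r"lifetime (?:for this application is|of) (\d+)\.(\d{2}):(\d{2}):(\d{2})"
)

# Paraphrase of the error_description text for the two codes seen in this thread.
CAUSES = {
    700081: "refresh token exceeded the maximum lifetime set for this app registration",
    700084: "refresh token was issued to a single-page app (SPA) and has a fixed 24h lifetime",
}


def parse_lifetime(desc):
    m = LIFETIME.search(desc)
    if not m:
        return None
    d, h, mi, s = (int(x) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def parse_issued(desc):
    m = ISSUED_ON.search(desc)
    if not m:
        return None
    return datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%dT%H:%M:%S%z")


def classify_mailsync_line(line):
    """Describe a token-endpoint failure logged by mailsync; None for any other line."""
    m = EXC_LINE.match(line)
    if not m:
        return None
    outer = json.loads(m.group(1))
    endpoint, sep, body = outer.get("debuginfo", "").partition(" RETURNED ")
    if not sep:
        return None
    inner = json.loads(body)  # Azure AD's own error document
    codes = inner.get("error_codes") or []
    code = codes[0] if codes else None
    desc = inner.get("error_description", "")
    issued = parse_issued(desc)
    lifetime = parse_lifetime(desc)
    observed = datetime.strptime(inner["timestamp"], "%Y-%m-%d %H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    expires = issued + lifetime if (issued and lifetime) else None
    return {
        "endpoint": endpoint,
        "error": inner.get("error"),
        "aadsts": code,
        "cause": CAUSES.get(code, "other token endpoint failure"),
        "issued_at": issued,
        "lifetime": lifetime,
        "expires_at": expires,
        "observed_at": observed,
        "expired": bool(expires and observed >= expires),
        "retryable": outer.get("retryable", False),
        "trace_id": inner.get("trace_id"),
        "correlation_id": inner.get("correlation_id"),
    }


def scan(lines):
    """Classify every mailsync exception line in an iterable of log lines."""
    return [r for r in (classify_mailsync_line(l) for l in lines) if r]


if __name__ == "__main__":
    for r in scan(SAMPLE_LINES):
        lived = r["observed_at"] - r["issued_at"]
        print(
            f"AADSTS{r['aadsts']}: {r['cause']}; token lived {lived}, limit {r['lifetime']}, "
            f"expired={r['expired']}, retryable={r['retryable']}, trace={r['trace_id']}"
        )
```

The trace_id and correlation_id are what a tenant administrator needs to look the request up in the Azure AD sign-in logs; the script keeps them for that reason rather than discarding them with the rest of the text.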

I just wanted to say that this worked for me.
I was getting “An unknown error has occurred (mailsync: 3765269347)” but after adding authenticated SMTP to my account, I was able to login and start using Mailspring.
Just wanted to contribute my results.

Thanks for sharing with the class. :smiley:

I have the same problem and would like to identify a solution!

Hi all

I have done some more investigation. Looking through Microsoft's OAuth 2.0 authentication protocol, I found this section: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

The following text describes the behaviour we experience in Mailspring. Maybe it is worth digging into this @bengotow.

1 Like

Hi, the documentation for setting up a Single Page Application / Native App with OAuth 2.0 and OpenID connect protocols can be found here:

In particular, the recommended flow is Auth Code Grant flow

1 Like

Do you by chance know if the time outs might have something to do with the size of folders in outlook? Mine are about 25 GB - is that why I keep getting synch errors and disconnects?

Is size related to the token issue?

No, I cannot imagine that. The timeout of the refresh token is due to the fact that Mailspring is a native app, which is handled the same way as a Single Page Application.

The reason behind these short-lived refresh tokens is that a native application running on a user's device cannot be trusted to store secrets (which refresh tokens are) securely on the device. It is vulnerable to malicious attacks on that device.

In order to mitigate this security issue, one must implement the authorization code flow (also referred to as Proof Key for Code Exchange, PKCE). Here is a blog post describing this:

The Microsoft documentation for this is the first link I posted: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

1 Like

Thank you. I will study this and see if I can figure out how to fix it - it does not seem overly easy for a novice like me, but I will see what I can learn

Just checking in again. This is the error I keep getting, followed by the red one saying the connection is not established. I want to be sure this is the same issue we are discussing and dealing with? Unfortunately I can’t understand how to implement PKCE as I don’t have sufficient coding experience… is there another workaround? I really love Mailspring but will need to abandon it due to this issue, unfortunately…
[screenshot: Screen Shot 2021-06-11 at 9.23.22 PM]

I should also add that this error comes when scanning my multiple folders. Only some of the folders get fully scanned.

Thanks!

Ok, I don’t see any relationship when scanning multiple folders. But it is quite clear what has happened if I go to the account settings and I see a message that Mailspring can no longer authenticate with the account. Clicking on Error Details… brings up the log with a clear error message: The refresh token has expired due to maximum lifetime.

1 Like

After a month of trying every possible solution I discovered that connecting to a VPN solves the issue permanently. Another person suggested disconnecting from the VPN and it solved his problem, but in my case it was the opposite that solved my issue.

2 Likes

Do you know if there is some update on this issue? VPN does not do anything to solve my problem. It’s really annoying.

Thank you so much for pointing this out. SMTP was unchecked by default for my account. I checked it and it worked!

Now the only things left for MS to implement are Calendar(do they have any implementation of Calendar in the pipeline?) and more Dark Themes. :stuck_out_tongue:

I’m not sure this update is helpful but thought I would share. The problem seems to have gotten worse and is now requiring me to re-authenticate multiple times a day. I’ve also noticed that even when I am authenticated, it doesn’t seem to be syncing properly (e.g. I archive mail but it doesn’t get sync’d so when I open it up again, those emails are still in my inbox). That could be because it times out so quickly… :woman_shrugging:

Thanks to everyone who is able to contribute to the investigation and solution. :pray:

Hi! I’m probably in the minority here, but I don’t mind re-authorizing every time the refresh token expires. Refresh tokens’ validity period will always be server-side managed and IMHO there is not much a client app can do about that. Don’t get me wrong, any effort from the client app to try to make a better user experience is greatly appreciated!

That said, I still have a problem: re-authorization doesn’t always work in Mailspring 1.9.1

I have two Office365 institutional accounts for two different institutions. Both have 2FA enabled (although 2FA is a non-issue here, I’d say). At the beginning of the day both accounts fail to connect. I go to Settings->Accounts->Reconnect. Both accounts open the Office365 signup page as shown in other screenshots above. The first one reconnects successfully.

The second one shows the OAuth success screen in a new browser tab, but fails to reconnect in Mailspring.

C/P second account URL:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

query params parsed for readability:

{
  "client_id": ["xxxxxxxx-yyyy-zzzz-aaaa-bbbbbbbbbbbb"],
  "redirect_uri": ["http://localhost:12141"],
  "response_type": ["code"],
  "scope": [
    "user.read offline_access Contacts.ReadWrite Contacts.ReadWrite.Shared Calendars.ReadWrite Calendars.ReadWrite.Shared https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send"
  ],
  "response_mode": ["query"],
  "code_challenge": ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"],
  "code_challenge_method": ["S256"]
}

Error details:

Mailspring Version: 1.9.2-6e14dad1
Platform: linux
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

444079 [2021-09-16 10:21:50.765] [background] [critical] *** Stack trace (line numbers are approximate):
*** ??:?        ValidateRequestResp(CURLcode, void*, string)
*** ??:?        PerformRequest(void*)
*** ??:?        PerformJSONRequest(void*)
*** ??:?        MakeOAuthRefreshRequest(string, string, string)
*** ??:?        XOAuth2TokenManager::partsForAccount(shared_ptr)
*** ??:?        MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** ??:?        SyncWorker::configure()
*** ??:?        runBackgroundSyncWorker()
*** main.cpp:?  main::{lambda()#3}::operator()() const
*** main.cpp:?  _Bind_simple::operator()()
*** main.cpp:?  thread::_Impl::_M_run()
*** thread.o:?  execute_native_thread_routine()
***

444091 [2021-09-16 10:21:50.902] [main] [info] Identity created at 1631688190 - using ID Schema 1
444091 [2021-09-16 10:21:50.902] [main] [info] ------------- Starting Sync (xxxxxxxx@yyyyyyyyyy.com) ---------------
444091 [2021-09-16 10:21:50.906] [background] [info] Fetching XOAuth2 access token (office365) for f9a16a1c
444091 [2021-09-16 10:21:50.906] [metadata] [info] Metadata delta stream starting...
444091 [2021-09-16 10:21:51.339] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on 2021-09-15T07:53:08.6207667+00:00.\\r\\nTrace ID: 2675aa75-1fd9-42ad-b0c7-ad3ca49d0a00\\r\\nCorrelation ID: b0b5f84d-bda0-43c6-ade9-22e9fa7fad5b\\r\\nTimestamp: 2021-09-16 08:21:51Z\",\"error_codes\":[700084],\"timestamp\":\"2021-09-16 08:21:51Z\",\"trace_id\":\"2675aa75-1fd9-42ad-b0c7-ad3ca49d0a00\",\"correlation_id\":\"b0b5f84d-bda0-43c6-ade9-22e9fa7fad5b\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700084\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***

444091 [2021-09-16 10:21:51.339] [background] [critical] *** Stack trace (line numbers are approximate):
*** ??:?        ValidateRequestResp(CURLcode, void*, string)
*** ??:?        PerformRequest(void*)
*** ??:?        PerformJSONRequest(void*)
*** ??:?        MakeOAuthRefreshRequest(string, string, string)
*** ??:?        XOAuth2TokenManager::partsForAccount(shared_ptr)
*** ??:?        MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** ??:?        SyncWorker::configure()
*** ??:?        runBackgroundSyncWorker()
*** main.cpp:?  main::{lambda()#3}::operator()() const
*** main.cpp:?  _Bind_simple::operator()()
*** main.cpp:?  thread::_Impl::_M_run()
*** thread.o:?  execute_native_thread_routine()
***

Ok, scratch the post above. The issue was the following.

First account requested re-authorization. This required me to login to outlook.com using password and 2FA. Also, checkbox “Stay signed in” was selected. First account re-auth in Mailspring passes fine.

Then the second account re-auth is requested. No outlook.com login page is shown; instead, what happens is that (because of the “Stay signed in” checkbox) the second re-auth request from Mailspring gets processed using the first account that is still logged in in the browser. This results in a token approved by account1 being given to Mailspring to try to use for account2.

In the end, Mailspring fails to use the received token for account2, because it is the wrong token (it was issued using account1's credentials).

2 Likes
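The authorization request printed a few posts up (loopback redirect_uri on port 12141, response_type=code, a code_challenge with code_challenge_method=S256) is the authorization code flow with PKCE that the earlier post recommends for a native client. The script below is an added example and not Mailspring's own code: it generates the verifier and challenge, builds that same request, parses the loopback redirect and prepares the token exchange, and shows the server-side check the token endpoint performs on the verifier. It assumes the redacted placeholder client_id from the post, and adds two things the thread's URL does not carry: a state parameter, which binds the redirect back to the request that produced it, and, for the account mix-up described in the last post, login_hint and prompt=select_account, which make the Microsoft sign-in page ask which account to use instead of silently reusing the browser's "Stay signed in" session. The PKCE parameters do not change the 24-hour lifetime: AADSTS700084 above says the refresh token was issued to a single page app, which is a property of how the redirect URI is registered for the application, not of anything in the request.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
# Placeholder values exactly as they appear (redacted) in the thread; a real client_id is a GUID.
CLIENT_ID = "xxxxxxxx-yyyy-zzzz-aaaa-bbbbbbbbbbbb"
REDIRECT_URI = "http://localhost:12141"
SCOPE = (
    "user.read offline_access Contacts.ReadWrite Contacts.ReadWrite.Shared "
    "Calendars.ReadWrite Calendars.ReadWrite.Shared "
    "https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send"
)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, login_hint: Optional[str] = None,
                        select_account: bool = False) -> str:
    """The request from the thread, plus state and (optionally) login_hint / prompt."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "response_mode": "query",
        "state": state,  # assumption: not in the thread's URL; ties the redirect to this request
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint  # pre-fill the account being reconnected
    if select_account:
        params["prompt"] = "select_account"  # force the account picker despite a live browser session
    return AUTHORIZE_URL + "?" + urlencode(params)


def authorize_params(url: str) -> dict:
    """Single-valued view of the query string, for inspection and tests."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the code from what the loopback listener receives; reject foreign or failed redirects."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this authorization request")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for the POST to TOKEN_URL. Public client: no client_secret, the verifier stands in."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": SCOPE,
    }


def server_verifies(challenge: str, verifier: str) -> bool:
    """What the token endpoint does: recompute S256(verifier) and compare to the stored challenge."""
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


if __name__ == "__main__":
    verifier, state = new_code_verifier(), secrets.token_urlsafe(16)
    url = build_authorize_url(verifier, state, login_hint="user@example.com", select_account=True)
    print(url)
    # Constructed redirect, as the listener on :12141 would receive it after consent.
    redirect = f"{REDIRECT_URI}/?code=constructed-auth-code&state={state}"
    body = build_token_request(parse_redirect(redirect, state), verifier)
    print("server accepts verifier:", server_verifies(authorize_params(url)["code_challenge"], body["code_verifier"]))
```

Because the scope list in the post does not include openid, no id_token comes back that the client could compare against the intended account, so the request parameters are where the mix-up has to be prevented; prompt=select_account costs one extra click per reconnect and login_hint pre-selects the right account when it is already signed in.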