Institutional Office365 not working

Hi all

I have done some more investigation. Looking through Microsoft's OAuth 2.0 authentication protocol, I found this section: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

The following text describes the behaviour we experience in Mailspring. Maybe it is worth digging into this @bengotow.

1 Like

Hi, the documentation for setting up a Single Page Application / Native App with the OAuth 2.0 and OpenID Connect protocols can be found here:

In particular, the recommended flow is the Auth Code Grant flow.

1 Like

Do you by chance know if the timeouts might have something to do with the size of folders in Outlook? Mine are about 25 GB - is that why I keep getting sync errors and disconnects?

Is size related to the token issue?

No, I cannot imagine that. The timeout of the refresh token is due to the fact that Mailspring is a native app, which is handled the same way as a Single Page Application.

The reason behind these short-lived refresh tokens is that a native application running on a user's device cannot be trusted to store secrets (which refresh tokens are) securely on the device. It is vulnerable to malicious attacks on that device.

In order to mitigate this security issue, one must implement the authorization code flow (also referred to as Proof Key for Code Exchange, PKCE). Here is a blog post describing this:

The Microsoft documentation for this is the first link I posted: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

1 Like

Thank you. I will study this and see if I can figure out how to fix it - it does not seem overly easy for a novice like me, but I will see what I can learn.

Just checking in again. This is the error I keep getting, followed by the red one saying the connection is not established. I want to be sure this is the same issue we are discussing and dealing with? Unfortunately I can’t understand how to implement the PKCE as I don’t have sufficient coding experience… is there another workaround? I really love Mailspring but will need to abandon it due to this issue, unfortunately…

I should also add that this error comes when scanning my multiple folders. Only some of the folders get fully scanned.

Thanks!

Ok, I don’t see any relationship when scanning multiple folders. But it is quite clear what has happened if I go to the account settings and I see a message that Mailspring no longer can authenticate with the account. Clicking on Error Details… brings up the log with a clear error message: The refresh token has expired due to maximum lifetime.

1 Like

After a month of trying every possible solution I discovered that connecting to a VPN solves the issue permanently. Another person suggested disconnecting from the VPN and it solved his problem, but in my case it was the opposite that solved my issue.

2 Likes

Do you know if there is some update on this issue? VPN does not do anything to solve my problem. It’s really annoying.

Thank you so much for pointing this out. SMTP was unchecked by default for my account. I checked it and it worked!

Now the only things left for MS to implement are Calendar (do they have any implementation of Calendar in the pipeline?) and more Dark Themes. :stuck_out_tongue:

I’m not sure this update is helpful but thought I would share. The problem seems to have gotten worse and is now requiring me to re-authenticate multiple times a day. I’ve also noticed that even when I am authenticated, it doesn’t seem to be syncing properly (e.g. I archive mail but it doesn’t get synced, so when I open it up again, those emails are still in my inbox). That could be because it times out so quickly… :woman_shrugging:

Thanks to everyone who is able to contribute to the investigation and solution. :pray:

Hi! I’m probably in the minority here, but I don’t mind re-authorizing every time the refresh token expires. Refresh tokens’ validity period will always be managed server-side and IMHO there is not much a client app can do about that. Don’t get me wrong, any effort from the client app to try to make a better user experience is greatly appreciated!

That said, I still have a problem: re-authorization doesn’t always work in Mailspring 1.9.1.

I have two Office365 institutional accounts for two different institutions. Both have 2FA enabled (although 2FA is a non-issue here, I’d say). At the beginning of the day both accounts fail to connect. I go to Settings->Accounts->Reconnect. Both accounts open the Office365 sign-in page as shown in other screenshots above. The first one reconnects successfully.

The second one shows the OAuth success screen in a new browser tab, but fails to reconnect in Mailspring.

Copy/paste of the second account URL:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Query params parsed for readability:

{
  "client_id": ["xxxxxxxx-yyyy-zzzz-aaaa-bbbbbbbbbbbb"],
  "redirect_uri": ["http://localhost:12141"],
  "response_type": ["code"],
  "scope": [
    "user.read offline_access Contacts.ReadWrite Contacts.ReadWrite.Shared Calendars.ReadWrite Calendars.ReadWrite.Shared https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send"
  ],
  "response_mode": ["query"],
  "code_challenge": ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"],
  "code_challenge_method": ["S256"]
}

Error details:

Mailspring Version: 1.9.2-6e14dad1
Platform: linux
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

444079 [2021-09-16 10:21:50.765] [background] [critical] *** Stack trace (line numbers are approximate):
*** ??:?        ValidateRequestResp(CURLcode, void*, string)
*** ??:?        PerformRequest(void*)
*** ??:?        PerformJSONRequest(void*)
*** ??:?        MakeOAuthRefreshRequest(string, string, string)
*** ??:?        XOAuth2TokenManager::partsForAccount(shared_ptr)
*** ??:?        MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** ??:?        SyncWorker::configure()
*** ??:?        runBackgroundSyncWorker()
*** main.cpp:?  main::{lambda()#3}::operator()() const
*** main.cpp:?  _Bind_simple::operator()()
*** main.cpp:?  thread::_Impl::_M_run()
*** thread.o:?  execute_native_thread_routine()
***

444091 [2021-09-16 10:21:50.902] [main] [info] Identity created at 1631688190 - using ID Schema 1
444091 [2021-09-16 10:21:50.902] [main] [info] ------------- Starting Sync (xxxxxxxx@yyyyyyyyyy.com) ---------------
444091 [2021-09-16 10:21:50.906] [background] [info] Fetching XOAuth2 access token (office365) for f9a16a1c
444091 [2021-09-16 10:21:50.906] [metadata] [info] Metadata delta stream starting...
444091 [2021-09-16 10:21:51.339] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on 2021-09-15T07:53:08.6207667+00:00.\\r\\nTrace ID: 2675aa75-1fd9-42ad-b0c7-ad3ca49d0a00\\r\\nCorrelation ID: b0b5f84d-bda0-43c6-ade9-22e9fa7fad5b\\r\\nTimestamp: 2021-09-16 08:21:51Z\",\"error_codes\":[700084],\"timestamp\":\"2021-09-16 08:21:51Z\",\"trace_id\":\"2675aa75-1fd9-42ad-b0c7-ad3ca49d0a00\",\"correlation_id\":\"b0b5f84d-bda0-43c6-ade9-22e9fa7fad5b\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700084\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***

444091 [2021-09-16 10:21:51.339] [background] [critical] *** Stack trace (line numbers are approximate):
*** ??:?        ValidateRequestResp(CURLcode, void*, string)
*** ??:?        PerformRequest(void*)
*** ??:?        PerformJSONRequest(void*)
*** ??:?        MakeOAuthRefreshRequest(string, string, string)
*** ??:?        XOAuth2TokenManager::partsForAccount(shared_ptr)
*** ??:?        MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** ??:?        SyncWorker::configure()
*** ??:?        runBackgroundSyncWorker()
*** main.cpp:?  main::{lambda()#3}::operator()() const
*** main.cpp:?  _Bind_simple::operator()()
*** main.cpp:?  thread::_Impl::_M_run()
*** thread.o:?  execute_native_thread_routine()
***

Ok, scratch the post above. The issue was the following.

The first account requested re-authorization. This required me to log in to outlook.com using a password and 2FA. Also, the checkbox “Stay signed in” was selected. The first account re-auth in Mailspring passes fine.

Then the second account re-auth is requested. No outlook.com login page is shown; instead what happens is (because of the “Stay signed in” checkbox) the second re-auth request from Mailspring gets processed using the first account that is still logged in in the browser. This results in a token approved by account1 being given to Mailspring to try to use for account2.

In the end, Mailspring fails to use the received token for account2 - because it is the wrong token (it was issued using account1 credentials).

2 Likes
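As an added example (not Mailspring's own code), this sketches what the PKCE explanation earlier in the thread and the account1/account2 mix-up just described look like in a public client: the authorize request with the same parameters as the URL pasted above, triage of the AADSTS700084 refresh failure from the logs, and a check that the identity in the returned id_token is the account being reconnected. The prompt=select_account and login_hint parameters are standard Microsoft identity platform authorize parameters; the client_id, account names and id_token are constructed placeholders.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
REDIRECT_URI = "http://localhost:12141"  # loopback redirect as in the thread's URL
SCOPE = ("user.read offline_access https://outlook.office.com/IMAP.AccessAsUser.All "
         "https://outlook.office.com/SMTP.Send")

def new_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes, base64url, kept only in memory."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    """code_challenge = base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id: str, challenge: str, state: str, login_hint: str) -> str:
    """Parameters from the thread's authorize URL, plus prompt=select_account and login_hint
    so a 'Stay signed in' browser session for another account is not silently reused."""
    params = {"client_id": client_id, "redirect_uri": REDIRECT_URI, "response_type": "code",
              "response_mode": "query", "scope": SCOPE, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256",
              "prompt": "select_account", "login_hint": login_hint}
    return AUTHORIZE_URL + "?" + urlencode(params)

def refresh_failure_action(token_response_body: str) -> str:
    """AADSTS700084 (SPA refresh token past its fixed 1-day lifetime) is invalid_grant:
    retrying is pointless, the client has to start a new interactive sign-in."""
    try:
        err = json.loads(token_response_body)
    except ValueError:
        return "retry"  # transport-level garbage, not an authorization verdict
    if err.get("error") == "invalid_grant" or 700084 in err.get("error_codes", []):
        return "interactive_signin"
    return "retry"

def id_token_username(id_token: str) -> str:
    # Assumption: the id_token came straight from the token endpoint over TLS;
    # signature validation is out of scope for this check.
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["preferred_username"].lower()

def token_belongs_to(id_token: str, expected_account: str) -> bool:
    """Refuse to store tokens issued for a different account than the one requested."""
    return id_token_username(id_token) == expected_account.lower()

def constructed_id_token(username: str) -> str:
    """Constructed, unsigned id_token for offline demonstration only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"preferred_username": username}), ""])
```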

This worked for me. Thanks.

Current error I’m having with my institution's Office365. It seems that the refresh token is not being extended, so it fails and forces me to re-authenticate.
"stack": "Error: null13751 [2021-10-01 09:44:01.325] [background] [critical] \n***\n*** Mailspring Sync \n*** An exception occurred during program execution: \n*** {\"debuginfo\":\"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\\\"error\\\":\\\"invalid_grant\\\",\\\"error_description\\\":\\\"AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on 2021-09-30T13:53:41.8505874+00:00.\\\\r\\\\nTrace ID: 1e3b46a9-409a-4fc1-9cce-49a201c91e00\\\\r\\\\nCorrelation ID: 1aa53ff4-d31e-4eb0-924c-0e886ef8e64b\\\\r\\\\nTimestamp: 2021-10-01 14:44:01Z\\\",\\\"error_codes\\\":[700084],\\\"timestamp\\\":\\\"2021-10-01 14:44:01Z\\\",\\\"trace_id\\\":\\\"1e3b46a9-409a-4fc1-9cce-49a201c91e00\\\",\\\"correlation_id\\\":\\\"1aa53ff4-d31e-4eb0-924c-0e886ef8e64b\\\",\\\"error_uri\\\":\\\"https://login.microsoftonline.com/error?code=700084\\\"}\",\"key\":\"Invalid Response Code: 400\",\"retryable\":false,\"what\":\"std::exception\"}\n***\n\n13751 [2021-10-01 09:44:01.325] [background] [critical] *** Stack trace (line numbers are approximate):\n*** ??:? ValidateRequestResp(CURLcode, void*, string)\n*** ??:? PerformRequest(void*)\n*** ??:? PerformJSONRequest(void*)\n*** ??:? MakeOAuthRefreshRequest(string, string, string)\n*** ??:? XOAuth2TokenManager::partsForAccount(shared_ptr)\n*** ??:? MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)\n*** ??:? SyncWorker::configure()\n*** ??:? runBackgroundSyncWorker()\n*** main.cpp:? main::{lambda()#3}::operator()() const\n*** main.cpp:? _Bind_simple::operator()()\n*** main.cpp:? thread::_Impl::_M_run()\n*** thread.o:? 
execute_native_thread_routine()\n***\n\n/usr/share/mailspring/resources/app.asar.unpacked/mailsync: line 5: 13751 Aborted SASL_PATH=\"$SCRIPTPATH\" LD_LIBRARY_PATH=\"$SCRIPTPATH;$LD_LIBRARY_PATH\" \"$SCRIPTPATH/mailsync.bin\" \"$@\"\n\n at ChildProcess.onStreamCloseOrExit (file:///tmp/nylas-build/electron-packager/linux-x64/mailspring-linux-x64/resources/app/src/mailsync-process.ts:301:17)\n at ChildProcess.emit (events.js:210:5)\n at ChildProcess.EventEmitter.emit (domain.js:476:20)\n at Process.ChildProcess._handle.onexit (internal/child_process.js:272:12)",

Just contributing that I am having the same issue with a university Exchange account (no IMAP, only “modern authentication”), and getting the error “Connection Error - Unable to connect to the server / port you provided. (IMAP)”

Wondering if there are any updates on this, even if it’s just “we’re stuck on XYZ”.

I’ve hit this problem too. My employer has just locked down our Exchange server, removing insecure authentication.
They have added a method for authentication with IMAP using OAuth2 (Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Docs), but I can’t see that this is supported yet. Is it likely, or too hard?

1 Like

If your Office/Microsoft 365 admins disable IMAP for your tenant, there’s not much you can do. You need to use a mail client that supports EWS/EAS…