Institutional Office365 not working

I understand your frustration. Unfortunately, there’s nothing more we can do either. This is a high priority, but it isn’t possible to know when it’ll be resolved. As you said, this is a basic feature, and as such, the Pro subscription really has no bearing on it.

Ben, the core developer, is wrapping up a release with some urgent promised functionality right now, and then hopefully this can be the next item on the horizon. That’s why this is tagged #critical and #accepted.

Thank you for your patience.

Hey folks! Thanks for triaging this and adding so much detail - I really appreciate it! This is the #1 priority for the 1.9.1 release and I’ve set up a business Office365 account I’m hoping we can use to reproduce the problem. I’ve also reached out and found someone willing to share their Exchange university login so I can test with that too.

@hkorsvoll, I think you are correct - Mailspring should be storing the new refresh tokens that Office365 returns when we refresh the access token. I think that will alleviate some of the problems, and we can make that change immediately. That said, there are a couple other things happening here I think:

  • Mailspring only supports Office 365 via IMAP + SMTP, which CAN be turned off at the organizational level, leaving only Exchange. If your organization has turned off IMAP+SMTP in Office365, you cannot use Mailspring. The Exchange protocol is closed source and very different from IMAP, and we haven’t built support for it. (I was actually hoping to never have to since they have expanded IMAP+SMTP support a lot in the last few years, but it seems folks are disabling that for security purposes, leaving Exchange important).

  • Mailspring uses OAuth to sign you in to Office365, and that OAuth flow (where it bounces out to your web browser) will direct you through 2FA if it is configured by your organization. Exchange might provide a way for email clients to directly capture and send your 2FA authentication code, but as far as I know we cannot do that via IMAP.

  • I need to read all the docs linked above, but if your organization decides that OAuth refresh tokens must be refreshed every day, odds are you’ll have to sign in to Mailspring every day. This is a totally awful user experience I’m hoping we can improve a bit, but at the end of the day if your university / company is putting in place policies that discourage use of third party mail clients, it’s going to be pretty rough.

Thanks everyone - sorry this has taken a while to get resolved. As we figure this out, I’ll also create a dedicated page we can link folks to from the Office365 authentication screen that details the limitations and solutions, etc. as we get them ironed out!

Ben

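Added example (editor's code, not Mailspring's and not posted by anyone in this thread) of the refresh-token handling Ben describes above and of the `invalid_grant` / AADSTS700081 response that appears in the logs further down. It does two things a native client has to get right: persist the rotated `refresh_token` that comes back with a successful refresh instead of keeping the original, and classify `invalid_grant` as a non-retryable "sign in again" condition rather than something to retry. The client ID, scope names and token values are assumptions, and the sample responses are constructed to match the shape of the logged error, not captured traffic.

```javascript
// Added example, not Mailspring's code: refresh-token rotation against the
// Microsoft identity platform v2.0 token endpoint, written as pure functions
// over the HTTP status and parsed JSON body so it runs offline.
const TOKEN_ENDPOINT = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';

// Form body for the refresh_token grant (RFC 6749 section 6). clientId and
// the scope list are assumptions for the example, not Mailspring's values.
function buildRefreshRequest(store, clientId, scopes) {
  const params = new URLSearchParams({
    client_id: clientId,
    grant_type: 'refresh_token',
    refresh_token: store.refreshToken,
    scope: scopes.join(' '),
  });
  return {
    url: TOKEN_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Apply a token endpoint response to the stored credentials. `store` is a
// plain object {accessToken, refreshToken, expiresAt}; a real client keeps
// it in the OS keychain. Returns {ok, retryable, reauthRequired, reason}.
function applyRefreshResponse(store, status, body, now = Date.now()) {
  if (status === 200 && body && body.access_token) {
    store.accessToken = body.access_token;
    store.expiresAt = now + (body.expires_in || 3600) * 1000;
    // Rotation: when the server hands back a new refresh_token, persist it
    // and forget the old one. Re-using the original token until it hits its
    // maximum lifetime is exactly what produces the AADSTS700081 loop.
    if (body.refresh_token) store.refreshToken = body.refresh_token;
    return { ok: true, retryable: false, reauthRequired: false, reason: null };
  }
  if (status === 0 || status >= 500) {
    // status 0 stands in for a transport failure in this example
    return { ok: false, retryable: true, reauthRequired: false, reason: 'transient' };
  }
  const err = (body && body.error) || 'unknown_error';
  if (err === 'invalid_grant' || err === 'interaction_required') {
    // Expired/revoked refresh token, or a policy that demands interactive
    // sign-in (RFC 6749 section 5.2): retrying is pointless, the user must
    // go through the browser flow again. Drop the dead credentials.
    store.accessToken = null;
    store.refreshToken = null;
    store.expiresAt = 0;
    const codes = (body.error_codes || []).map((c) => 'AADSTS' + c).join(',');
    return { ok: false, retryable: false, reauthRequired: true,
             reason: codes ? `${err} (${codes})` : err };
  }
  // e.g. invalid_client, invalid_scope: a configuration bug, not a retry case
  return { ok: false, retryable: false, reauthRequired: false, reason: err };
}

// Constructed sample responses, shaped like the real ones in the logs in
// this thread but with made-up token values.
const SAMPLE_ROTATED = {
  status: 200,
  body: { token_type: 'Bearer', expires_in: 3599, access_token: 'eyJ0eXAi.example',
          refresh_token: 'M.R3_BAY.example-new' },
};
const SAMPLE_EXPIRED = {
  status: 400,
  body: { error: 'invalid_grant',
          error_description: 'AADSTS700081: The refresh token has expired due to maximum lifetime.',
          error_codes: [700081] },
};

// First refresh succeeds and rotates the token; the second comes back
// invalid_grant and must end in a re-authentication prompt.
function demo() {
  const store = { accessToken: null, refreshToken: 'M.R3_BAY.example-old', expiresAt: 0 };
  const first = applyRefreshResponse(store, SAMPLE_ROTATED.status, SAMPLE_ROTATED.body);
  const second = applyRefreshResponse(store, SAMPLE_EXPIRED.status, SAMPLE_EXPIRED.body);
  return { first, second, store };
}

console.log(JSON.stringify(demo(), null, 2));
```

The important design point is the `retryable: false` on `invalid_grant`: a sync worker that treats that 400 like a transient error will hammer the token endpoint and show the user a generic "authentication error" forever, which is the symptom people report above.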

Great news @bengotow

I do have admin access to an office365 domain (NGO, 100 free licenses). So I can contribute by setting up mail accounts for you to test on.

Håvard


FYI - I’m running Mailspring 1.9.1, but still having issues with institutional 365 login with two factor authentication - but closer than before. Possibly the issue is because IMAP+SMTP is turned off by my institution, but I have no confirmation of that. When I try to set up an account I’m redirected to my institutional web login, which then appears to work with a screen saying “You’re all set! Go back to Mailspring to finish linking your account and configuring the app.” On returning to Mailspring the dialogue box reads “Authentication Error - Check your username and password. (IMAP)”.


Hi everyone

I am using 1.9.1 now. There are still issues with short-lived refresh tokens. Microsoft is probably not giving out a new refresh token when Mailspring fetches the access token. They probably only serve the original one.
I guess the solution is to find a way to make Microsoft issue longer-lived refresh tokens.

Mailspring Version: 1.9.1-30ef802f
Platform: linux
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

251655 [2021-04-19 22:57:51.356] [main] [info] Identity created at 1607501098 - using ID Schema 1
251655 [2021-04-19 22:57:51.357] [main] [info] ------------- Starting Sync (Havard.Korsvoll@*******.com) ---------------
251655 [2021-04-19 22:57:51.364] [metadata] [info] Metadata delta stream starting...
251655 [2021-04-19 22:57:52.364] [background] [info] Fetching XOAuth2 access token (office365) for 2........4
251655 [2021-04-19 22:57:52.676] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-04-18T20:06:09.9921920+00:00 and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: d4d0638e-d304-464d-bcb4-cbc2e17f4900\\r\\nCorrelation ID: 9ae91127-2af9-49d0-95ac-cfb95c98b2c6\\r\\nTimestamp: 2021-04-19 20:57:52Z\",\"error_codes\":[700081],\"timestamp\":\"2021-04-19 20:57:52Z\",\"trace_id\":\"d4d0638e-d304-464d-bcb4-cbc2e17f4900\",\"correlation_id\":\"9ae91127-2af9-49d0-95ac-cfb95c98b2c6\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***

I’m facing the same problem with Office365 on macOS. Here is a part of the log of the problem:

Mailspring Version: 1.9.1-30ef802f
Platform: darwin
Account State: invalid
Account Provider: office365
IMAP Server: outlook.office365.com
SMTP Server: smtp.office365.com
--------------------------------------------
***

73589 [2021-04-22 12:29:05.639] [background] [critical] *** Stack trace (line numbers are approximate):
*** in mailsync  ValidateRequestResp(CURLcode, void*, string)
*** in mailsync  PerformRequest(void*)
*** in mailsync  PerformJSONRequest(void*)
*** in mailsync  MakeOAuthRefreshRequest(string, string, string)
*** in mailsync  XOAuth2TokenManager::partsForAccount(shared_ptr)
*** in mailsync  MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** in mailsync  SyncWorker::configure()
*** in mailsync  runBackgroundSyncWorker()
*** in mailsync  main::$_6::operator()() const
*** in mailsync  void* __thread_proxy(void*)
*** in mailsync  thread_start()
***

73598 [2021-04-22 12:29:05.844] [main] [info] Identity created at 1619087345 - using ID Schema 1
73598 [2021-04-22 12:29:05.852] [main] [info] ------------- Starting Sync (commissaricna@fibs.it) ---------------
73598 [2021-04-22 12:29:05.865] [metadata] [info] Metadata sync disabled, not logged in.
73598 [2021-04-22 12:29:07.865] [background] [info] Fetching XOAuth2 access token (office365) for 40f968ef
73598 [2021-04-22 12:29:08.365] [background] [critical] 
***
*** Mailspring Sync 
*** An exception occurred during program execution: 
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2021-04-19T15:03:54.5612034+00:00 and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: 53b61948-44d0-40cd-aac2-183fb2c52700\\r\\nCorrelation ID: e5a22a79-817a-456b-85ce-83c21b9b939b\\r\\nTimestamp: 2021-04-22 10:29:08Z\",\"error_codes\":[700081],\"timestamp\":\"2021-04-22 10:29:08Z\",\"trace_id\":\"53b61948-44d0-40cd-aac2-183fb2c52700\",\"correlation_id\":\"e5a22a79-817a-456b-85ce-83c21b9b939b\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***

Hoping that the fix is coming very soon.

Alex.

I just wanted to say that this worked for me.
I was getting “An unknown error has occurred (mailsync: 3765269347)” but after adding authenticated SMTP to my account, I was able to login and start using Mailspring.
Just wanted to contribute my results.

Thanks for sharing with the class. :smiley:

I have the same problem and would like to identify a solution!

Hi all

I have done some more investigation. Looking through Microsoft’s OAuth 2.0 authentication protocol, I found this section: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

The following text describes the behaviour we experience in Mailspring. Maybe it is worth digging into this @bengotow.


Hi, the documentation for setting up a Single Page Application / Native App with OAuth 2.0 and OpenID Connect protocols can be found here:

In particular, the recommended flow is Auth Code Grant flow

Do you by chance know if the timeouts might have something to do with the size of folders in Outlook? Mine are about 25 GB - is that why I keep getting sync errors and disconnects?

Is size related to the token issue?

No, I cannot imagine that. The timeout of the refresh token is due to the fact that Mailspring is a native app, which is handled the same way as a Single Page Application.

The reason behind these short-lived refresh tokens is that a native application running on a user’s device cannot be trusted to store the secrets (which refresh tokens are) securely on a device. It is vulnerable to malicious attacks on that device.

In order to mitigate this security issue, one must implement the authorization code flow (also referred to as Proof Key for Code Exchange, PKCE). Here is a blog post describing this:

The Microsoft documentation for this is the first link I posted: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

Thank you. I will study this and see if I can figure out how to fix it - it does not seem overly easy for a novice like me, but I will see what I can learn

Just checking in again. This is the error I keep getting, followed by the red one saying connection is not established. I want to be sure this is the same issue we are discussing and dealing with? Unfortunately I can’t understand how to implement the PKCE as I don’t have sufficient coding experience… is there another workaround? I really love Mailspring but will need to abandon it due to this issue, unfortunately…

I should also add that this error comes when scanning my multiple folders. Only some of the folders get fully scanned.

Thanks!

Ok, I don’t see any relationship when scanning multiple folders. But it is quite clear what has happened if I go to the account settings and I see a message that Mailspring can no longer authenticate with the account. Clicking on Error Details… brings up the log with a clear error message: The refresh token has expired due to maximum lifetime.

After a month of trying every possible solution I discovered that connecting to a VPN solves the issue permanently. Another person suggested disconnecting from the VPN and it solved his problem, but in my case it was the opposite that solved my issue.
