Howto16r1:Configure OAuth2 E-Mail

From innovaphone wiki
Jump to navigation Jump to search
FIXME: This product is in the beta phase and is not yet finished

The innovaphone PBX and apps can be configured to send E-Mails for various subjects and purposes. Major E-Mail providers intent to discontinue the username/password authentication schemes in favour of OAuth2. PBX and Apps version 16r1 does support OAuth2 authentication for SMTP. Here is a step by step guide how to set up OAuth2 support in Microsoft 365 through the Azure Portal and how to set it up on a Google Gmail account in the Google Cloud Console.

Microsoft 365

Azure Portal

Log in to Microsoft Azure Portal (https://portal.azure.com) and go to Microsoft Entra ID.

/AzureMicrosoftEntraID.png

Add a new app registration to create client credentials.

/AzureAddAppRegistration.png

Register the application and maybe already fill in the redirect URI for Web based application type to path OAUTH2-CLIENT/auth.htm at the PBX.

/AzureRegisterAnApplication.png

App registration is complete. Client ID and tenant needs to be configured at the PBX and every app that will be sending e-mails.

/AzureApp.png

Create a client secret. Note that expiry is limited to no longer than 2 years. The client secret must be renewed before expiry and the new secret configured and interactive authorisation carried out again to ensure continuous operation.

/AzureAddClientSecret.png

Copy the client secret. It also needs to be configured at the PBX and every app that will be sending e-mails.

/AzureCopyClientSecret.png

Add permissions located in APIs my organization uses.

/AzureAddApiPermissionMyOrganization.png

More precisely located in Office 365 Exchange Online.

/AzureAddApiPermissionExchange.png

And there in the application permissions.

/AzureAddApiExchangeApplication.png

Namely SMTP Mail.Send.

/AzureAddApiSendMailAsUser.png

Grant admin permission for Mail.Send.

/AzureGrantApiPermissions.png

API permissions are now granted.

/AzureApiPermissionsGranted.png

Tell all redirect URIs that the PBX and the apps will be using during interactive authorization.

/AzureRedirectUris.png

Allow public client flows of OAuth2. Resource Owner Password Credentials Flow has the advantage that it doesn't need interactive authorization.

/AzureAllowPublicClientFlows.png

Microsoft 365 admin center

Log in to the Microsoft 365 admin center (https://admin.cloud.microsoft).

/MS365AdminCenter.png

Make sure that Microsoft 365 licenses are assigned to your user.

/MS365UserLicenses.png

Set your user active.

/MS365ActiveUsers.png

Locate the Mail tab of your user.

/MS365UserEMail.png

Allow authenticated SMTP.

/MS365AuthenticatedSMTP.png

Exchange admin center

Login to the Exchange admin center (https://admin.exchange.microsoft.com).

/ExchangeAdminCenter.png

Remove deactivation of the SMTP AUTH protocol.

/ExchangeRemoveDeavtivatedOAuth2.png

PBX Example configuration

With this Microsoft setup the OAuth2 configuration for the resource owner password credentials flow can be filled in as follows.

/OAuth2ResourceOwnerPasswordCredentials.png

For interactive authorization this is the OAuth2 configuration. Authorize e-mail access one time and send a test mail to verify everything went well.

/OAuth2InteractiveAuthorization.png

Gmail

Preparations

Login to the Google Cloud Console (https://console.cloud.google.com), select a project, New project.

/GoogleSelectProject.png

Create the project.

/GoogleCreateProject.png

Client credentials will be created in this project.

/GoogleProjectCreated.png

From the library specify the APIs needed to access.

/GoogleApisServicesFromLibrary.png

These are in the Gmail API.

/GoogleApisServicesApiLibrary.png

Choose the Gmail API and enable it.

/GoogleGmailApis.png

Credentials need to be created.

/GoogleGmailApiAdded.png

Invoke the help me choose wizard.

/GoogleCreateCredentialsHelpMeChoose.png

User data access is needed.

/GoogleCredentialsUserData.png

Configure the consent screen of the interactive authorization.

/GoogleOAuthConsentScreen.png

Specify the permissions that need to be authorized by the user.

/GoogleOAuthScopes.png

Its mail.google.com in general.

/GoogleScopeMailGoogleCom.png

And its to send email on the users behalf.

/GoogleScopeAuthGmailSend.png

These are the scopes needed.

/GoogleScopes.png

Ask client credentials for Web type application.

/GoogleOAuthClientID.png

Tell all redirect URIs that the PBX and the apps will be using during interactive authorization.

/GoogleRedirectURIs.png

Download the credentials. This json file contains all information for OAuth2 configuration.

/GoogleClientCredentialsDownload.png

Customize the OAuth consent screen

/GoogleOAuthConsentScreenSettings.png

Start the customization wizard.

/GoogleConsentScreenWizard.png

Choose which users may authorize.

/GoogleAudienceExternal.png

Google workspace users may choose internal audience. Users not in Google workspace proceed with external.

/GoogleContactInformation.png

Add a test user.

/GoogleTestUserAdded.png

PBX Example configuration

The OAuth2 parameters can be filled in with the information from the json file downloaded above. Authorize e-mail access one time and send a test mail to verify everything went well.

/OAuth2InteractiveGmail.png

Generic

For other e-mail providers the client secret post OAuth2 flow may be configured in a generic way. Details need to be supplied by the e-mail provider.

For the Microsoft 365 setup above it would be as follows with Token endpoint https://login.microsoftonline.com/af326a34-169c-469e-946b-1ef57925306b/oauth2/v2.0/token Authorization URL https://login.microsoftonline.com/af326a34-169c-469e-946b-1ef57925306b/oauth2/v2.0/authorize?scope=https://outlook.office.com/SMTP.Send offline_access The configuration appends &response_type=code&prompt=consent&login_hint=...&redirect_uri=...&client_id=... automatically.

/OAuth2ClientSecretPost.png

For the Gmail example above the generic confguration would be like this with Token endpoint https://oauth2.googleapis.com/token Authorization URL https://accounts.google.com/o/oauth2/auth?access_type=offline&scope=https://mail.google.com/ The configuration appends &response_type=code&prompt=consent&login_hint=...&redirect_uri=...&client_id=... automatically.

/OAith2ClientSecretPostGmail.png

The private key jwt OAuth2 flow can be configured generically as well.

/OAuth2PrivateKeyJWT.png

Related Articles

https://wiki.innovaphone.com/index.php?title=Reference16r1:PBX/Config/Authentication