Missed Team ’24? Catch up on announcements here.

×
Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Microsoft Oauth2.0 for incoming mails

Jan Kampling October 1, 2020

Hello,

I try to setup OAuth 2.0 for an Office365 mail account.

I created the Oauth App in the Azure portal and successfully add the connection in the Jira system setting.

When I now add the mail account to the Jira Service Desk. I could login into the Microsoft Account and the redirected to the Jira Service Desk settings.

There I get the message: 

We couldn't connect to your mail server

Here's the error we received: "OAuth token not defined for connection. OAuth Authorisation required."

In the log file there is this message: 

2020-10-01 13:52:11,585+0200 http-nio-8080-exec-553 ERROR admin-jira-local 832x527172x1 oob6dj 192.xxx.xxx.xxx,212.xxx.xxx.xxx /rest/servicedesk/1/servicedesk/PER/incomingemail/oauth/validateandsaveflow/47622dd0-33c6-4d14-9385-371ead930dca [c.a.s.i.rest.emailchannel.EmailChannelResource] Failed to validate and save token: jep.mail.connection.verifier.unknown.error : 'Here's the error we received: "LOGIN failed.

I'm running Jira 8.12.2 with the official Docker image behind a traefik proxy for https. The docker container is http only.

Any idea what is wrong in my setup?

Thanks

Jan

3 answers

0 votes
Peter Hamilton-Harding November 23, 2021

Hi All,

 

We are also encountering this issue. The strange thing is, we already have a mailbox set up using this Oauth integration and working fine. Can you not use the one integration for multiple service desks?

 

Scopes are correct as per other comments here, we have the POP one as well

I can successfully add 'the old school way' with a Mail Server and Handler with Oauth2 for this mailbox, so Im pretty sure auth is set up properly - it's just not working in 'Email Requests'. I don't even recall why we moved off the Server+Handler setup but there was a good reason. 

 

I'll enable debug logging today and report back

 

Kind Regards,

Peter

Peter Hamilton-Harding November 25, 2021

This eventually worked fine with no further changes!

I'm going to blame MS for whatever that was

Like Aaron Vo likes this
Aaron Vo December 3, 2021

Chiming in because we had the same "solution" as Peter. It just eventually worked again.

 

We tried re-creating the OAuth2.0 integration, tested a few emails on two different projects. After about 3 days it eventually it just started working again using our original one. No changes made. I think it's a MS issue.

Like Matt Baillargeon likes this
0 votes
Baptiste Billy June 21, 2021

Same issue. 

@Jan Kampling @Martin Haagen How did you solve the problem ?

Regards

Craig Shannon
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 8, 2021

Hi @Baptiste Billy

Have you tried adding additional logging to see if this helps narrow down the issue and some of the other suggestions on this thread? 

When we see these issues, usually they are related either to the scopes, OAuth 2.0 client configuration or permissions on Azure which cause the token to be invalid. It might be worth verifying everything on Azure is setup correctly. 

Sorry I don't have anything more concrete, but as the error is on the Azure authentication side, it's hard to understand exactly why the token was rejected - perhaps you can get additional auditing/logs from Microsoft Azure Portal.

Thanks,

Craig. 

0 votes
Craig Shannon
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 1, 2020

Hi @Jan Kampling

Thanks for reaching out for help on the Atlassian Community!

Can I ask you to verify that this is still an issue as there were connection issues with Microsoft yesterday which I noticed when I was doing testing with Office365? I can see from this morning I am able to connect with no issues again, but was facing similar errors yesterday. 

To give you a bit more insight into the specific error which you encountered, that occurs at the end of the OAuth authorisation flow when JSD receives a token back from the service and JSD uses this token along with your email address to try and connect. Only when this is successful does JSD then persist the token, along with the refresh token, in the OAuth 2.0 token store for later use when retrieving emails. 

So I think that if JSD got a token back, but was unable to login, it could be an issue on the provider's side - or possibly an invalid scope. Can you also verify what scopes you have requested, you'll likely want the following when using IMAP:

"https://outlook.office.com/IMAP.AccessAsUser.All" and "offline_access".

Here's a couple references on the Microsoft outage:

https://www.theverge.com/2020/10/1/21496667/microsoft-outlook-down-outage-service-issues

https://portal.office.com/servicestatus

Let me know if you still experience issues and we can help you out further. 

Thanks,

Craig.

Jira Service Desk.

Jan Kampling October 2, 2020

Hi Craig,

I tried this today again with the same result.

Scope is set correctly.

Any other idea?

Thanks a lot

Jan

Jan Kampling October 6, 2020

@Craig Shannon  Any other hint? I need to get this running. :(

Jonathan Skördeman
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 7, 2020

Hi, this also interested in this issue as i am experiencing the same issue - scope is IMAP and offline_access as stated in the above post.

According to our MS admin the token is verified correctly on the office365 side.

Is there any packages i can enable in jira to enable further logging?

Craig Shannon
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 7, 2020

Hi,

Sorry for the late response. It is possible to turn on additional logging on the mail library by setting the system property `-Dmail.debug=true`. This should give more information on what is happening during the authentication. For instructions on how to set system properties, see here

You can also try adding debug logging to the package `com.atlassian.jira.internal.mail.processor.feature.channel.connectionverifier`, however I checked the code and do not think we'll get much more info from this logging other than a message if the connection is ever successful. There should also be errors and warnings logged from this package which you should see in the logs. 

"Unable to connect to the server at <hostname> due to the following exception:"

Let me know if the mail.debug system property helps track down where the error is coming from. 

Thanks,

Craig. 

Martin Haagen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 15, 2020

Hi,

We are also experiencing the same problem with configuring JSD email requests to use Microsoft Office365 and OAuth2.0, and get the exact same error message. ("OAuth token not defined for connection. OAuth Authorisation required.")
Configuring native Jira Incoming Mail servers using the same OAuth Integration works fine.

I've extended the logging and see this in atlassian-jira-incoming-mail.log when trying to authorize:

2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.imaps.auth.plain.disable=true
2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.imaps.auth.ntlm.disable=true
2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.debug=true
2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.imaps.auth.gssapi.disable=true
2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.mime.decodeparameters=true
2020-10-15 21:46:40,223+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Connection to Mail Server established successfully
2020-10-15 21:46:40,296+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Unable to open folder with URI 'inbox'
2020-10-15 21:46:41,573+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.imaps.auth.plain.disable=true
2020-10-15 21:46:41,573+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.imaps.auth.ntlm.disable=true
2020-10-15 21:46:41,576+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.debug=true
2020-10-15 21:46:41,576+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.imaps.auth.gssapi.disable=true
2020-10-15 21:46:41,576+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.mime.decodeparameters=true
2020-10-15 21:46:41,578+0000 ERROR [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Unable to connect to the server at outlook.office365.com due to the following exception:
com.atlassian.jira.internal.mail.processor.errors.MailConnectionException: OAuth token not defined for connection. OAuth Authorisation required.
Stacktrace.....

Jira Software 8.12.2, JSD 4.12.2

Craig Shannon
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 21, 2020

Hi,

Can you try also adding the scope for POP as well as IMAP? I am not sure why as I could not replicate this on our test account, but this I believe resolved the issue for @Jan Kampling

https://outlook.office.com/IMAP.AccessAsUser.All

https://outlook.office.com/POP.AccessAsUser.All

You may also need this scope: https://outlook.office.com/offline_access

For more information on the Microsoft mail scopes, see here 

Thanks,

Craig. 

Jaswanth P October 2, 2022

I am in similar situation. All scopes are set right, and have full rights on the shared mailbox but keep getting authorization for the past 3 days. 

Any recommendations?

Florian Obradovic February 1, 2023

I have the same issue on JSD 5.4.0 and Exchange Online

  • sharedemailbox@domain.com
  • user-with-full-access-on-mailbox@domain.com is used to authorize OAuth2.0 flow

CleanShot 2023-02-02 at 00.17.41@2x.png

We couldn't connect to your mail server

CleanShot 2023-02-02 at 00.19.31@2x.png

/secure/admin/SDMailInfo.jspa - Status:

CleanShot 2023-02-02 at 00.27.01@2x.png

Here's the error we received: "OAuth token not defined for connection. OAuth Authorisation required."

Application Link:

CleanShot 2023-02-02 at 00.21.10@2x.png

We have multiple serviceDesks which have their own dedicated SharedMailbox. Using BasicAuthentication works fine by allowing IMAP+Basic Auth via ConditionalAccess and setting a password for the username of the shared Mailbox.

Workaround

For one of my serviceDesks I converted the SharedMailbox to a regular user and added an ExchangeOnline license.Then I used the same user/e-mail address in the JSD E-Mail Channel and to authorize it! 
CleanShot 2023-02-02 at 00.25.15@2x.png

Analysis:

The Microsoft Remote Connectivity Analyzer works for the user I just converted from the SharedMailbox: https://testconnectivity.microsoft.com/tests/O365Imap/input

CleanShot 2023-02-02 at 00.34.35@2x.png

It doesn't work with delegate access and doesn't matter if it's a SharedMailbox or a regular user.

Message: The IMAP server responded with an error status "3 BAD User is authenticated but not connected.".

CleanShot 2023-02-02 at 00.38.06@2x.png

CleanShot 2023-02-02 at 00.43.33@2x.png

Best regards, Flo.

Florian Obradovic February 1, 2023

Ok, the fix is easy.

Set a password for the username and use sharedmbox@domain.com & password for authorization!

It will tell you it fail, try again 1-5 times and wait 10 minutes or so - suddenly it turns green, wth?

That worked for all sharedMailboxes / email channels.
Going to bed now 😂

CleanShot 2023-02-02 at 01.07.16@2x.png

Like Huseyin Savas likes this
Florian Obradovic February 12, 2024

This hit me exactly one year later.

After digging around I found out that you have to do the following steps to make it work again with Shared Mailboxes.

  1. Convert Shared Mailbox to Regular Mailbox:
    CleanShot 2024-02-12 at 18.25.25@2x.png
  2. Assign an Exchange license to the user of the mailbox
  3. Connect to Exchange Online using PowerShell and make sure IMAP is still enabled
  4. Connect-ExchangeOnline
    Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}}|ft 
    # It should list your mailbox
  5. Check with Microsoft Remote Connectivity Analyzer:
    https://testconnectivity.microsoft.com/tests/O365Imap/input
  6. Check again in Jira and "Reauthorize"
  7. It should work now.
  8. Convert Regular Mailbox back to Shared Mailbox. 
  9. Wait at least 5 minutes !
  10. Remove Exchange License
  11. Connect to Exchange Online and make sure IMAP is still enabled.
    If not, re-enable IMAP:
  12. Get-CASMailbox -Identity your_shared_Mailbox@DOMAIN.com | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $true
  13. Wait 5-30 minutes (seriously!)
  14. Test in jira again. 
  15. Worked for us
Like Aaron Vo likes this

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events