Microsoft Oauth2.0 for incoming mails

This eventually worked fine with no further changes!

I'm going to blame MS for whatever that was

Chiming in because we had the same "solution" as Peter. It just eventually worked again.

We tried re-creating the OAuth2.0 integration, tested a few emails on two different projects. After about 3 days it eventually it just started working again using our original one. No changes made. I think it's a MS issue.

Hi @Baptiste Billy

Have you tried adding additional logging to see if this helps narrow down the issue and some of the other suggestions on this thread? 

When we see these issues, usually they are related either to the scopes, OAuth 2.0 client configuration or permissions on Azure which cause the token to be invalid. It might be worth verifying everything on Azure is setup correctly. 

Sorry I don't have anything more concrete, but as the error is on the Azure authentication side, it's hard to understand exactly why the token was rejected - perhaps you can get additional auditing/logs from Microsoft Azure Portal.

Thanks,

Craig. 

Hi Craig,

I tried this today again with the same result.

Scope is set correctly.

Any other idea?

Thanks a lot

Jan

@Craig Shannon  Any other hint? I need to get this running. :(

Hi, this also interested in this issue as i am experiencing the same issue - scope is IMAP and offline_access as stated in the above post.

According to our MS admin the token is verified correctly on the office365 side.

Is there any packages i can enable in jira to enable further logging?

Hi,

Sorry for the late response. It is possible to turn on additional logging on the mail library by setting the system property `-Dmail.debug=true`. This should give more information on what is happening during the authentication. For instructions on how to set system properties, see here. 

You can also try adding debug logging to the package `com.atlassian.jira.internal.mail.processor.feature.channel.connectionverifier`, however I checked the code and do not think we'll get much more info from this logging other than a message if the connection is ever successful. There should also be errors and warnings logged from this package which you should see in the logs. 

"Unable to connect to the server at <hostname> due to the following exception:"

Let me know if the mail.debug system property helps track down where the error is coming from. 

Thanks,

Craig. 

Hi,

We are also experiencing the same problem with configuring JSD email requests to use Microsoft Office365 and OAuth2.0, and get the exact same error message. ("OAuth token not defined for connection. OAuth Authorisation required.")
Configuring native Jira Incoming Mail servers using the same OAuth Integration works fine.

I've extended the logging and see this in atlassian-jira-incoming-mail.log when trying to authorize:

2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.imaps.auth.plain.disable=true
2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.imaps.auth.ntlm.disable=true
2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.debug=true
2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.imaps.auth.gssapi.disable=true
2020-10-15 21:46:38,242+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Adding system override mail.mime.decodeparameters=true
2020-10-15 21:46:40,223+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Connection to Mail Server established successfully
2020-10-15 21:46:40,296+0000 DEBUG [] https-jsse-nio-443-exec-25 mhaagen 1306x24373x2 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/INFOSEC/incomingemail/oauth/validateandsaveflow/743fe88d-8898-4819-855c-d6a6ef3ec728 Unable to open folder with URI 'inbox'
2020-10-15 21:46:41,573+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.imaps.auth.plain.disable=true
2020-10-15 21:46:41,573+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.imaps.auth.ntlm.disable=true
2020-10-15 21:46:41,576+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.debug=true
2020-10-15 21:46:41,576+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.imaps.auth.gssapi.disable=true
2020-10-15 21:46:41,576+0000 DEBUG [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Adding system override mail.mime.decodeparameters=true
2020-10-15 21:46:41,578+0000 ERROR [] https-jsse-nio-443-exec-21 mhaagen 1306x24399x3 ah4zwh 172.29.17.35,172.17.15.41 /rest/servicedesk/1/servicedesk/admin/email/test Unable to connect to the server at outlook.office365.com due to the following exception:
com.atlassian.jira.internal.mail.processor.errors.MailConnectionException: OAuth token not defined for connection. OAuth Authorisation required.
Stacktrace.....

Jira Software 8.12.2, JSD 4.12.2

Hi,

Can you try also adding the scope for POP as well as IMAP? I am not sure why as I could not replicate this on our test account, but this I believe resolved the issue for @Jan Kampling

https://outlook.office.com/IMAP.AccessAsUser.All

https://outlook.office.com/POP.AccessAsUser.All

You may also need this scope: https://outlook.office.com/offline_access

For more information on the Microsoft mail scopes, see here 

Thanks,

Craig. 

I am in similar situation. All scopes are set right, and have full rights on the shared mailbox but keep getting authorization for the past 3 days. 

Any recommendations?

I have the same issue on JSD 5.4.0 and Exchange Online

• sharedemailbox@domain.com
• user-with-full-access-on-mailbox@domain.com is used to authorize OAuth2.0 flow

We couldn't connect to your mail server

/secure/admin/SDMailInfo.jspa - Status:

Here's the error we received: "OAuth token not defined for connection. OAuth Authorisation required."

Application Link:

We have multiple serviceDesks which have their own dedicated SharedMailbox. Using BasicAuthentication works fine by allowing IMAP+Basic Auth via ConditionalAccess and setting a password for the username of the shared Mailbox.

Workaround

For one of my serviceDesks I converted the SharedMailbox to a regular user and added an ExchangeOnline license.Then I used the same user/e-mail address in the JSD E-Mail Channel and to authorize it! 

Analysis:

The Microsoft Remote Connectivity Analyzer works for the user I just converted from the SharedMailbox: https://testconnectivity.microsoft.com/tests/O365Imap/input

It doesn't work with delegate access and doesn't matter if it's a SharedMailbox or a regular user.

Message: The IMAP server responded with an error status "3 BAD User is authenticated but not connected.".

Best regards, Flo.

Ok, the fix is easy.

Set a password for the username and use sharedmbox@domain.com & password for authorization!

It will tell you it fail, try again 1-5 times and wait 10 minutes or so - suddenly it turns green, wth?

That worked for all sharedMailboxes / email channels.
Going to bed now 😂

This hit me exactly one year later.

After digging around I found out that you have to do the following steps to make it work again with Shared Mailboxes.

1. Convert Shared Mailbox to Regular Mailbox:
   
2. Assign an Exchange license to the user of the mailbox
3. Connect to Exchange Online using PowerShell and make sure IMAP is still enabled

4. Connect-ExchangeOnline
   Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}}|ft 
   # It should list your mailbox 

5. Check with Microsoft Remote Connectivity Analyzer:
   https://testconnectivity.microsoft.com/tests/O365Imap/input
6. Check again in Jira and "Reauthorize"
7. It should work now.
8. Convert Regular Mailbox back to Shared Mailbox. 
9. Wait at least 5 minutes !
10. Remove Exchange License
11. Connect to Exchange Online and make sure IMAP is still enabled.
    If not, re-enable IMAP:
    

12. Get-CASMailbox -Identity your_shared_Mailbox@DOMAIN.com | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $true

13. Wait 5-30 minutes (seriously!)
14. Test in jira again. 
15. Worked for us