« HiDPI for ChartDirect… | Home | Moving data from ODBC… »

More follow up on oAuth for Office 365

There is more to come based on questions and feedback.


If you like to change our IMAP example to use oAuth, please use script steps like this:

Set Variable [ $r ; Value: MBS("CURL.SetOptionURL"; $curl; "imaps://outlook.office365.com/INBOX") ]
Set Variable [ $r ; Value: MBS("CURL.SetOptionXOAuth2Bearer"; $curl; "eyJ0eXAiOi...") ] // your oAuth token
Set Variable [ $r ; Value: MBS("CURL.SetOptionUserName"; $curl; "test@outlook.com") ] // no password needed!

You remove the CURL.SetOptionPassword there and add the CURL.SetOptionXOAuth2Bearer with the token. For the URL make sure you have the imaps protocol with the s. A typo in the URL and nothing will work. Don't forget the user name, which is usually the email from the account. This may be or may not be the same as the from or sender email.

Refresh Token

We updated the example database for 13.1 to include handling of refresh tokens. The tokens by default expire within 30 to 90 minutes. So you need to refresh the token. And your admin my

Please add offline_access to the scope to enable this. e.g. use this scope:

"offline_access https://outlook.office365.com/SMTP.Send https://outlook.office365.com/IMAP.AccessAsUser.All"

That is for offline_access to get the refresh_token, the SMTP and IMAP access permissions. You may leave away one of them if you like.

Please check the script on how to refresh the token. Since refresh tokens work some time, e.g. 90 days, you may need to do the refresh regularly to get a new access token and a new refresh token.

Enable flags in Office 365 admin settings

We run into several users, where SMTP, IMAP or offline access was not checked in the options. But his is Office 365 specific, so you need to find the right check marks to allow the user.

Book keeping

Please be aware, that you need to keep track of a lot of things here.
For each mail account, you need to store the current access token and the refresh token.
When you get such a token, please write down the current time in a field for each. The JSON from the server includes expires in values which provide a time in seconds for how long they are valid, so you can calculate the end timestamp and store them.

For the refresh, please store the scope used to get the original token as you need to specify the same scope again later for a refresh.

And since the client secret changes at least every 2 years, you need to store which secret belongs to which key as you may have at some point two client secrets in use in parallel.

See also
SMTP with OAuth for Office 365 in FileMaker article
Follow up on SMTP with OAuth for Office 365 in FileMaker
MBS @ FMTraining.TV - Microsoft Office 365 Authentication with oAuth 2

PS: Also check if you have a fmplugin extended privilege, which if not allowed, prevents the plugin from triggering scripts.
11 02 23 - 09:51