JENKINS-73486

Jenkins Email Extension plugin: OAuth 2.0 does not work with O365

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • email-ext-plugin
    • Jenkins version: 2.468
      Plugin version: 1814.v404722f34263

      This is more or less a follow-up to JENKINS-69414.

      While OAuth2 authentication may work for generic providers such as GMail, it does not work for Office365, as instead of using the client secret as a password, one has to first request an access token from "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token" using the client_credentials flow, then use that token as the password.

      Without this, as in, using the client secret as a password, authentication always fails:

      14:40:44 DEBUG SMTP: AUTH XOAUTH2 failed
      14:40:44 AuthenticationFailedException message: 535 5.7.3 Authentication unsuccessful [VI1PR0102CA0059.eurprd01.prod.exchangelabs.com 2024-07-19T12:40:44.173Z 08DCA6EA4C774BA8] 

      If, however, you retrieve an access token using the aforementioned API, authentication succeeds and the e-mail gets delivered:

      354 Start mail input; end with <CRLF>.<CRLF>
      
      ------=_Part_33_1071535181.1721393717667--
      .
      250 2.0.0 OK <1621590247.34.1721393718389@c427e035ed5b> [Hostname=AM9PR03MB6802.eurprd03.prod.outlook.com]
      DEBUG SMTP: message successfully delivered to mail server
      QUIT 

      Example call:

      While one could simply call the API manually and configure the provided access token, this becomes quite tedious, as the token is only valid for an hour. I therefore request some sort of mechanism / configuration option in the plugin so it retrieves the token by itself.

      Relevant SO entry: https://stackoverflow.com/questions/73449562/jenkins-email-extension-plugin-and-oauth-2-0-query
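
The flow described above, as an added Python example that is not part of the original report or the plugin's code: request a client_credentials token from the endpoint named in the issue, reuse it until shortly before it expires, and build the XOAUTH2 string that carries the token in place of a password. The scope value, the `TokenCache` class, and the injectable `post` and `clock` parameters are assumptions made for this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"  # endpoint from the issue
SMTP_SCOPE = "https://outlook.office365.com/.default"  # assumption: scope for Exchange Online SMTP


def http_post_form(url, fields):
    """Default transport: POST a form, return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Fetches a client_credentials token and renews it shortly before expiry."""

    def __init__(self, tenant, client_id, client_secret, post=http_post_form,
                 clock=time.time, skew=300):
        self._url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe=""))
        self._fields = {"grant_type": "client_credentials", "client_id": client_id,
                        "client_secret": client_secret, "scope": SMTP_SCOPE}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        # Renew when no token is held or the held one is within `skew` seconds of expiry.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(self._url, self._fields)
            if "access_token" not in body:
                # Report only the error code; never echo the secret or a token.
                raise RuntimeError("token request failed: %s" % body.get("error", "unknown"))
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body.get("expires_in", 0))
        return self._token


def xoauth2_initial_response(user, access_token):
    """Base64 SASL XOAUTH2 string sent after 'AUTH XOAUTH2'."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(raw.encode()).decode()
```

The client secret only ever travels to the token endpoint; the SMTP server sees the short-lived access token, so a leaked SMTP debug log exposes at most an hour of access rather than the long-lived credential.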

          [JENKINS-73486] Jenkins Email Extension plugin: OAuth 2.0 does not work with O365

          Andreas Willinger created issue -
          Andreas Willinger made changes -
          Link New: This issue relates to JENKINS-69414 [ JENKINS-69414 ]

          Andreas Willinger added a comment - Any news on this? Is this plugin dead?

          Alex Earl added a comment -

          No, the plugin isn't dead. I just have a day job. I am not sure what to do here yet; I'll have to do some research.

          Alex Earl made changes -
          Assignee New: Alex Earl [ slide_o_mix ]

          Alex Earl added a comment -

          I believe I have a way of doing this, but I don't really have a way of testing, I don't think. I do have an office365 for work, but I am not sure if I can use that for testing purposes here.

          Andreas Willinger added a comment - Afaik you should automatically get a free Entra ID instance if you sign up for an O365 service like Exchange Online. At least it should be enough for testing.

            Assignee: Alex Earl (slide_o_mix)
            Reporter: Andreas Willinger (awillinger)