#698 5.1.0 - ADFS authentication is broken for O365Modern

[rickyrockrat]

davmail bails on 302 response after the NTLM authenticate request.

There is another redirect request after a successful ADFS authorization. There appear to be various issues starting about line 287 - I believe it should be getResponseHeader (not Request) to find the location (which does have Location set). Once we get past that error checking (I've added some additional code to print out bits), the logic is not working with the 302 response. I'm thinking another get should be run on the new URL.

[rickyrockrat]

More detail - I added another get after retreiving the location from the respons, and I am presented with yet another form post. I also notice when I reload the browser URL, I get about 21 consecutive 302s before the browser does a GET for https://outlook.office.com/owa/ev.owa2?ns=PendingRequest&ev=PendingNotificationRequest&UA=0&cid=756d8773-02f1-4d21-9d82-ae9979fd36c4&ecnsq=1&X-OWA-CANARY=X58hTgU2Dkm-zJoYxiLga-C1j_R9cdYYf6wgA79Pyy1vYVp_k16LnsPXPCplNP0-JiZPGsJGjJU

[rickyrockrat]

Here is the bit of code I added to src/java/davmail/exchange/auth/O365Authenticator.java

location = targetMethod.getResponseHeader("Location").getValue();
        if (location.contains("code=") && location.contains("&session_state=")) {
            String code = location.substring(location.indexOf("code=") + 5, location.indexOf("&session_state="));
            LOGGER.debug("Authentication Code: " + code);
            return code;
        }else {
            GetMethod redirectMethod = new GetMethod(location);
            try {
                httpClient.executeMethod(redirectMethod);
                responseBodyAsString = redirectMethod.getResponseBodyAsString();
            } finally {
                redirectMethod.releaseConnection();
            }
            LOGGER.debug(responseBodyAsString);
        }
        //LOGGER.debug("Location is: " +location);
        throw new IOException("Unknown ADFS authentication failure");

And the last bit that comes back (from LOGGER.debug(responseBodyAsString);) is:

2019-01-03 06:13:39,535 DEBUG [ImapConnection-42122] davmail.exchange.auth.O365Authenticator - <title>Working...</title>

<form action="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" method="POST" name="hiddenform"><input type="hidden" name="ctx" value="rQIIAdNiNtQztFIxgAAjXRCpa5CWZqibnApiIYEiIS6BstgLv-oPBbhMec33wDIpiH8HI-MFRsYXjIyTmERSiguKMvPSU4sccjOTi_Lz9JLzc28x8fs7lpZkGIGI_KLMqtRPTKyFpalFlauYZTNKSgqKrfT180tLcvLzs_Xy09Iyk1ONzUxBOjcxswHJ3Py8G8yMj5ixGn6BhfEVC48BsxUHB5sAowSDAsMPFsZFrEBnPrysk_dpX77TZrmSp9tWCTCcYtUvMchPDfQLyDVJSc9zdg_yCCkxLPAPcjcuSc1JtIw0Ms3QD8-J9AxxDLMotjW0MpzAxviBjamDnWEXpw3MnTn56Zl5emD7i_PTSvLzcjLzUkEO0Ye4VD8_EeRV_bzEksyy1OSczNS8kh-cjLe4RIwMDC11DQx1DYwVDI2tgMjYIgoA0"><input type="hidden" name="flowtoken" value="AQABAAEAAAC5una0EUFgTIF8ElaxtWjTAzeAdUH2DwoL1xqg4hPXQxwDsZKLWcC61pJf8eNDNVsHYYeVb3LidS5bkCsrBpe4iaO1WWaBz4RJwf4UNeUVyz0aOWXJPdT1ffSuOM25rrbMIRdLA1XgGVKXa1lcna42Pv5_oKz03U9g7DWow4p9FN0vXcYydSmwTP43YtY-AxFuAj6JvI2GRdV-OKee4GYxddBcW13dM_pjJEU35cjWX9TQcYpublK_0aRIOq7e3lcp4imsK1QK9UQkwY9M1rtUCeViY0mfiDvu6ENV_w4eCqUtcXM3OckbfvSrSrzWNo5K6U2hZwqL9Aun58VTr2pUYWmWFkFd5AAvkLZOSQOeMGZLnTNgkFHtdVno1t-TUPtBu4_FT5DoRlJ3j2LB2HKVop-qdgJjVvIeh7B3k2EgVwdbl5i60pFpV7pOwO4pfdMvpiTUB3QthIt-KruEphz7kxZv28SHGXYQulWjrETbexsdWwcIRpKg_ICur_VJU3nKdbNi5a3OS_0e1bFIKGkkdFawScSt8SG0FwgdbYIbqm6eAn7ilLWlQGZbMqbMjyAn0MKD1aCTTu-rLqFuNExrZlj87KMB2I6EKvZiFLWZ5DdMTx521YSgpZblq7R_w0TeSz-aTJ4z0pC4M_2Eeouilx9RucrzbiLd634f3kwwlJJxYEicUywRdtjLRDl0w7zmQocCOiYfu35W8ddOJADNz3mhEDnVem62_N2x8u1mY6PVoYt6w_LQB0_RzPsgxBYgAA"><noscript>

Script is disabled. Click Submit to continue.

<input type="submit" value="Submit"></noscript></form><script language="javascript">document.forms<span>[0]</span>.submit();</script>

[Mickael Guessant]

Didn't notice this, my code was similar => added a new step to submit this form.

=> the next step will probably be client certificate validation.

Found this interesting doc on device registration:
https://ping.force.com/Support/PingFederate/Integrations/Automatic-Azure-AD-device-registration-for-Windows-10-devices

[rickyrockrat]

Here is the latest against 2923. Looks like you need a 302 loop until you get something besides 302.

[Mickael Guessant]

Sorry, wrong header check => new fix available.
Now we should call https://device.login.microsoftonline.com

[rickyrockrat]

Giving me a build error with org.jetbrains.annotations. I'm still trying to figure out how to get that available on my system. Might be Monday before I get back to it.
[javac] /src/davmail/davmail-code-r2926/src/java/davmail/exchange/ews/EWSMethod.java:37: error: package org.jetbrains.annotations does not exist
[javac] import org.jetbrains.annotations.NotNull;
Thought I would try to get Maven to run, so added this to the pom:
<dependency>
<groupid>org.jetbrains</groupid>
<artifactid>annotations</artifactid>
<version>16.0.2</version>
</dependency>

    But Maven is complaining about other things now. Sheesh. Nothing I do goes smoothly.

[rickyrockrat]

Got 'er figured out, just downloaded the annotations jar to lib. Might want to add that to your repo.

[rickyrockrat]

Here is the latest log from 2926.

[Mickael Guessant]

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application
=> you are using OWA clientId, please try Outlook values instead;

davmail.oauth.clientId=d3590ed6-52b3-4102-aeff-aad2292ab01c
davmail.oauth.redirectUri=urn:ietf:wg:oauth:2.0:oob

Source: https://officeclient.microsoft.com/config15

[rickyrockrat]

I'll be darned. it worked. My username is user@company.com for both outgoing and incoming. The domain, for whatever reason, is not needed. I've attached my working properties file for the other lost souls in the cloud...
Thanks a million.

[Mickael Guessant]

Great news, wouldn't have been possible without your feedback.

Thanks to you.

[Mickael Guessant]

Released in 5.2.0