Updated by Hagen Mahnke 11 months ago
**As** an administrator
**I want to** configure IMAP authentication with an OAuth client credentials flow
**so that** I can use the inbound email feature with IMAP servers that support the OAuth client credentials flow - for example Microsoft Exchange.
The inbound emails feature is not usable with a Microsoft Exchange email server without this!
**Acceptance criteria**
* Auth method can be chosen from
  * Basic Auth (username & password)
  * OAuth client credentials
* When OAuth client credentials is chosen it's possible to either
  * Custom:
    * enter _client\_id_, _client\_secret_, _token\_url_ and _scope_
  * Use existing OpenID provider configuration
    * choose from list of existing OpenID providers
    * enter _scope_
* **Bonus**: Pre-fill known values when specific email servers are chosen
  * When choosing OAuth client credentials the following options are shown
    * Microsoft Exchange
    * Use existing OpenID provider configuration
    * Custom
  * When choosing Microsoft Exchange, pre-fill
    * token\_path (NOT URL) `/oauth2/v2.0/token`
      * We'd need to make it obvious that the admin needs to set the full URL, maybe it's better not to pre-fill this at all.
    * scope [`https://outlook.office.com/IMAP.AccessAsUser.All`](https://outlook.office.com/IMAP.AccessAsUser.All)
**Technical notes**
* Use [client credential flow](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/)
* When an existing OpenID provider is chosen, we'll request a token from the chosen provider and inject the scope required for IMAP access
  * Question: How do we store the correct scope to inject for this flow? The OpenID provider is configured with some scopes, but we'll need different scopes to get the emails via IMAP. Those scopes are not (completely) standardised, so users will need to be able to set them.
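A sketch of the custom client credentials path described above, added here as an illustration and not taken from the project's code. The helper names are hypothetical, Ruby is an assumed language, and the XOAUTH2 SASL string is an assumption about how the token is presented to the IMAP server (the page does not name the mechanism). The URL check addresses the token\_path concern: a bare path or a cleartext URL is rejected before the client secret is sent anywhere.

```ruby
require "uri"

# Hypothetical error class for this example.
class TokenUrlError < ArgumentError; end

# Accept only an absolute https URL. A pre-filled bare token_path such as
# "/oauth2/v2.0/token" or an http:// URL is refused, so the client secret
# is never posted to a relative or cleartext endpoint.
def validate_token_url(token_url)
  uri = URI.parse(token_url.to_s)
  unless uri.is_a?(URI::HTTPS) && uri.host && !uri.host.empty?
    raise TokenUrlError, "token_url must be an absolute https URL"
  end
  raise TokenUrlError, "token_url must not embed credentials" if uri.userinfo
  uri
rescue URI::InvalidURIError
  raise TokenUrlError, "token_url is not a valid URL"
end

# Form body of a client credentials token request. The scope is passed in
# by the caller because, as the notes say, it is admin-configured.
def token_request_body(client_id:, client_secret:, scope:)
  URI.encode_www_form(
    grant_type: "client_credentials",
    client_id: client_id,
    client_secret: client_secret,
    scope: scope
  )
end

# Base64 XOAUTH2 initial response for IMAP AUTHENTICATE (assumed mechanism).
# Control characters are refused so neither field can smuggle in an extra
# \x01-separated key/value pair.
def xoauth2_initial_response(mailbox:, access_token:)
  [mailbox, access_token].each do |value|
    raise ArgumentError, "control character in SASL field" if value =~ /[\x00-\x1f]/
  end
  ["user=#{mailbox}\x01auth=Bearer #{access_token}\x01\x01"].pack("m0")
end
```
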
**Permissions and visibility considerations**
* Administrators
**Translation considerations**
* Don't translate
  * _Basic auth_
  * _OAuth_
  * _Client ID_
  * Client secret
  * Token URL
  * Scope
**Out of scope**
* OAuth with authorization code flow, as used by Gmail