locked
2-Legged OAuth Client Credentials Flow for POP3 and SMTP RRS feed

  • Question

  • My company distributes an application with a background service component that sends and receives mail from a single email account using SMTP/POP3.

    The app uses basic authentication, but we need to implement OAuth 2.0 now due to Microsoft's planned rollback of basic auth for POP3 (and likely SMTP in the future). We have been investigating the account setup and API permissions necessary to achieve this in Azure AD.

    Our current understanding is that it is possible to implement the 2-legged client credentials flow by getting an access token and then sending requests to the Graph API (eg. https://graph.microsoft.com/Mail.ReadWrite). However, our application is built to send and receive with the legacy SMTP/POP3 protocols and changing the mail features to send HTTP requests to the Microsoft API endpoints requires a partial redesign.

    It appears that only 3-legged flows are supported for the legacy SMTP and POP protocols. These permissions are only available as "delegated permissions" on the Graph API. There are no equivalent "application permissions" that would allow us to use these protocols from our background service without a user present to do the initial authentication.

    Integrating a browser redirect into the app for the initial authentication also requires a significant update to the application. The app is 14 years old and the original programmer is no longer at the company. Due to that fact as well as limited resources, we're hoping for a solution that doesn't involve implementing browser integration or major changes to the sending and receiving functions.

    Is it possible to implement a 2-legged OAuth flow to authenticate an account for sending and receiving over SMTP/POP3?

    Please let me know if any of our assumptions are incorrect. Any info or suggestions would be much appreciated!

    Friday, May 22, 2020 4:28 PM