POP3 Authentication with OAuth gives “Err Protocol error. Connection is closed”

问题

My company needs to upgrade an application to integrate two-legged OAuth 2.0 for POP3. I'm testing with an outlook online account and trying to authenticate on outlook.office365.com (I've also tried pop3.live.com).

I registered for an Exchange Online trial using my test outlook account.

I've registered my app on Azure and have enabled API Application Permissions for MS Graph (Mail.ReadWrite, Mail.Send) and Exchange (full_access_as_app). The same outlook account I used for the Exchange registration is the Global Admin of the Azure tenant.

I'm able to request a valid OAuth token from both the Graph and Exchange endpoints. However, when I use the token and try to log into the POP server, I get the following error:

<PopCmdSent>AUTH XOAUTH2 [token]</PopCmdSent>    
<PopCmdResp>-ERR Protocol error. Connection is closed. 10</PopCmdResp>

Followed by:

<error>POP3 authentication failed</error>

I'm not sure what this error means. Does my mail component need to be set up to use a different protocol (not sure if this is possible)? Could this be an issue with the way my application is registered/authenticated or with the Exchange security settings?

The login works fine if I use Basic Auth instead of OAuth.

I'm not sure how to troubleshoot this. Any info or suggestions would be much appreciated!

EDIT

I recently stumbled across this Microsoft article that references the same error, but it's related to Exchange Server 2007. The article says the solution is to increase the "MaxCommandSize" setting on the Exchange server from the default 40kb.

This is literally the only other place I've seen this error referenced online:

https://support.microsoft.com/en-ca/help/945552/error-message-when-you-try-to-connect-to-a-pop3-mailbox-on-exchange-se

I wonder if this is relevant for Exchange Online/Outlook? I'm unable to find a similar setting on my Exchange Online trial or Outlook mail settings

EDIT 2

I had an email exchange with a developer of the mail component I'm using (Chilkat Mailman). He has apparently been stuck on the same problem for a few months. He says the correct protocols for XOAUTH2 are implemented in the component and should work the same for any mail server.

However, he's also having difficulty linking the Azure app registration to a specific O365 account and getting the correct scope/permissions to authenticate the account.

It's good to hear that I'm not the only one struggling with this and that there isn't an obvious piece I'm missing. But also pretty concerning that the developer of a popular mail component is having trouble replicating what used to be an incredibly simple process.

Article he wrote on his current understanding (not sure if this is relevant):

https://cknotes.com/o365-imap-authentication-oauth-mfa-wtf/

回答1:

I found the solution which is working properly.

Add below scope

"https://outlook.office.com/POP.AccessAsUser.All" explicitly in the code during acquire token.

This is some kind of pseudo code in c#:

 private readonly string[] Scopes = new string[] { "outlook.office.com/POP.AccessAsUser.All" };
 m_clientApp=PublicClientApplicationBuilder.Create(m_mailAccount.ClientID) 
.WithAuthority($"{LoginURI}{m_mailAccount.TenantID}") .WithDefaultRedirectUri() .Build(); 
authResult = m_clientApp.AcquireTokenSilent(Scopes,existingUserID).ExecuteAsync().Result;