Token Returned, Authentication Error in mbsync

[jpowellrussell]

Hi @harishkrupo,

First off, thank you for writing this script and the step-by-step instructions here - they've been incredibly helpful to someone just starting out learning how this kind of authentication works. I have a slightly different error than issue #2.

When I run oauth2ms directly from the shell, I get a token that when plugged into jwt.ms seems correct (unique_id, scope, tenant and client ID all look right - but I do not know much about what I am looking at and might be missing something).

When I run mbsync -V, I receive the following output:

Opening far side store rice-remote...
Resolving outlook.office365.com... ok
Connecting to outlook.office365.com (52.96.103.18:143)...
Opening near side store rice-local...
Connection is now encrypted
Logging in...
Authenticating with SASL mechanism XOAUTH2...
Error performing SASL authentication step: SASL(-1): generic failure: Unable to find a callback: 18948

Here's the relevant part of my .mbsyncrc:

Host outlook.office365.com
User jr75@rice.edu
AuthMechs XOAUTH2
Passcmd oauth2ms

Searching for the whole or part of that error message has not gotten me to anything that has helped me. I am on macos and had to install the cyrus-sasl-xoauth2 plugin to /usr/local/lib/sasl2 instead of /usr/lib/sasl2, so it might be something with not finding the right plugin, but I was receiving a different error message before, and I think that I've resolved that piece of it. Changing to passcmd "oauth2ms --encode-xoauth2" returned the same behavior.

So my working hypothesis is that oauth2ms is properly fetching a token, mbsync is finding something to attempt xoauth2, but perhaps not the right plugin. It's also possible there's a setting in my azure that has been set by my organization's IT department that prevents this from working without an extra step (for example, I had to request permission the first time I ran oauth2ms, but that was granted).

I realize this is likely outside of the scope of issues for oauth2ms, but any troubleshooting advice you have would be much appreciated.

[harishkrupo]

Comparing with the logs that you pasted, looks like this line in the mbsync code fails and here it looks like they are checking if xoauth2 is supported by sasl before trying that method. This probably means that the xoauth2 library is loaded correctly. I am not sure what else could be causing this. You can try the below options to debug further:

• One option would be try the troubleshooting options given here: https://www.cyrusimap.org/sasl/sasl/sysadmin.html#troubleshooting.
• Another definite way to figure out the reason would be to build debug versions of mbsync/cyrus-sasl/cyrus-sasl-xoauth2 yourself and try to step through the code. This might be a bit difficult and time consuming but will certainly help you solve the problem

Sorry, I don't use MacOS so I am unable to help much. Let me know if you find the solution, It will help others too. If you are stuck somewhere, please post here. I might be able to help :)

Note: --encode-xoath2 is not needed for passcmd. The token is encoded internally.

[jpowellrussell]

@harishkrupo Thanks so much for tracking that down - I'm barely comfortable finding relevant code on github, and I'm less familiar with sourceforge (also, not knowing a lick of C doesn't help either). This is a good starting place - it might take me a while and I might have to learn a lot to work it out, but I at least have an idea of where to start looking.

I'll post anything I figure out here.

[guibor]

Hi! Wondering if anyone figured anything out. I would love to use this plugin on Mac OS.

[leothelocust]

bump, same issue here... @jpowellrussell did you ever resolve this?

[averter]

I think I've got a lead on this one (despite also sucking at C). Try to 1) run mbsync despite the error, and then 2) check your syslog file; since I am using linux mint for me that's less /var/log/syslog. You should see this message

mypcname sasl-xoauth2: auth failed: 2022-07-24 18:05:22: TokenStore::Read: failed to open file <<my token>>

My conclusion is that the sasl-xoauth2 plugin is waiting for a file but is receiving the token from oauth2ms in another format (a string perhaps) and thus returns an error. Any thoughts?

[epichub]

I was using mbsync 1.5 (isync-git on arch aur) - downgrading to isync 1.4.4 (official package) made this problem dissapear for me.
Using aur/cyrus-sasl-xoauth2-git and:

IMAPAccount <accname>
Host outlook.office365.com
Port 993
User <user>
SystemCertificates yes
AuthMechs XOAUTH2
SSLType IMAPS
SSLVersions TLSv1.1 TLSv1.2
PassCmd "oauth2ms"