Add support for falling back to login password as secret

See #271

Author: simonrob

emailproxy.config

@@ -292,6 +292,15 @@ documentation = The parameters below control advanced options for the proxy. In
 	using catch-all accounts or the proxy's `--cache-store` parameter you must manually remove unencrypted secrets from
 	the local configuration file after the encrypted secret has been created (i.e., this will not be automatic).
 
+	- use_login_password_as_client_credentials_secret (default = False): When using the O365 client credentials grant
+	(CCG) flow, rather than encrypting the client secret (see above), the proxy can be instructed to use the given
+	IMAP/POP/SMTP login password as the client secret. This approach removes the risk of storing the unencrypted client
+	secret in the proxy's configuration file, and also means there is no risk of unauthorised account access when using
+	the O365 CCG flow in conjunction with the proxy's catch-all mode (see below). To enable this option, set
+	`use_login_password_as_client_credentials_secret` to True. Note that if a `client_secret` value is present in your
+	account's configuration entry, that value will be used instead of the given IMAP/POP/SMTP login password even if
+	this option is enabled. To avoid this, remove the entire `client_secret` line from the configuration entry.
+
 	- allow_catch_all_accounts (default = False): The default behaviour of the proxy is to require a full separate
 	configuration file entry for each account. However, when proxying multiple accounts from the same domain it can be
 	cumbersome to have to create multiple near-identical configuration profiles. To simplify this the proxy supports
@@ -308,4 +317,5 @@ documentation = The parameters below control advanced options for the proxy. In
 [emailproxy]
 delete_account_token_on_password_error = True
 encrypt_client_secret_on_first_use = False
+use_login_password_as_client_credentials_secret = False
 allow_catch_all_accounts = False

emailproxy.py

@@ -6,7 +6,7 @@
 __author__ = 'Simon Robinson'
 __copyright__ = 'Copyright (c) 2024 Simon Robinson'
 __license__ = 'Apache 2.0'
-__version__ = '2024-07-29'  # ISO 8601 (YYYY-MM-DD)
+__version__ = '2024-09-07'  # ISO 8601 (YYYY-MM-DD)
 __package_version__ = '.'.join([str(int(i)) for i in __version__.split('-')])  # for pyproject.toml usage only
 
 import abc
@@ -1125,6 +1125,11 @@ def get_oauth2_authorisation_tokens(token_url, redirect_uri, client_id, client_s
                 params['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
                 params['client_assertion'] = jwt_client_assertion
 
+            # CCG flow can fall back to the login password as the client secret (see GitHub #271 discussion)
+            elif oauth2_flow == 'client_credentials' and AppConfig.get_global(
+                    'use_login_password_as_client_credentials_secret', fallback=False):
+                params['client_secret'] = password
+
         if oauth2_flow != 'authorization_code':
             del params['code']  # CCG/ROPCG flows have no code, but we need the scope and (for ROPCG) username+password
             params['scope'] = oauth2_scope