evolution-ews: ADFS with external Outlook fails at OAuth2 login.
When attempting to authenticate with OAuth2, I will get stuck in an infinite loop of attempted sign ins.
Currently I have a setup as follows:
- An Outlook endpoint at mail.domain.tld/owa/
- An ADFS endpoint at adfs.srv.domain.tld/adfs/ls/
This educational environment requires OAuth version 2.
One hint I found by looking at the OAUTH2_DEBUG=1 output was that the token got generated as:
"token_type":"Bearer","scope":"https://outlook.office.com/EWS.AccessAsUser.All" ...
which I understand to be incorrect, as outlook.office.com is not the Outlook instance I have an account on. Not even logging in on the website as outlook.com will work; it gives errors, and it must go through mail.domain.tld.
I also later attempted to set the redirect URI to mail.domain.tld/owa/, but I'm unsure if this is the correct location, as this returns an error message of:
The redirect URI 'https://mail.domain.tld/owa/' specified in the request does not match the redirect URIs configured for the application '20460e5d-ce91-49af-a3a5-70b6be7486d1'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Version info: evolution 3.48.4 and evolution-ews 3.48.2.
An aside, but the login loop will also give a separate second window below the OAuth2 one with a user/password prompt for what it describes as "Calendar login", regardless of whether calendar is enabled or disabled in EWS. This may be a red herring.