Hi, I’m facing an issue when trying to use rpaframework 17.1.1 to log in to my company Exchange server. I’m getting:
KeyError: 'access_token'
Error on Robot Framework console output in Authorize keyword.
I’ve set up the application properly on Azure side.
Using App Password approach was not approved by our security team, so I have to go through OAuth2 setup.
And you have seen this example: Email Authorization with OAuth2 Flow robot and read this documentation: RPA.Email.Exchange library | Robocorp documentation
Do you have plans to add the Oauth2.py library functionality into your RPA.xxx libraries? As far as I understand, currently this additional helper library is needed to get a token and initialize Oauth2 flow?
You are correct, but at the moment there’s no plan on including it by default. As that helper library is very coupled to the robot example itself and it is available there (and not inside our official rpaframework one) in order to be customized if needed on a case by case.
Details
- PROVIDERS are adequate for a simple example, but a customer might need a specific scope custom to their app intended permissions configured in AD as well.
- Based on the security level, the permission URL might be upgraded with PKCE if somebody needs a more secure front-channel flow.
- The authorize_and_get_token function is open to token customization patching, like we’ve seen we needed afterwards with Microsoft because of the missing access token expiration time which created issues with certain versions of our underlying dependency exchangelib.
- There’s no automatic token refresh possible with the XOAUTH2 protocol (as we can see in generate_google_oauth2_string function), so that might improve in the future.
Conclusion
Once we get the OAuth2 flow sorted out on our side with Google & Microsoft as well, mature enough given the usage and edge-cases and stable enough to cover most of our customer cases, then we’ll have enough experience on knowing how to integrate this best by default in the library.
Alternative
For now we still recommend App Passwords (so avoiding OAuth2 entirely during automation) given the setup & usage complexity this flow brings.
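The points in the Details list above, as an added Python example that is not part of the original thread nor the Portal robot's helper library: a PKCE (S256) challenge for the permission URL, a token-response check that reports the provider's error instead of failing with KeyError: 'access_token' and fills in a missing expiry, and the XOAUTH2 string, which carries only a static bearer token. All function names, DEFAULT_LIFETIME and the URL and client values passed in are assumptions for illustration.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

DEFAULT_LIFETIME = 3600  # assumed fallback (seconds) when the provider omits expiry


def pkce_challenge(verifier):
    """S256 code_challenge (RFC 7636): unpadded base64url of SHA-256(verifier)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Return (code_verifier, code_challenge); keep the verifier for the token call."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 limit
    return verifier, pkce_challenge(verifier)


def permission_url(base_url, client_id, redirect_uri, scope, challenge, state):
    """Authorization-code URL carrying the PKCE challenge and an anti-CSRF state."""
    query = urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{base_url}?{query}"


def normalize_token(payload, now=None):
    """Validate a token-endpoint JSON body; never index 'access_token' blindly."""
    if "access_token" not in payload:
        # RFC 6749 error bodies carry 'error' / 'error_description' instead.
        reason = payload.get("error_description") or payload.get("error", "unknown")
        raise ValueError(f"token endpoint returned no access_token: {reason}")
    token = dict(payload)
    token.setdefault("expires_in", DEFAULT_LIFETIME)  # patch a missing expiry
    issued = time.time() if now is None else now
    token["expires_at"] = issued + int(token["expires_in"])
    return token


def xoauth2_string(username, access_token):
    """SASL XOAUTH2 initial response: a static bearer token, nothing to refresh with."""
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")
```

Because the XOAUTH2 string embeds the access token as-is, comparing expires_at with the current time before each login is what tells the robot to fetch a new token first.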
Thank you @cosmin for your detailed response! Azure App Passwords is actually something new for me, and I’ll take a look at that.
You’re welcome!
You can find more about App Password in the Portal example itself and under this article. Good luck!
Unfortunately, App Passwords were deprecated and disabled entirely by Microsoft, so no matter the tenant settings, you’ll get Unauthorized errors when trying to avoid the OAuth2 flow.
Community Slack announcement
Additionally, we included a new library called RPA.MSGraph which might overlap in the future with the ability to send e-mails as well.
Good news @erik.palen, we now support OAuth2 natively starting with rpaframework==19.4.1.
Check out this updated Portal example: Email Authorization with OAuth2 Flow robot