*products versions - {webMethods Integration Server version: 10.3 and above}
Introduction:
webMethods Integration Server supports OAuth 2.0 in Email Listener from 10.3 onwards. Since with Microsoft announcement related to disabling of Basic Authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online from Oct 1 2022 onwards, many users are now configuring Email listener with OAuth 2.0 to comply with the new Microsoft guidelines.
NOTE: In the Microsoft announcement, they are not disabling or changing any settings for SMTP AUTH, so Basic authentication will be working for sending mails (SMTP).
In this process of moving to OAuth 2.0 , user might encounter issues when trying to enable the Email listener. This article highlights the things that needs to be check in order to successfully enable a Email listener with OAuth settings.
Pre-requisite
- User has an account and setup application correctly in the Microsoft Azure. Please follow the article Setting up OAuth 2.0 compliant email listener in Integration Server using Microsoft Azure Active Directory (Azure AD) - Knowledge base - webMethods - Software AG Tech Community & Forums
- Latest IS core fixes are applied on the environment.
Troubleshooting Tips:
If Email listener with OAuth settings is not enabled , then please check:
"0068 Email Listener " component logging is set to TRACE in the Settings > Logging > View Server Logger Details
The “_ Auth URL ” and “ Access Token URL _” in the Email listener is in below format.
Auth URL :https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/tokenUser has specified correct secret in the “_ Client Secret _” field. Note: Secret ID is different from Client Secret.
_ Scope _ is defined correctly and must be “
offline_access https://outlook.office365.com/IMAP.AccessAsUser.All”“ Transport Layer Security ” is set to “Implicit”
The Truststore configured in the “Truststore Alias (optional)” field has the certificates of the Microsoft server. Generally JVM truststore (cacerts) have certificates from the popular sites including Microsoft .
If “_ Access Token Expiry Time ” is empty, it means Integration Server has not yet received the Access token from the Microsoft. So, please enter the “ Client Secret ” field and click on “ Get Authorization Code _” link again to get a new Authorization code and access token.
Once the Email listener is enabled but the service mentioned in the listener is not invoked , then please check below mentioned configurations. This information is already there in Online Help/Integration Server Administrator guide.
Check the “_ Access Mode ” of the port. It should be “ Allow by Default _” or the service is part of allowed list.
A user is specified in “_ Run services as user _” field in the Email Port. Otherwise the authentication details needs to be part of the Email message.
If “_ Send reply email with service output ” , “ Send reply email on error ” are set to “Yes” in the Email port, then make sure that “ Email Notification ” under " Settings > Resources _ " is configured correctly as those settings are used by Integration Server to send mails.
Additonal Notes:
- Integration Server support OAuth 2.0 for IMAP and SMTP (pub.client:smtp) only. Support of OAuth 2.0 for POP and “Email Notification” is planned and might be available in future fixes.
Useful links | Relevant resources
- Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra | Microsoft Docs
- Setting up OAuth 2.0 compliant email listener in Integration Server using Microsoft Azure Active Directory (Azure AD) - Knowledge base - webMethods - Software AG Tech Community & Forums
- POP, IMAP, and SMTP settings (microsoft.com)
- Basic Authentication Deprecation in Exchange Online – September 2022 Update - Microsoft Tech Community
Top comments (0)