
Thunderbird OAuth Configuration for Azure AD

  • 1 reply
  • 1 has this problem
  • 1 view
  • Last reply by Matt


Due to the upcoming disablement of basic authentication for O365 Exchange Online by Microsoft on 01/10/2022 we need to enable the use of modern authentication for Thunderbird in our tenant. To do this we have a rather strict security process in regard to reviewing how applications have been developed for OAuth before they can be approved for use. So, to be able to authorise the Azure AD Enterprise App registration that is required for Thunderbird to connect to Exchange Online mailboxes using modern auth, I need to answer the questions below. I’ve spent a number of hours searching for this information online, including looking through the Thunderbird OAuth module files at the following locations, but haven’t been able to find the required information:

https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Providers.jsm
https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Module.jsm
https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2.jsm

The questions are:

"Does the application use OpenID Connect to authenticate the user? "

I believe this is yes, but can’t see where this is explicitly stated.


"Does the application validate signatures in tokens issued by the authorisation server? If the OpenID Connect id_token is used, make sure it is properly validated according to the JSON Web Signature, JSON Web Encryption, and OpenID specifications."


"Do you use a code library for your OpenID Connect implementation? If so, is it a certified OpenID Connect implementation?"

In the above .jsm files it states that it has been developed against the following RFC standards, but again I can’t find where this is explicitly stated: RFC 6749, sections 3.1, 3.2, 3.3 and 2.3.1.


"What is the grant type used? Resource Owner Password Credentials and Implicit Grant must not be used."

I’ve found the following in the above .jsm files, but I’m not sure which grant type this is:

```javascript
if (aRefresh) {
  // Refresh of an existing session: grant_type=refresh_token
  this.log.info(
    `Making a refresh request to the token endpoint: ${this.tokenEndpoint}`
  );
  data.append("grant_type", "refresh_token");
  data.append("refresh_token", aCode);
} else {
  // First exchange after the user signs in: grant_type=authorization_code,
  // sending the code and the redirect_uri to the token endpoint
  this.log.info(
    `Making access token request to the token endpoint: ${this.tokenEndpoint}`
  );
  data.append("grant_type", "authorization_code");
  data.append("code", aCode);
  data.append("redirect_uri", this.redirectionEndpoint);
}
```


"Does the application use an established library to provide the OAuth functionality? If a bespoke implementation of OAuth has been used, have the state and redirect_uri parameters been used correctly? The app must use the state parameter (even though it is not mandatory). This prevents improper validation of the authorization initiator. If the application does not verify that the received token or authorization code was generated in the process initiated by it, the token can be overridden (the state parameter in the authorization request is used to make sure that the obtained authorization code or token was generated for your application.) The app must send a redirect_uri parameter not only to the /authorization endpoint, but also to the /token endpoint."

All I’ve been able to find for this is a reference to localhost.


"If a bespoke implementation of OAuth uses the authorization_code flow, has this been done securely?"


"Does the application store tokens in cookies or localStorage?"

Is this stored in the Thunderbird Password Manager?


"If tokens are stored in cookies, are best practices followed?"

If the Thunderbird Password Manager is used then this would be N/A.


"Does the application validate tokens it receives? e.g. HMAC-based or RSA-based"



Apologies for such a list of very technical questions, but I have really tried to find this information and haven’t been able to. I’m also not an application developer, so it could be the case that I’ve been unable to interpret the information in the correct way.

Many thanks

Owain


Modified by owainwinterbone

All replies (1)


You have seen the source code. How the Microsoft proprietary authentication works I have no idea. I actually doubt most folk at Microsoft do either given the wide variety of comments I have seen in the implementation bug. https://bugzilla.mozilla.org/show_bug.cgi?id=1528136

I have been unable to do anything with this because Microsoft have chosen to only release this to paying business customers. As this is a peer support forum, you will need to find a peer that is paying for the Microsoft business package, that is aware of what you are talking about and has access to the appropriate information. A fairly tall order for this forum, given all I have ever seen here is business folk asking questions beyond the general consumer support type things.

You might get a response on the enterprise list, https://thunderbird.topicbox.com/groups/enterprise, or perhaps an offer to consult over your questions.