-
-
Notifications
You must be signed in to change notification settings - Fork 101
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'client_credentials_password'
- Loading branch information
Showing
2 changed files
with
24 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -83,9 +83,9 @@ local_address = 127.0.0.1 | |
[Account setup] | ||
documentation = Accounts are specified using your email address as the section heading (e.g., [[email protected]], | ||
etc, below). Account usernames (i.e., email addresses) must be unique - only one entry per account is permitted. | ||
Each account section must provide values for `permission_url`, `token_url`, `oauth2_scope` and `redirect_uri`. If | ||
you are adding an account for a service other than the examples shown below then the provider's documentation should | ||
provide these details. | ||
Each account section must provide values for at least `token_url`, `oauth2_scope` and `client_id`. Depending on the | ||
OAuth 2.0 flow you are using, other values may also be required (see examples below). If you are adding an account | ||
for a service other than the examples shown below then the provider's documentation should provide these details. | ||
|
||
You will also need to add your own `client_id` and `client_secret` values as indicated below. These can either be | ||
reused from an existing source (such as another email client that supports OAuth 2.0), or you can register and use | ||
|
@@ -228,7 +228,6 @@ documentation = *** note: this is an advanced O365 account example; in most case | |
token_url = https://login.microsoftonline.com/*** your tenant id here ***/oauth2/v2.0/token | ||
oauth2_scope = https://outlook.office365.com/.default | ||
oauth2_flow = client_credentials | ||
redirect_uri = http://localhost | ||
client_id = *** your client id here *** | ||
client_secret = *** your client secret here *** | ||
|
||
|
@@ -237,7 +236,6 @@ documentation = *** note: this is an advanced O365 account example; in most case | |
token_url = https://login.microsoftonline.com/*** your tenant id here ***/oauth2/v2.0/token | ||
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access | ||
oauth2_flow = password | ||
redirect_uri = http://localhost | ||
client_id = *** your client id here *** | ||
client_secret = *** your client secret here *** | ||
|
||
|
@@ -246,7 +244,6 @@ documentation = *** note: this is an advanced Google account example; in most ca | |
token_url = https://oauth2.googleapis.com/token | ||
oauth2_scope = https://mail.google.com/ | ||
oauth2_flow = service_account | ||
redirect_uri = http://localhost | ||
client_id = file | ||
client_secret = *** your /path/to/service-account-key.json here *** | ||
|
||
|
@@ -255,7 +252,6 @@ documentation = *** note: this is an advanced Google account example; in most ca | |
token_url = https://oauth2.googleapis.com/token | ||
oauth2_scope = https://mail.google.com/ | ||
oauth2_flow = service_account | ||
redirect_uri = http://localhost | ||
client_id = key | ||
client_secret = *** your pasted service account JSON key file contents here, | ||
making sure to indent all lines by at least one space *** | ||
|
@@ -292,6 +288,15 @@ documentation = The parameters below control advanced options for the proxy. In | |
using catch-all accounts or the proxy's `--cache-store` parameter you must manually remove unencrypted secrets from | ||
the local configuration file after the encrypted secret has been created (i.e., this will not be automatic). | ||
|
||
- use_login_password_as_client_credentials_secret (default = False): When using the O365 client credentials grant | ||
(CCG) flow, rather than encrypting the client secret (see above), the proxy can be instructed to use the given | ||
IMAP/POP/SMTP login password as the client secret. This approach removes the risk of storing the unencrypted client | ||
secret in the proxy's configuration file, and also means there is no risk of unauthorised account access when using | ||
the O365 CCG flow in conjunction with the proxy's catch-all mode (see below). To enable this option, set | ||
`use_login_password_as_client_credentials_secret` to True. Note that if a `client_secret` value is present in your | ||
account's configuration entry, that value will be used instead of the given IMAP/POP/SMTP login password even if | ||
this option is enabled. To avoid this, remove the entire `client_secret` line from the configuration entry. | ||
|
||
- allow_catch_all_accounts (default = False): The default behaviour of the proxy is to require a full separate | ||
configuration file entry for each account. However, when proxying multiple accounts from the same domain it can be | ||
cumbersome to have to create multiple near-identical configuration profiles. To simplify this the proxy supports | ||
|
@@ -308,4 +313,5 @@ documentation = The parameters below control advanced options for the proxy. In | |
[emailproxy] | ||
delete_account_token_on_password_error = True | ||
encrypt_client_secret_on_first_use = False | ||
use_login_password_as_client_credentials_secret = False | ||
allow_catch_all_accounts = False |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters