Thunderbird OAuth Configuration for Azure AD
Due to the upcoming disablement of basic authentication for O365 Exchange Online by Microsoft on 01/10/2022, we need to enable the use of modern authentication for Thunderbird in our tenant. To do this we have a rather strict security process in regard to reviewing how applications have been developed for OAuth before they can be approved for use. So to be able to authorise the Azure AD Enterprise App registration that is required for Thunderbird to connect to Exchange Online mailboxes using modern auth, I need to answer the questions below. I’ve spent a number of hours searching for this information online, including looking through the Thunderbird OAuth module files at the following locations, but haven’t been able to find the required information:
https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Providers.jsm
https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Module.jsm
https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2.jsm
The questions are:
"Does the application use OpenID Connect to authenticate the user? "
I believe this is yes but can’t see where this is explicitly stated
"Does the application validate signatures in tokens issued by the authorisation server? If the OpenID Connect id_token is used, make sure it is properly validated according to the JSON Web Signature, JSON Web Encryption, and OpenID specifications."
"Do you use a code library for your OpenID Connect implementation? If so, is it a certified OpenID Connect implementation?"
In the above .jsm files it states that it has been developed against the following RFC standards, but again I can’t find where this is explicitly stated: RFC 6749 Section 3.1, Section 3.2, Section 3.3, Section 2.3.1, Section 2.3.1
"What is the grant type used? Resource Owner Password Credentials and Implicit Grant must not be used."
I’ve found the following in the above .jsm files but I’m not sure of the grant type this is:
    if (aRefresh) {
      this.log.info(
        `Making a refresh request to the token endpoint: ${this.tokenEndpoint}`
      );
      data.append("grant_type", "refresh_token");
      data.append("refresh_token", aCode);
    } else {
      this.log.info(
        `Making access token request to the token endpoint: ${this.tokenEndpoint}`
      );
      data.append("grant_type", "authorization_code");
      data.append("code", aCode);
      data.append("redirect_uri", this.redirectionEndpoint);
    }
"Does the application use an established library to provide the OAuth functionality? If a bespoke implementation of OAuth has been used, have the state and redirect_uri parameters been used correctly? The app must use the state parameter (even though it is not mandatory). This prevents improper validation of the authorization initiator. If the application does not verify that the received token or authorization code was generated in the process initiated by it, the token can be overridden (the state parameter in the authorization request is used to make sure that the obtained authorization code or token was generated for your application.) The app must send a redirect_uri parameter not only to the /authorization endpoint, but also to the /token endpoint."
All I’ve been able to find for this is a reference to localhost.
"If a bespoke implementation of OAuth uses the authorization_code flow, has this been done securely?"
"Does the application store tokens in cookies or localStorage?"
Is this stored in the Thunderbird Password Manager?
"If tokens are stored in cookies, are best practices followed?"
If the Thunderbird Password Manager is used then this would be N/A
"Does the application validate tokens it receives? e.g. HMAC-based or RSA-based"
Apologies for such a list of very technical questions, but I have really tried to find this information and haven’t been able to. I’m also not an application developer, so it could be the case that I’ve been unable to interpret the information in the correct way.
Many thanks
Owain
Edited by owainwinterbone on
All replies (1)
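The questionnaire's requirements for the authorization_code grant (a state value checked on return, and redirect_uri sent to both the authorization and token endpoints) look like this in client code. This is an added JavaScript example, not Thunderbird's code and not part of the original post; the endpoints, client ID, redirect URI and function names are constructed placeholders.

```javascript
// Added example (not Thunderbird code): client side of the RFC 6749 section 4.1 grant.
// Web Crypto is a global in browsers and current Node; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const CONFIG = { // constructed placeholders, not real tenant values
  authorizationEndpoint: "https://idp.example/authorize",
  tokenEndpoint: "https://idp.example/token",
  clientId: "example-client-id",
  redirectUri: "http://localhost/callback",
};

// Unguessable per-request value that ties the callback to the request we started.
function newState() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function buildAuthorizationUrl(cfg, state) {
  const url = new URL(cfg.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: "code", // authorization-code grant, not implicit ("token")
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Returns the code only if the callback belongs to the request this client initiated.
function codeFromCallback(cfg, callbackUrl, expectedState) {
  const cb = new URL(callbackUrl);
  const expected = new URL(cfg.redirectUri);
  if (cb.origin !== expected.origin || cb.pathname !== expected.pathname) {
    throw new Error("callback does not match registered redirect_uri");
  }
  if (!expectedState || cb.searchParams.get("state") !== expectedState) {
    throw new Error("state mismatch: response was not initiated by this client");
  }
  const code = cb.searchParams.get("code");
  if (!code) throw new Error("no authorization code in callback");
  return code;
}

function buildTokenRequestBody(cfg, code) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: cfg.redirectUri, // must match the value sent to /authorize
    client_id: cfg.clientId,
  });
}
```

A reviewer answering the questionnaire can look for the same three points in any client: a random state stored before the browser is opened, a comparison of the returned state before the code is used, and redirect_uri present in the token request body.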
You have seen the source code. How the Microsoft proprietary authentication works I have no idea. I actually doubt most folk at Microsoft do either given the wide variety of comments I have seen in the implementation bug. https://bugzilla.mozilla.org/show_bug.cgi?id=1528136
I have been unable to do anything with this because Microsoft have chosen to only release this to paying business customers. As this is a peer support forum, you will need to find a peer that is paying for the Microsoft business package, that is aware of what you are talking about and has access to the appropriate information. A fairly tall order for this forum given all I have ever seen here is business folk asking questions, beyond the general consumer support type things.
You might get a response on the enterprise list, https://thunderbird.topicbox.com/groups/enterprise, or perhaps an offer to consult over your questions.