Troubleshooting OAuth 2.0 compliant Email Listener

Product versions: webMethods Integration Server 10.3 and above

Introduction:

webMethods Integration Server supports OAuth 2.0 in the Email Listener from 10.3 onwards. Since Microsoft announced that Basic Authentication for the Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online would be disabled from Oct 1 2022 onwards, many users are now configuring the Email listener with OAuth 2.0 to comply with the new Microsoft guidelines.

NOTE: The Microsoft announcement does not disable or change any settings for SMTP AUTH, so Basic authentication keeps working for sending mail (SMTP).

While moving to OAuth 2.0, users might encounter issues when trying to enable the Email listener. This article highlights the things that need to be checked in order to successfully enable an Email listener with OAuth settings.

Pre-requisite

  1. The user has an account and has set up the application correctly in Microsoft Azure. Please follow the article Setting up OAuth 2.0 compliant email listener in Integration Server using Microsoft Azure Active Directory (Azure AD) - Knowledge base - webMethods - Software AG Tech Community & Forums
  2. Latest IS core fixes are applied on the environment.

Troubleshooting Tips:

If the Email listener with OAuth settings cannot be enabled, then please check:

  1. "0068 Email Listener" component logging is set to TRACE under Settings > Logging > View Server Logger Details.

  2. The "Auth URL" and "Access Token URL" in the Email listener are in the format below:
    Auth URL: https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/authorize
    Access Token URL: https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token

  3. The user has specified the correct secret in the "Client Secret" field. Note: the Secret ID is different from the Client Secret.

  4. The Scope is defined correctly and must be "offline_access https://outlook.office365.com/IMAP.AccessAsUser.All".

  5. "Transport Layer Security" is set to "Implicit".

  6. The Truststore configured in the "Truststore Alias (optional)" field has the certificates of the Microsoft server. Generally the JVM truststore (cacerts) has certificates for popular sites, including Microsoft.

  7. If "Access Token Expiry Time" is empty, it means Integration Server has not yet received the Access token from Microsoft. So, please enter the "Client Secret" field again and click the "Get Authorization Code" link again to get a new Authorization code and access token.

  8. If the Email listener is enabled but the service mentioned in the listener is not invoked, then please check the configurations mentioned below. This information is already available in the Online Help / Integration Server Administrator guide.

  9. Check the "Access Mode" of the port. It should be "Allow by Default", or the service must be part of the allowed list.

  10. A user is specified in the "Run services as user" field of the Email Port. Otherwise the authentication details need to be part of the Email message.

  11. If "Send reply email with service output" or "Send reply email on error" is set to "Yes" in the Email port, then make sure that "Email Notification" under "Settings > Resources" is configured correctly, as those settings are used by Integration Server to send mails.
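The checks in items 2 to 7 can be run against the listener's settings before the listener is enabled. The following Python script is an added example, not code from the article or from Software AG: the field names in the `cfg` dictionary, the `client_id` and `redirect_uri` parameters and all sample values are assumptions. Besides validating the settings, it composes the authorization-code request that the "Get Authorization Code" link opens and the form body that is posted to the Access Token URL, so the two endpoint URLs and the scope can be seen in the context of the OAuth 2.0 authorization code flow they serve.

```python
# Added example (not part of the Software AG article): pre-flight checks for the
# OAuth 2.0 settings of an Integration Server Email Listener, encoded from the
# troubleshooting list above. Keys in `cfg` are assumed labels, not IS field names.
import re
from urllib.parse import urlencode

MS_LOGIN = "https://login.microsoftonline.com"
# Expected v2.0 endpoint shapes; the tenant ID segment is captured so both URLs
# can be compared against each other.
AUTH_URL_RE = re.compile(rf"^{re.escape(MS_LOGIN)}/([^/]+)/oauth2/v2\.0/authorize$")
TOKEN_URL_RE = re.compile(rf"^{re.escape(MS_LOGIN)}/([^/]+)/oauth2/v2\.0/token$")
# Scope the article requires: IMAP access plus offline_access for a refresh token.
REQUIRED_SCOPES = {"offline_access", "https://outlook.office365.com/IMAP.AccessAsUser.All"}
# The Azure portal shows a secret's *ID* (a GUID) next to its *value*; only the value works.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_listener_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means the settings pass every check."""
    findings = []
    auth = AUTH_URL_RE.match(cfg.get("auth_url", ""))
    token = TOKEN_URL_RE.match(cfg.get("access_token_url", ""))
    if not auth:
        findings.append("Auth URL must be " + MS_LOGIN + "/{TenantID}/oauth2/v2.0/authorize")
    if not token:
        findings.append("Access Token URL must be " + MS_LOGIN + "/{TenantID}/oauth2/v2.0/token")
    if auth and token and auth.group(1) != token.group(1):
        findings.append("Auth URL and Access Token URL point at different tenants")

    secret = cfg.get("client_secret", "")
    if not secret:
        findings.append("Client Secret is empty")
    elif GUID_RE.match(secret):
        findings.append("Client Secret looks like a Secret ID (GUID); paste the secret value instead")

    missing = REQUIRED_SCOPES - set(cfg.get("scope", "").split())
    if missing:
        findings.append("Scope is missing: " + " ".join(sorted(missing)))

    if cfg.get("transport_layer_security") != "Implicit":
        findings.append("Transport Layer Security must be Implicit")

    if not cfg.get("access_token_expiry_time"):
        findings.append("Access Token Expiry Time is empty: no access token received yet; "
                        "re-enter the Client Secret and use 'Get Authorization Code' again")
    return findings


def build_authorize_url(auth_url: str, client_id: str, redirect_uri: str, scope: str) -> str:
    """Compose the authorization-code request the 'Get Authorization Code' link opens."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": scope}
    return auth_url + "?" + urlencode(params)


def build_token_request(client_id: str, client_secret: str, redirect_uri: str,
                        code: str, scope: str) -> dict:
    """Form body posted to the Access Token URL to redeem the authorization code."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "scope": scope}


if __name__ == "__main__":
    # Constructed sample settings with a placeholder tenant and secret.
    sample = {
        "auth_url": MS_LOGIN + "/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
        "access_token_url": MS_LOGIN + "/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
        "client_secret": "<client-secret-value>",
        "scope": "offline_access https://outlook.office365.com/IMAP.AccessAsUser.All",
        "transport_layer_security": "Implicit",
        "access_token_expiry_time": "",
    }
    for finding in check_listener_config(sample):
        print("-", finding)
```

Run it with the listener's own values in place of the constructed sample. A Client Secret that matches the GUID pattern is almost always the Secret ID copied from the Azure portal instead of the secret value, which is the mistake item 3 warns about; an empty expiry time after a successful save means the authorization code was never exchanged, so item 7 applies.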

Additional Notes:

  1. Integration Server supports OAuth 2.0 for IMAP and SMTP (pub.client:smtp) only. Support of OAuth 2.0 for POP and "Email Notification" is planned and might be available in future fixes.

Useful links | Relevant resources

  1. Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra | Microsoft Docs
  2. Setting up OAuth 2.0 compliant email listener in Integration Server using Microsoft Azure Active Directory (Azure AD) - Knowledge base - webMethods - Software AG Tech Community & Forums
  3. POP, IMAP, and SMTP settings (microsoft.com)
  4. Basic Authentication Deprecation in Exchange Online – September 2022 Update - Microsoft Tech Community