#36356 Microsoft deprecation of basic authentication

Posted in ‘Akeeba Ticket System’

SatIntAKB

Over the holiday period ATS stopped fetching emails from our support mailbox (which runs on Microsoft 365 Exchange). After some investigation I found that Microsoft had disabled Basic Authentication for our accounts on December 26th. There is more information about this available in the link below, but from October 1st 2022 basic authentication for IMAP will be permanently disabled worldwide.

https://docs.microsoft.com/en-gb/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online 

Luckily Microsoft has provided an option to temporarily re-enable basic authentication and once I did this ATS began fetching emails successfully again. 

Microsoft's recommendation is that applications move over to using OAuth 2 for IMAP. I wanted to check if you are aware of this issue and if you have any plans for ATS to support OAuth 2?

Thank you in advance for your help!

nicholas
Akeeba Staff
Manager

ATS 4 for Joomla 3 will NOT be migrated to OAuth2 for Microsoft accounts.

We are currently evaluating whether it is possible to implement OAuth2 for Microsoft accounts on ATS 5 for Joomla 4 and whether this makes sense as a long term commitment.

There are two major concerns with OAuth2 for email authentication.

The first one is that using OAuth2 to authenticate with email providers is not standardised and not supported natively in PHP. We can only offer support if the email provider supports XOAUTH2 and the only third party PHP library which implements this authentication method (Horde) continues to be maintained. This may restrict our ability to support this feature on newer versions of PHP or, if Horde is not updated, drop this feature completely. To give you a better idea of the current situation, we are currently using an obsolete version of PHP (7.2) and Composer (1.10) to get Horde through its PEAR repository (PEAR has been abandoned, Composer 1.10 is end of life and PHP 7.2 is also end of life). Horde itself does not support PHP newer than 7.3 so we are patching it using Rector to make it support PHP 8.0. We do not think this is a solution that can be maintained in the long run. Eventually there will be no environment capable of running the toolkit necessary to install the Horde library and we expect that the changes slated for PHP 9 will make this kind of hot patching completely impossible.

The second problem is that OAuth2 requires having a hosted service. Our experience with Google nearly two years ago is that the email providers WILL NOT authorise the creation of a generic hosted service (OAuth2 application) whose purpose is to relay credentials to a client like ATS — even though they have done exactly that for email applications like Thunderbird. This necessitates that the user (you) create an OAuth2 application and set it up correctly for your email account or, more generally, email accounts for your organisation.

Our recommendation is to forward your emails to a different mailbox which can be accessed with regular authentication over the IMAP or POP3 protocol. This will allow you to retrieve emails without having to go through the complicated OAuth2 setup and without risking losing support for it if you upgrade PHP. 

We will continue monitoring the situation of email retrieval through PHP —an issue which affects the entire PHP ecosystem, not just our software— and re-evaluate the viability of the email fetch feature as a result.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
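
For readers unfamiliar with the XOAUTH2 mechanism mentioned in the reply above, this added example (not part of the ticket, and not ATS or Horde code) shows the three pieces an IMAP client has to handle: detecting the capability, building the SASL initial response, and decoding the server's rejection challenge. It follows the publicly documented XOAUTH2 SASL format; the function names, mailbox address, token and server lines are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** True if a CAPABILITY response line advertises the XOAUTH2 SASL mechanism. */
function serverOffersXoauth2(string $capabilityLine): bool
{
    $atoms = preg_split('/\s+/', strtoupper(trim($capabilityLine)));
    return in_array('AUTH=XOAUTH2', $atoms, true);
}

/** Build the base64 argument of "AUTHENTICATE XOAUTH2 <arg>". */
function xoauth2InitialResponse(string $user, string $accessToken): string
{
    // Fields are separated by Ctrl-A (0x01). A control character inside either
    // value could inject an extra field or a second IMAP command, so refuse it.
    foreach ([$user, $accessToken] as $value) {
        if ($value === '' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException('Empty value or control character in XOAUTH2 field');
        }
    }
    return base64_encode("user={$user}\x01auth=Bearer {$accessToken}\x01\x01");
}

/** Decode the "+ <base64 JSON>" continuation a server sends when it rejects the token. */
function decodeXoauth2Failure(string $continuationLine): array
{
    if (strncmp($continuationLine, '+ ', 2) !== 0) {
        throw new UnexpectedValueException('Not a continuation response');
    }
    $json = base64_decode(trim(substr($continuationLine, 2)), true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data)) {
        throw new UnexpectedValueException('Malformed XOAUTH2 error challenge');
    }
    return $data;
}

// Constructed sample data: no real account, token or server output.
$capability = '* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS';
$challenge  = '+ ' . base64_encode('{"status":"401","schemes":"bearer","scope":"https://example.invalid/imap"}');

if (serverOffersXoauth2($capability)) {
    $arg = xoauth2InitialResponse('support@example.com', 'CONSTRUCTED.ACCESS.TOKEN');
    echo "C: A1 AUTHENTICATE XOAUTH2 {$arg}\r\n";
}
$failure = decodeXoauth2Failure($challenge);
echo "S: token rejected, status {$failure['status']}; the client replies with an empty line\n";
```

The access token is a bearer credential and the base64 wrapper is only an encoding, so the AUTHENTICATE line must be kept out of debug logs and sent only over TLS.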

SatIntAKB

Thank you very much for the detailed reply. I understand it's a complicated situation and will go ahead with your recommendation to forward emails to a different mailbox which supports basic authentication over IMAP. 
