OAuth for Mail Server

Role Required: SDAdmin

OAuth is a standard authorization protocol that provides secure access to protected resources by using access tokens instead of passwords. With OAuth, a resource owner can grant separate permissions to different clients that request access to the same resource, and can modify or revoke that access as needed.

OAuth authentication involves the following entities:
  1. Resource Owner: The user who owns the protected resource.
  2. Resource Server: The server that hosts the protected resource.
  3. Client: An end-user or an application requesting access to the protected resource.
  4. Authorization Server: The server that generates access tokens for the client with the resource owner's approval.
To access a protected resource, the client first obtains an authorization grant from the resource owner and then submits it to the authorization server. The authorization server validates the grant and issues an access token. The client uses this token to access the protected resource hosted by the resource server.
The OAuth authentication process is explained in the flowchart below:

In this scenario, AssetExplorer functions as the Client: it requests access to the mail server (Resource Owner) and obtains the authorization grant. The grant is processed by the authorization server of the respective mail service (G Suite for Gmail, Microsoft Azure for O365). After the resource owner approves, the authorization server issues an access token, and AssetExplorer uses that token to establish secure access to the mail server.
 

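The exchange described above (authorization request, grant returned to the client, grant exchanged for a token) as an added, self-contained Python example; it is not code from the article or from AssetExplorer. The endpoints, client ID, secret, redirect URL and scope are constructed placeholders, and the in-memory AuthorizationServer class stands in for Azure or G Suite so that both sides of the exchange run offline. It also shows two checks a client should make that the flowchart does not spell out: the state value must come back unchanged, and an authorization code is accepted only once.

```python
"""OAuth 2.0 authorization-code exchange, simulated offline (added example)."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders; real values come from the app registration.
AUTHORIZATION_URL = "https://auth.example.test/oauth2/v2.0/authorize"
TOKEN_URL = "https://auth.example.test/oauth2/v2.0/token"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"
REDIRECT_URI = "https://assetexplorer.example.test/oauth/callback"
SCOPE = "https://mail.example.test/mail.send"


class AuthorizationServer:
    """Toy authorization server: issues one-time codes, then access tokens."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self._codes = {}  # code -> (registered redirect_uri, granted scope)

    def authorize(self, query):
        """Resource owner approved: redirect back to the client with a code."""
        params = parse_qs(query, strict_parsing=True)
        if params["response_type"] != ["code"] or params["client_id"] != [self.client_id]:
            raise ValueError("unknown client or unsupported response_type")
        if params["redirect_uri"] != [self.redirect_uri]:
            raise ValueError("redirect_uri does not match the registration")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (self.redirect_uri, params["scope"][0])
        # state is echoed back unchanged so the client can match the reply
        return f"{self.redirect_uri}?{urlencode({'code': code, 'state': params['state'][0]})}"

    def token(self, form):
        """Token endpoint: authenticate the client, redeem the code exactly once."""
        params = parse_qs(form, strict_parsing=True)
        if params.get("client_secret") != [self.client_secret]:
            raise ValueError("client authentication failed")
        issued = self._codes.pop(params["code"][0], None)  # one-time use
        if issued is None:
            raise ValueError("invalid or reused authorization code")
        if issued[0] != params["redirect_uri"][0]:
            raise ValueError("redirect_uri mismatch")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": issued[1]}


def build_authorization_url(state):
    """Step 1: the client sends the resource owner to the authorization server."""
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state})
    return f"{AUTHORIZATION_URL}?{query}"


def parse_callback(redirect_url, expected_state):
    """Step 2: the grant arrives; reject replies whose state does not match."""
    params = parse_qs(urlsplit(redirect_url).query)
    if params.get("state") != [expected_state]:
        raise ValueError("state mismatch: possible forged or stale callback")
    return params["code"][0]


def build_token_request(code):
    """Step 3: form body POSTed to the token endpoint to exchange the grant."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET})


def obtain_code(server, state):
    """Steps 1-2 end to end against the toy server."""
    callback = server.authorize(urlsplit(build_authorization_url(state)).query)
    return parse_callback(callback, state)


def run_flow(server):
    """Complete exchange: returns the token response the client would store."""
    state = secrets.token_urlsafe(16)
    return server.token(build_token_request(obtain_code(server, state)))


if __name__ == "__main__":
    print(run_flow(AuthorizationServer(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)))
```

The client never sees the resource owner's mail password: it holds only its own client secret and the short-lived access token, which the resource owner can revoke at the authorization server without changing anything on the client.
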
Configuring Azure as the Authorization Server

To configure Azure as the authorization server:
  1. Log in to portal.azure.com.
  2. Under Azure services, go to App registrations > New registration.
  3. In the displayed page, enter a Name of your choice and choose the Supported account types.
  4. Under Redirect URI, copy-paste the Redirect URL of AssetExplorer.
  5. In the next page, you will find the application details. Copy the Client ID to AssetExplorer.
  6. Click Endpoints to open the right panel containing all endpoints.
  7. Copy the OAuth 2.0 authorization endpoint (v2) and the OAuth 2.0 token endpoint (v2) to Authorization URL and Token URL in AssetExplorer respectively.
  8. From the left panel, click Certificates & secrets > New client secret.
  9. In the displayed page, provide a Description for the client secret.
  10. Under Expires, choose the validity of the client secret and click Add.
  11. The client secret is generated. Copy the string displayed under Value to Client Secret in AssetExplorer.
  12. In the left panel, click API permissions > Add a permission.
  13. In the displayed right panel, click APIs my organization uses. Enter Office 365 in the search bar and select Office 365 Exchange Online from the displayed list of APIs.
  14. Choose Delegated Permissions > EWS and enable the check box to add the corresponding permission.
  15. SMTP Configuration:
     1. To configure SMTP, click API permissions > Add a permission in the left panel.
     2. In the displayed right panel, click Microsoft Graph.
     3. Choose Delegated Permissions > SMTP and enable the check box to add the corresponding permission.
     4. Click Add permissions.
  16. Mail Configuration: You can configure outgoing mail by clicking Microsoft Graph under Configured Permissions and making the necessary changes within Mail permissions.
  17. User Consent Settings: If user consent for the application is configured as Do not allow user consent in the User Consent Settings page in Azure, you need to grant admin consent for the configured application.
  18. Click Grant admin consent for <application name>. A confirmation window is displayed. Click Yes to proceed.
  19. Under Mail Server Settings in AssetExplorer, type the Scope based on your configuration. Click here to know more about scopes.
  20. Click Save.
     Ensure that you have not blocked pop-ups and redirects in your browser; otherwise the user consent window will not be displayed.
  21. Provide your login credentials (if required) and submit your consent for the permission. The login credential must be the same as the username configured in the mail server settings.

You have now configured Microsoft Azure as the authorization server for your organization, using Microsoft Outlook as the mail server.

Configuring G Suite as the Authorization Server

To configure G Suite as the authorization server:
  1. Log in to console.developers.google.com.
  2. In the displayed window, click Select a project > New Project.
  3. Enter the Project Name.
  4. Under Location, click Browse and select the parent organization.
  5. Click Create.
  6. In the left panel of the project details page, click APIs & Services > Library.
  7. From the available list of APIs, select Gmail API and click Enable. You can use the search option for quicker results.
  8. In the left panel, click OAuth consent screen and choose the User Type.
  9. Click Create.
  10. Click Add Scope and choose Gmail API.
  11. Click Add.
  12. The scope is displayed as shown in the screenshot below. Click Save and continue.
  13. In the left panel, click Credentials > Create Credentials > OAuth Client ID.
  14. In the displayed page, select Application type as Web Application and provide a name.
  15. Under Authorised redirect URIs, enter the Redirect URL of AssetExplorer.
  16. Click Create.
  17. A pop-up displays the Client ID and Client Secret. Copy these details to Client Details in AssetExplorer.
  18. Click DOWNLOAD JSON to download the file containing the authorization server details.
  19. Click OK.

You have now configured G Suite as the authorization server for your organization, using Gmail as the mail server.
 

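Both procedures above end with the same hand-copied values (authorization and token endpoints, client ID, client secret with an expiry, redirect URL) entered into AssetExplorer, and most setup failures come from a mistyped or mismatched value. The following added Python example, which is not code from the article or from AssetExplorer, sanity-checks those values before they are saved: for Azure it confirms that the URLs are the v2 endpoints from the Endpoints panel, that the client ID is a GUID, and that the client secret has not expired or is about to; for G Suite it reads the file produced by DOWNLOAD JSON and confirms that the AssetExplorer redirect URL is among the registered redirect URIs. The sample form values, the AssetExplorer redirect URL and the JSON contents are constructed placeholders; the EWS scope string is a known Microsoft scope identifier but is not taken from this article.

```python
"""Sanity checks on OAuth values copied into the mail server settings (added example)."""
import json
import re
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed sample inputs (placeholders, not values from the article).
AE_REDIRECT_URL = "https://assetexplorer.example.test/oauth/callback"

AZURE_FORM = {
    "authorization_url": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "client_id": "11111111-2222-3333-4444-555555555555",  # placeholder GUID
    "client_secret": "client-secret-placeholder",
    "client_secret_expires": "2025-01-31",                 # from the Expires choice
    "scope": "https://outlook.office365.com/EWS.AccessAsUser.All",
}

# Shape of the file that Google's DOWNLOAD JSON button produces (sample values).
GOOGLE_JSON = json.dumps({"web": {
    "client_id": "000000000000-abcdef.apps.googleusercontent.com",
    "client_secret": "client-secret-placeholder",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "redirect_uris": ["https://assetexplorer.example.test/oauth/callback"],
}})

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def check_azure(form, today, warn_days=30):
    """Return a list of problems with the Azure values; empty means all checks passed.

    today is an ISO date string so the check is reproducible."""
    today = date.fromisoformat(today)
    problems = []
    # Endpoints must be the v2 URLs copied from App registrations > Endpoints.
    for key, suffix in (("authorization_url", "/oauth2/v2.0/authorize"),
                        ("token_url", "/oauth2/v2.0/token")):
        u = urlsplit(form[key])
        if (u.scheme != "https" or u.netloc != "login.microsoftonline.com"
                or not u.path.endswith(suffix)):
            problems.append(f"{key}: expected the OAuth 2.0 (v2) endpoint")
    if not GUID_RE.match(form["client_id"]):
        problems.append("client_id: not an application (client) ID GUID")
    if not form["client_secret"]:
        problems.append("client_secret: copy the string under Value")
    expires = date.fromisoformat(form["client_secret_expires"])
    if expires <= today:
        problems.append("client_secret: expired; create a new client secret")
    elif expires - today <= timedelta(days=warn_days):
        problems.append(f"client_secret: expires in {(expires - today).days} days")
    if not form["scope"].strip():
        problems.append("scope: empty")
    return problems


def check_google(downloaded_json, ae_redirect_url):
    """Return a list of problems with the downloaded G Suite credential file."""
    web = json.loads(downloaded_json).get("web")
    if web is None:
        return ["no 'web' key: recreate the credential with Application type = Web application"]
    problems = []
    if not web.get("client_id", "").endswith(".apps.googleusercontent.com"):
        problems.append("client_id: unexpected format")
    if not web.get("client_secret"):
        problems.append("client_secret: missing")
    if ae_redirect_url not in web.get("redirect_uris", []):
        problems.append("redirect_uris: AssetExplorer redirect URL is not registered")
    return problems


if __name__ == "__main__":
    print(check_azure(AZURE_FORM, "2025-01-15"))
    print(check_google(GOOGLE_JSON, AE_REDIRECT_URL))
```

The secret-expiry check is the one most worth keeping: the validity chosen under Expires in step 10 of the Azure procedure is the date on which mail notifications stop with an authentication error, so warning ahead of it avoids an outage that otherwise looks like a mail server fault.
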
Troubleshooting & FAQs

If you're having trouble setting up OAuth authentication for your mail server, we suggest taking a look at our FAQs. Additionally, you can explore troubleshooting to resolve issues in the configuration process.

Related Articles
    • FAQs on OAuth for Mail Server
    • Outgoing Mail Server Settings
    • Default Mail Server Configurations
    • Troubleshoot Mail Server Settings
    • Remote AssetExplorer Server Functionalities