From a5e5415ac73f65f81bc3c8d9282cd1bf6037eb50 Mon Sep 17 00:00:00 2001 From: Simon Robinson Date: Wed, 5 Jun 2024 08:56:37 +0100 Subject: [PATCH] Explain alternative scope values for O365 via regional providers --- emailproxy.config | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/emailproxy.config b/emailproxy.config index e4d55a8..4740d3a 100644 --- a/emailproxy.config +++ b/emailproxy.config @@ -109,6 +109,13 @@ documentation = Accounts are specified using your email address as the section h in the example below) in order to allow the proxy to refresh its access token on your behalf. The proxy will still work if this parameter is not included, but you will need to re-authenticate extremely often (about once per hour). + - The example Office 365 configuration entries below use an OAuth 2.0 scope that clearly specifies IMAP, POP and + SMTP permission. If you do not require one or more of these protocols, you may remove the relevant values to ensure + the access tokens obtained on your behalf are as precisely-targeted as possible. Conversely, it is also possible to + replace these specific scopes with the more generic `https://outlook.office365.com/.default`. Switching to a broader + scope value may also be needed if you are using a version of O365 delivered by a regional provider (e.g., 21Vianet). + See: https://github.com/simonrob/email-oauth2-proxy/issues/255 for more details and discussion. + - By default, new Entra (Azure AD) clients are accessible only within your own tenant. If you are registering a new client to use with the proxy (and do not want to make it available outside your own organisation) you will need to replace `common` with your tenant ID in the Office 365 `permission_url` and `token_url` values below. Alternatively,
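Review bot: the new bullet calls `https://outlook.office365.com/.default` "more generic" without saying what that scope actually grants; because `.default` requests every permission already consented to the client registration, it works against the least-privilege advice in the preceding sentence, so suggest stating that plainly, e.g. "`.default` requests all permissions granted to the client, so prefer the protocol-specific scopes unless your provider requires the broader value". The regional-provider sentence (21Vianet) would also be more useful if it said whether `permission_url` and `token_url` need changing alongside the scope, since the next bullet already tells users to edit those two values for tenant-specific clients. Minor style: "precisely-targeted" should be "precisely targeted" (no hyphen after an -ly adverb), and "See: https://..." reads better as "See https://...".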