trabajo-afectivo/lib/external_credential/microsoft365.rb

# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/

class ExternalCredential::Microsoft365

  def self.app_verify(params)
    request_account_to_link(params, false)
    params
  end

  def self.request_account_to_link(credentials = {}, app_required = true)
    external_credential = ExternalCredential.find_by(name: 'microsoft365')
    raise Exceptions::UnprocessableEntity, __('No Microsoft365 app configured!') if !external_credential && app_required

    if external_credential
      if credentials[:client_id].blank?
        credentials[:client_id] = external_credential.credentials['client_id']
      end
      if credentials[:client_secret].blank?
        credentials[:client_secret] = external_credential.credentials['client_secret']
      end
      # client_tenant may be empty. Set only if key is nonexistant at all
      if !credentials.key? :client_tenant
        credentials[:client_tenant] = external_credential.credentials['client_tenant']
      end
    end

    raise Exceptions::UnprocessableEntity, __('No client_id param!') if credentials[:client_id].blank?
    raise Exceptions::UnprocessableEntity, __('No client_secret param!') if credentials[:client_secret].blank?

    authorize_url = generate_authorize_url(credentials)

    {
      authorize_url: authorize_url,
    }
  end

  def self.link_account(_request_token, params)
    external_credential = ExternalCredential.find_by(name: 'microsoft365')
    raise Exceptions::UnprocessableEntity, __('No Microsoft365 app configured!') if !external_credential
    raise Exceptions::UnprocessableEntity, __('No code for session found!') if !params[:code]

    response = authorize_tokens(external_credential.credentials, params[:code])
    %w[refresh_token access_token expires_in scope token_type id_token].each do |key|
      raise Exceptions::UnprocessableEntity, "No #{key} for authorization request found!" if response[key.to_sym].blank?
    end

    user_data = user_info(response[:id_token])
    raise Exceptions::UnprocessableEntity, __("The user's 'preferred_username' could not be extracted from 'id_token'.") if user_data[:preferred_username].blank?

    channel_options = {
      inbound:  {
        adapter: 'imap',
        options: {
          auth_type: 'XOAUTH2',
          host:      'outlook.office365.com',
          ssl:       'ssl',
          user:      user_data[:preferred_username],
        },
      },
      outbound: {
        adapter: 'smtp',
        options: {
          host:           'smtp.office365.com',
          port:           587,
          user:           user_data[:preferred_username],
          authentication: 'xoauth2',
        },
      },
      auth:     response.merge(
        provider:      'microsoft365',
        type:          'XOAUTH2',
        client_id:     external_credential.credentials[:client_id],
        client_secret: external_credential.credentials[:client_secret],
        client_tenant: external_credential.credentials[:client_tenant],
      ),
    }

    if params[:channel_id]
      existing_channel = Channel.where(area: 'Microsoft365::Account').find(params[:channel_id])

      existing_channel.update!(
        options: channel_options,
      )

      existing_channel.refresh_xoauth2!

      return existing_channel
    end

    migrate_channel = nil
    Channel.where(area: 'Email::Account').find_each do |channel|
      next if channel.options.dig(:inbound, :options, :host)&.downcase != 'outlook.office365.com'
      next if channel.options.dig(:outbound, :options, :host)&.downcase != 'smtp.office365.com'
      next if channel.options.dig(:outbound, :options, :user)&.downcase != user_data[:preferred_username].downcase && channel.options.dig(:outbound, :email)&.downcase != user_data[:preferred_username].downcase

      migrate_channel = channel

      break
    end

    if migrate_channel
      channel_options[:inbound][:options][:folder]         = migrate_channel.options[:inbound][:options][:folder]
      channel_options[:inbound][:options][:keep_on_server] = migrate_channel.options[:inbound][:options][:keep_on_server]

      backup = {
        attributes:  {
          area:         migrate_channel.area,
          options:      migrate_channel.options,
          last_log_in:  migrate_channel.last_log_in,
          last_log_out: migrate_channel.last_log_out,
          status_in:    migrate_channel.status_in,
          status_out:   migrate_channel.status_out,
        },
        migrated_at: Time.zone.now,
      }

      migrate_channel.update(
        area:         'Microsoft365::Account',
        options:      channel_options.merge(backup_imap_classic: backup),
        last_log_in:  nil,
        last_log_out: nil,
      )

      return migrate_channel
    end

    email_addresses = [
      {
        realname: "#{Setting.get('product_name')} Support",
        email:    user_data[:preferred_username],
      },
    ]

    email_addresses.each do |email|
      next if !EmailAddress.exists?(email: email[:email])

      raise Exceptions::UnprocessableEntity, "Duplicate email address or email alias #{email[:email]} found!"
    end

    # create channel
    channel = Channel.create!(
      area:          'Microsoft365::Account',
      group_id:      Group.first.id,
      options:       channel_options,
      active:        false,
      created_by_id: 1,
      updated_by_id: 1,
    )

    email_addresses.each do |user_alias|
      EmailAddress.create!(
        channel_id:    channel.id,
        realname:      user_alias[:realname],
        email:         user_alias[:email],
        active:        true,
        created_by_id: 1,
        updated_by_id: 1,
      )
    end

    channel
  end

  def self.generate_authorize_url(credentials, scope = 'https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access openid profile email')
    params = {
      'client_id'     => credentials[:client_id],
      'redirect_uri'  => ExternalCredential.callback_url('microsoft365'),
      'scope'         => scope,
      'response_type' => 'code',
      'access_type'   => 'offline',
      'prompt'        => 'consent',
    }

    tenant = credentials[:client_tenant].presence || 'common'

    uri = URI::HTTPS.build(
      host:  'login.microsoftonline.com',
      path:  "/#{tenant}/oauth2/v2.0/authorize",
      query: params.to_query
    )

    uri.to_s
  end

  def self.authorize_tokens(credentials, authorization_code)
    uri    = authorize_tokens_uri(credentials[:client_tenant])
    params = authorize_tokens_params(credentials, authorization_code)

    response = Net::HTTP.post_form(uri, params)
    if response.code != 200 && response.body.blank?
      Rails.logger.error "Request failed! (code: #{response.code})"
      raise "Request failed! (code: #{response.code})"
    end

    result = JSON.parse(response.body)
    if result['error'] && response.code != 200
      Rails.logger.error "Request failed! ERROR: #{result['error']} (#{result['error_description']}, params: #{params.to_json})"
      raise "Request failed! ERROR: #{result['error']} (#{result['error_description']})"
    end

    result[:created_at] = Time.zone.now

    result.symbolize_keys
  end

  def self.authorize_tokens_params(credentials, authorization_code)
    {
      client_secret: credentials[:client_secret],
      code:          authorization_code,
      grant_type:    'authorization_code',
      client_id:     credentials[:client_id],
      redirect_uri:  ExternalCredential.callback_url('microsoft365'),
    }
  end

  def self.authorize_tokens_uri(tenant)
    URI::HTTPS.build(
      host: 'login.microsoftonline.com',
      path: "/#{tenant.presence || 'common'}/oauth2/v2.0/token",
    )
  end

  def self.refresh_token(token)
    return token if token[:created_at] >= 50.minutes.ago

    params = refresh_token_params(token)
    uri    = refresh_token_uri(token)

    response = Net::HTTP.post_form(uri, params)
    if response.code != 200 && response.body.blank?
      Rails.logger.error "Request failed! (code: #{response.code})"
      raise "Request failed! (code: #{response.code})"
    end

    result = JSON.parse(response.body)
    if result['error'] && response.code != 200
      Rails.logger.error "Request failed! ERROR: #{result['error']} (#{result['error_description']}, params: #{params.to_json})"
      raise "Request failed! ERROR: #{result['error']} (#{result['error_description']})"
    end

    token.merge(result.symbolize_keys).merge(
      created_at: Time.zone.now,
    )
  end

  def self.refresh_token_params(credentials)
    {
      client_id:     credentials[:client_id],
      client_secret: credentials[:client_secret],
      refresh_token: credentials[:refresh_token],
      grant_type:    'refresh_token',
    }
  end

  def self.refresh_token_uri(credentials)
    tenant = credentials[:client_tenant].presence || 'common'

    URI::HTTPS.build(
      host: 'login.microsoftonline.com',
      path: "/#{tenant}/oauth2/v2.0/token",
    )
  end

  def self.user_info(id_token)
    split = id_token.split('.')[1]
    return if split.blank?

    JSON.parse(Base64.decode64(split)).symbolize_keys
  end

end
Maintenance: Update copyright header. 2022-01-01 13:38:12 +00:00			`# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/`
Maintenance: Update copyright information and add a new rubocop cop to watch over it. 2021-06-01 12:20:20 +00:00
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`class ExternalCredential::Microsoft365`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`def self.app_verify(params)`
			`request_account_to_link(params, false)`
			`params`
			`end`

			`def self.request_account_to_link(credentials = {}, app_required = true)`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`external_credential = ExternalCredential.find_by(name: 'microsoft365')`
Fixes #2709, fixes #2666, fixes #2665, fixes #556, fixes #3275 - Refactoring: Implement new translation toolchain based on gettext. - Translations are no longer fetched from the cloud. - Instead, they are extracted from the codebase and stored in i18n/zammad.pot. - Translations will be managed via a public Weblate instance soon. - The translated .po files are fed to the database as before. - It is now possible to change "translation" strings for en-us locally via the admin GUI. - It is no longer possible to submit local changes. 2021-11-15 15:58:19 +00:00			`raise Exceptions::UnprocessableEntity, __('No Microsoft365 app configured!') if !external_credential && app_required`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`if external_credential`
			`if credentials[:client_id].blank?`
			`credentials[:client_id] = external_credential.credentials['client_id']`
			`end`
			`if credentials[:client_secret].blank?`
			`credentials[:client_secret] = external_credential.credentials['client_secret']`
			`end`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`# client_tenant may be empty. Set only if key is nonexistant at all`
			`if !credentials.key? :client_tenant`
			`credentials[:client_tenant] = external_credential.credentials['client_tenant']`
			`end`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`end`

Fixes #2709, fixes #2666, fixes #2665, fixes #556, fixes #3275 - Refactoring: Implement new translation toolchain based on gettext. - Translations are no longer fetched from the cloud. - Instead, they are extracted from the codebase and stored in i18n/zammad.pot. - Translations will be managed via a public Weblate instance soon. - The translated .po files are fed to the database as before. - It is now possible to change "translation" strings for en-us locally via the admin GUI. - It is no longer possible to submit local changes. 2021-11-15 15:58:19 +00:00			`raise Exceptions::UnprocessableEntity, __('No client_id param!') if credentials[:client_id].blank?`
			`raise Exceptions::UnprocessableEntity, __('No client_secret param!') if credentials[:client_secret].blank?`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`authorize_url = generate_authorize_url(credentials)`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`{`
			`authorize_url: authorize_url,`
			`}`
			`end`

			`def self.link_account(_request_token, params)`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`external_credential = ExternalCredential.find_by(name: 'microsoft365')`
Fixes #2709, fixes #2666, fixes #2665, fixes #556, fixes #3275 - Refactoring: Implement new translation toolchain based on gettext. - Translations are no longer fetched from the cloud. - Instead, they are extracted from the codebase and stored in i18n/zammad.pot. - Translations will be managed via a public Weblate instance soon. - The translated .po files are fed to the database as before. - It is now possible to change "translation" strings for en-us locally via the admin GUI. - It is no longer possible to submit local changes. 2021-11-15 15:58:19 +00:00			`raise Exceptions::UnprocessableEntity, __('No Microsoft365 app configured!') if !external_credential`
			`raise Exceptions::UnprocessableEntity, __('No code for session found!') if !params[:code]`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`response = authorize_tokens(external_credential.credentials, params[:code])`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`%w[refresh_token access_token expires_in scope token_type id_token].each do \|key\|`
			`raise Exceptions::UnprocessableEntity, "No #{key} for authorization request found!" if response[key.to_sym].blank?`
			`end`

			`user_data = user_info(response[:id_token])`
Maintenance: Improved translatable source strings. 2022-01-19 13:59:52 +00:00			`raise Exceptions::UnprocessableEntity, __("The user's 'preferred_username' could not be extracted from 'id_token'.") if user_data[:preferred_username].blank?`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`channel_options = {`
			`inbound: {`
			`adapter: 'imap',`
			`options: {`
			`auth_type: 'XOAUTH2',`
			`host: 'outlook.office365.com',`
Fixes #3964 - Selecting custom ports for mail channel ends in 'host not reachable'. 2022-03-03 09:04:12 +00:00			`ssl: 'ssl',`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`user: user_data[:preferred_username],`
			`},`
			`},`
			`outbound: {`
			`adapter: 'smtp',`
			`options: {`
			`host: 'smtp.office365.com',`
			`port: 587,`
			`user: user_data[:preferred_username],`
			`authentication: 'xoauth2',`
			`},`
			`},`
			`auth: response.merge(`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`provider: 'microsoft365',`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`type: 'XOAUTH2',`
			`client_id: external_credential.credentials[:client_id],`
			`client_secret: external_credential.credentials[:client_secret],`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`client_tenant: external_credential.credentials[:client_tenant],`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`),`
			`}`

Fixes #3240 - Allow reauthentication of Google / Microsoft365 accounts. 2020-11-20 13:58:57 +00:00			`if params[:channel_id]`
			`existing_channel = Channel.where(area: 'Microsoft365::Account').find(params[:channel_id])`

			`existing_channel.update!(`
			`options: channel_options,`
			`)`

			`existing_channel.refresh_xoauth2!`

			`return existing_channel`
			`end`

			`migrate_channel = nil`
			`Channel.where(area: 'Email::Account').find_each do \|channel\|`
Fixes #3956 - Migration of the MS365 account fails by upper and lower case differences in email address. 2022-02-10 11:38:31 +00:00			`next if channel.options.dig(:inbound, :options, :host)&.downcase != 'outlook.office365.com'`
			`next if channel.options.dig(:outbound, :options, :host)&.downcase != 'smtp.office365.com'`
Follow up b930827b77736948cf4cb4e82b8f2296d3e014e1 - Fixes #3240 - Fixed key for microsoft migration. 2022-03-28 13:14:52 +00:00			`next if channel.options.dig(:outbound, :options, :user)&.downcase != user_data[:preferred_username].downcase && channel.options.dig(:outbound, :email)&.downcase != user_data[:preferred_username].downcase`
Fixes #3240 - Allow reauthentication of Google / Microsoft365 accounts. 2020-11-20 13:58:57 +00:00
			`migrate_channel = channel`

			`break`
			`end`

Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`if migrate_channel`
			`channel_options[:inbound][:options][:folder] = migrate_channel.options[:inbound][:options][:folder]`
			`channel_options[:inbound][:options][:keep_on_server] = migrate_channel.options[:inbound][:options][:keep_on_server]`

			`backup = {`
			`attributes: {`
			`area: migrate_channel.area,`
			`options: migrate_channel.options,`
			`last_log_in: migrate_channel.last_log_in,`
			`last_log_out: migrate_channel.last_log_out,`
			`status_in: migrate_channel.status_in,`
			`status_out: migrate_channel.status_out,`
			`},`
			`migrated_at: Time.zone.now,`
			`}`

			`migrate_channel.update(`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`area: 'Microsoft365::Account',`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`options: channel_options.merge(backup_imap_classic: backup),`
			`last_log_in: nil,`
			`last_log_out: nil,`
			`)`

			`return migrate_channel`
			`end`

Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Office365 and Google channel: - Enhancement: Refresh Google and Office365 page every 30 seconds to display possible errors. - Refactoring: Removed unused method `ExternalCredentials::Office365.user_aliases`. - Fixes: Technical incompatibility between Google and Office365 causes Google view to break. - Fixes: Broken duplicate Email detection. 2020-10-07 13:21:21 +00:00			`email_addresses = [`
			`{`
			`realname: "#{Setting.get('product_name')} Support",`
			`email: user_data[:preferred_username],`
			`},`
			`]`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`email_addresses.each do \|email\|`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Office365 and Google channel: - Enhancement: Refresh Google and Office365 page every 30 seconds to display possible errors. - Refactoring: Removed unused method `ExternalCredentials::Office365.user_aliases`. - Fixes: Technical incompatibility between Google and Office365 causes Google view to break. - Fixes: Broken duplicate Email detection. 2020-10-07 13:21:21 +00:00			`next if !EmailAddress.exists?(email: email[:email])`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Office365 and Google channel: - Enhancement: Refresh Google and Office365 page every 30 seconds to display possible errors. - Refactoring: Removed unused method `ExternalCredentials::Office365.user_aliases`. - Fixes: Technical incompatibility between Google and Office365 causes Google view to break. - Fixes: Broken duplicate Email detection. 2020-10-07 13:21:21 +00:00			`raise Exceptions::UnprocessableEntity, "Duplicate email address or email alias #{email[:email]} found!"`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`end`

			`# create channel`
			`channel = Channel.create!(`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`area: 'Microsoft365::Account',`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`group_id: Group.first.id,`
			`options: channel_options,`
			`active: false,`
			`created_by_id: 1,`
			`updated_by_id: 1,`
			`)`

			`email_addresses.each do \|user_alias\|`
			`EmailAddress.create!(`
			`channel_id: channel.id,`
			`realname: user_alias[:realname],`
			`email: user_alias[:email],`
			`active: true,`
			`created_by_id: 1,`
			`updated_by_id: 1,`
			`)`
			`end`

			`channel`
			`end`

Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`def self.generate_authorize_url(credentials, scope = 'https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access openid profile email')`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`params = {`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`'client_id' => credentials[:client_id],`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`'redirect_uri' => ExternalCredential.callback_url('microsoft365'),`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`'scope' => scope,`
			`'response_type' => 'code',`
			`'access_type' => 'offline',`
			`'prompt' => 'consent',`
			`}`

Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`tenant = credentials[:client_tenant].presence \|\| 'common'`

Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`uri = URI::HTTPS.build(`
			`host: 'login.microsoftonline.com',`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`path: "/#{tenant}/oauth2/v2.0/authorize",`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`query: params.to_query`
			`)`

			`uri.to_s`
			`end`

Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`def self.authorize_tokens(credentials, authorization_code)`
			`uri = authorize_tokens_uri(credentials[:client_tenant])`
			`params = authorize_tokens_params(credentials, authorization_code)`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`response = Net::HTTP.post_form(uri, params)`
			`if response.code != 200 && response.body.blank?`
			`Rails.logger.error "Request failed! (code: #{response.code})"`
			`raise "Request failed! (code: #{response.code})"`
			`end`

			`result = JSON.parse(response.body)`
			`if result['error'] && response.code != 200`
			`Rails.logger.error "Request failed! ERROR: #{result['error']} (#{result['error_description']}, params: #{params.to_json})"`
			`raise "Request failed! ERROR: #{result['error']} (#{result['error_description']})"`
			`end`

			`result[:created_at] = Time.zone.now`

			`result.symbolize_keys`
			`end`

Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`def self.authorize_tokens_params(credentials, authorization_code)`
			`{`
Followup #3515 - Allow single tenant only application in microsoft 2021-05-18 11:27:02 +00:00			`client_secret: credentials[:client_secret],`
			`code: authorization_code,`
			`grant_type: 'authorization_code',`
			`client_id: credentials[:client_id],`
			`redirect_uri: ExternalCredential.callback_url('microsoft365'),`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`}`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`end`

			`def self.authorize_tokens_uri(tenant)`
			`URI::HTTPS.build(`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`host: 'login.microsoftonline.com',`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`path: "/#{tenant.presence \|\| 'common'}/oauth2/v2.0/token",`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`)`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`end`

			`def self.refresh_token(token)`
Maintenance: Bump rubocop-rails from 2.12.4 to 2.13.0 Bumps [rubocop-rails](https://github.com/rubocop/rubocop-rails) from 2.12.4 to 2.13.0. - [Release notes](https://github.com/rubocop/rubocop-rails/releases) - [Changelog](https://github.com/rubocop/rubocop-rails/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop/rubocop-rails/compare/v2.12.4...v2.13.0) 2022-01-03 09:47:32 +00:00			`return token if token[:created_at] >= 50.minutes.ago`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00
			`params = refresh_token_params(token)`
			`uri = refresh_token_uri(token)`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`response = Net::HTTP.post_form(uri, params)`
			`if response.code != 200 && response.body.blank?`
			`Rails.logger.error "Request failed! (code: #{response.code})"`
			`raise "Request failed! (code: #{response.code})"`
			`end`

			`result = JSON.parse(response.body)`
			`if result['error'] && response.code != 200`
			`Rails.logger.error "Request failed! ERROR: #{result['error']} (#{result['error_description']}, params: #{params.to_json})"`
			`raise "Request failed! ERROR: #{result['error']} (#{result['error_description']})"`
			`end`

Fixes #3411 - Microsoft 365: The refresh token has expired due to inactivity. The token was issued on 2020-11-17T13:30:55.3656422Z and was inactive for 90.00:00:00. 2021-02-25 17:46:39 +00:00			`token.merge(result.symbolize_keys).merge(`
			`created_at: Time.zone.now,`
			`)`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`end`

Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`def self.refresh_token_params(credentials)`
			`{`
Followup #3515 - Allow single tenant only application in microsoft 2021-05-18 11:27:02 +00:00			`client_id: credentials[:client_id],`
			`client_secret: credentials[:client_secret],`
			`refresh_token: credentials[:refresh_token],`
			`grant_type: 'refresh_token',`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`}`
			`end`

			`def self.refresh_token_uri(credentials)`
			`tenant = credentials[:client_tenant].presence \|\| 'common'`

			`URI::HTTPS.build(`
			`host: 'login.microsoftonline.com',`
			`path: "/#{tenant}/oauth2/v2.0/token",`
			`)`
			`end`

Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`def self.user_info(id_token)`
			`split = id_token.split('.')[1]`
			`return if split.blank?`

			`JSON.parse(Base64.decode64(split)).symbolize_keys`
			`end`

			`end`