Evolution EWS OAuth2 not authenticating and giving an error

My organization uses Outlook EWS for email, with separate servers for medical center and general use. At home, I access it from my machine running MX Linux 23 and Evolution 3.50.4 (from Flathub). Most of the email access works fine, however I have recurring requests for authentication asking for my login & password. It seems to be associated with adding a co-worker's calendar or attempting to use the address book. It opens a small browser window for entering the login info, then does the 2-factor authentication.

At that point, it gives the following error message:
Failed to obtain access token from address "https://login.microsoftonline.com/common/oauth2/token": Bad Request ({"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid. Trace ID: a3757d35-581f-40d4-8ad4-4d7fed460b00 Correlation ID: c1b7a437-2eab-4eaa-8d98-3341c96ef845 Timestamp: 2024-11-20 09:12:26Z","error_codes":[9002313],"timestamp":"2024-11-20 09:12:26Z","trace_id":"a3757d35-581f-40d4-8ad4-4d7fed460b00","correlation_id":"c1b7a437-2eab-4eaa-8d98-3341c96ef845","error_uri":"https://login.microsoftonline.com/error?code=9002313"})

I can log in to other applications, so I know the login info and 2-factor are correct. How can I correct this error?

At home, I access it from my machine running MX Linux 23 and
Evolution 3.50.4 (from Flathub)

Hi,

Flathub.org has been providing a newer Evolution for some time, the 3.52.x
series. That does not have an influence on your issue, I'm only
mentioning it.

"https://login.microsoftonline.com/common/oauth2/token": Bad Request
({"error":"invalid_grant","error_description":"AADSTS9002313: Invalid
request. Request is malformed or invalid.

If I recall correctly, these "invalid_grant" errors are related to the
Application ID used for the OAuth2. It can be that the app tries to access
some part on the server for which it was not granted access, for which it did
not ask with a proper scope. It sometimes shows up for the Global
Address List, depending on the company settings.

When you open the EWS account Properties->Receiving Email tab, then you
can change the Application ID. There is a link from this tab to a wiki
page, where three different application IDs are listed. Could you try
with the third, please? Read carefully on the wiki page what
should be done with the app ID.

Changing the app ID can be tricky, or rather convincing all the parts
to use the new app ID, especially when the token is saved and when it
works for the other parts. Maybe it will not be that hard in your case,
when you are asked for the (OAuth2) credentials often. The app you
allow access to should be different from Evolution, when you use
the third app ID.

Thinking of it, the wiki page moved recently. I do not know whether it
was before 3.50.4, thus here's the link:

though the GNOME GitLab instance has not been in good shape in the past
days/weeks. You might try to refresh the page several times to get to
the content, if it does not show up on the first open. I see the original
page still works, it's here:
https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2#Available_application_ID

Bye,
Milan

Currently testing it with the second ApplicationID for the Medical Center account. It did not give the error immediately, which is a good sign. I am still using the default settings for my main account.

Error has recurred when requesting the global address list.

Also, it seems like I can’t save the user name and password. Even when the login works, I have to retype it every time, and go through two factor every time. I understand entering credentials on startup or after making changes, but this is ridiculous.

Error has recurred when requesting the global address list.

Hi,

there is a bug filed about the GAL password re-prompt (I cannot
provide you with a link to it, because GNOME GitLab is useless these
days). I agree it's ridiculous, though I cannot reproduce it, thus it's
really hard to diagnose and fix the problem on my side. Thinking of it,
that is at least the problem in the bug, because the "invalid_grant" error
can be a different problem. I'm not sure.

Also, it seems like I can’t save the user name and password.

OAuth2 is not about user name and password; the wizard you go
through is completely provided by the OAuth2 vendor, not by
Evolution. Each site has its own web wizard. Sniffing the web page
for the probably "as expected" names of the web form elements is not good,
nor is it anything that could be done and maintained long term by the
app. The URL contains your user name (as a login_hint), but the web
page may or may not use it, it's up to it.

As an ugly workaround, disable the GAL for the autocompletion, in
Edit->Preferences->Contacts. You won’t be able to get the contacts from
it, though I guess it did not work either, did it?

Alternatively, when you open the corresponding mail account Properties,
does it show in the Receiving Options tab that an offline GAL is used?
It's the last thing on that tab. Try to flip the option, and if it
is checked, then click the "Fetch List" button and pick the GAL to be
synchronized (there is usually only one, but it's possible to have
more). If it is unchecked, it will not access the GAL directly, but it
will still be able to search for the contacts in it, only not in such
detail as with the offline GAL. To make sure these changes take effect,
run evolution --force-shutdown from a terminal, once the changes are
saved.

Bye,
Milan

Clicking fetch list gave me this error:
Failed to locate offline address books.

The reported error was "2000008;reason="The V1AppActAs token doesn't contain the permissions required by the target API for calling app '20460e5d-ce91-49af-a3a5-70b6be7486d1'.";error_category="invalid_grant"".

Hi,
was the option to use offline GAL on or off when you opened the
Properties, please?

The error itself is the same as with the address book, which makes
sense, because it accesses the same resource. From that I guess the
option was on, but I'd like your confirmation. As I mentioned earlier,
you can turn off the option to use the offline GAL, in which case
online lookups will be done with less detailed information, but at
least at the same URL as the rest of the plugin uses, thus this time
without the error.

Bye,
Milan

The option for the offline GAL was checked on.

Hi,
I see, good. Then when you flip it, aka uncheck it, and then run
evolution --force-shutdown, you can search the GAL and it will not
produce the "invalid_grant" error. At least it's what I would expect.

The "invalid_grant" means you did not agree for the app to access that
particular part. It is achieved by using the proper scope in the
OAuth2 requests, which is missing here. I do not know what scope they
require for the offline GAL, though the last time I searched for it I
could not find it (it can be I've not been searching properly).

Bye,
Milan
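The "token doesn't contain the permissions required by the target API" error above is the server comparing the permissions inside the access token with what the GAL endpoint needs. The following is an added example, not part of the thread and not Evolution's own code: it decodes the claims of an access token (without verifying the signature, since the purpose is inspection, not trust) and lists the audience and permissions it carries, so a practitioner can see what the app ID was actually granted before guessing at scopes. The sample token, its app ID, the audience URL and the "required" scope names (in particular OfflineAddressBook.Read) are constructed for illustration; the thread does not say which scope the offline GAL really demands. How to retrieve the token Evolution stored is outside this example.

```python
import base64
import json

# Constructed sample: an unsigned token (alg "none") whose payload only
# mimics the shape of an Azure AD v1 access token for an Exchange resource.
# Every value below is made up; none is a real token, tenant or app ID.
SAMPLE_CLAIMS = {
    "aud": "https://outlook.office365.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-2222-3333-4444-555555555555",
    "scp": "EWS.AccessAsUser.All",
    "upn": "user@example.org",
    "ver": "1.0",
}

# Hypothetical requirement used by the check. The second name is assumed;
# the thread does not state which scope the offline GAL endpoint requires.
REQUIRED_FOR_GAL = {"EWS.AccessAsUser.All", "OfflineAddressBook.Read"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWS with an empty signature, for offline testing only."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


def jwt_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying its signature.

    Diagnostic use only: it shows what a token carries and makes no trust
    decision, which is why signature verification is deliberately skipped.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_permissions(claims: dict) -> set:
    """Delegated permissions are space-separated in 'scp'; app roles in 'roles'."""
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def missing_permissions(claims: dict, required: set) -> set:
    return set(required) - token_permissions(claims)


def audience_matches(claims: dict, resource: str) -> bool:
    """A token minted for one resource (aud) is rejected by a different API."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return resource.rstrip("/") in {a.rstrip("/") for a in auds if a}


def diagnose(token: str, resource: str, required: set) -> dict:
    """Summarise which app the token was issued to and what it is missing."""
    claims = jwt_claims(token)
    return {
        "app_id": claims.get("appid") or claims.get("azp"),
        "audience_ok": audience_matches(claims, resource),
        "granted": sorted(token_permissions(claims)),
        "missing": sorted(missing_permissions(claims, required)),
    }


if __name__ == "__main__":
    tok = make_unsigned_token(SAMPLE_CLAIMS)
    report = diagnose(tok, "https://outlook.office365.com/", REQUIRED_FOR_GAL)
    print(json.dumps(report, indent=2))
```

Run against a real token, "missing" names what the consent screen never granted to that application ID, and "audience_ok" being false points at a token minted for a different resource than the endpoint being called. Because `jwt_claims` skips signature verification, use it only to read a token you already hold, never to decide whether to accept one.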