Setting up OAUTH2 Email Integration

Owned by Anthony George
Last updated: Aug 23, 2024 by Thomas Swindells
3 min read

Overview

Phixflow supports OAuth authentication required for accessing email common web email platforms such Office 365 and Google Developer.

In order to operate some initial configuration is required on the email platform and within PhixFlow.

Once the initial configuration is performed, 'Modeller' users can then create their own inbound Email accounts.

System Configuration Setup in PhixFlow

  1. Check the following
    1. Ensure that the System Configuration → System URL field is set to the public URL PhixFlow is accessed on by users.
      1. For example, http://phixflowhost.com/phixflow/
    2. Ensure the secure flag is set on cookies, see Install Tomcat

Host's Application Configuration

  1. Configure the application in Azure, Google Developer or similar.https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
    1. https://learn.microsoft.com/en-us/power-platform/admin/connect-gmail-oauth2
  2. Configuration parameters
    1. The application type is Web.
    2. The redirect URL is yourPhixFlowInstance/receiveTokenAuthentication.htm
      1. For example, http://phixflowhost.com/phixflow/receiveTokenAuthentication.htm

O365 Application configuration

In order to allow PhixFlow to trigger OAuth authentication within an O365 environment an 'Application' has to be made within the O365 tenant. These steps must be performed by someone with at least the Cloud Application Administrator role.

  1. Login to https://entra.microsoft.com/
  2. Select Identity | Applications | App registrations
  3. Select New Registration
  4. Configure
    1. Give it a name,
    2. Account type of: Accounts in this organisation directory only
    3. Redirect URL type Web, url <Base Phixflow Url>/receiveTokenAuthentication.htm (https://example.phixflow.com/phixflow/receiveTokenAuthentication.htm)
    4. Press register
  5. Take a note of the “Application (client) ID”, this is the 'Client ID'
  6. Click “Add a certificate or secret” under Client Credentials and then click “new Client secret”
    1. Give the certificate a name
    2. Set the expires time after which the secret has to be refreshed. Either use the default 180 days, or pick an alternative value such as 730 days.
      1. Ensure you create a new the secret before it expires.
    3. Press Add
    4. Take a note of the 'value', this is the 'Client Secret'

Client Token Configuration in PhixFlow

As an Administrator

  1. In PhixFlow create a Client Token Configuration from the Full Repository.
  2. To allow a user to authenticate choose the User flow
  3. Set the Client ID to the value obtained from Azure/Google
  4. Client Secret to the value obtained from Azure/Google
  5. Google
    1. Auth URL https://accounts.google.com/o/oauth2/v2/auth?prompt=&access_type=offline
      1. For tokens to auto renew set access_type=offline as a parameter in the URL
    2. Token URL https://oauth2.googleapis.com/token
    3. Scopes https://mail.google.com/

    4. Google only sends a refresh token on the first authentication so if you don’t get a refresh token you have to delete the connection from Google and authenticate again.

  6. Microsoft
    1. Base URL https://login.microsoftonline.com/common/ or https://login.microsoftonline.com/{tenantId}
    2. Scopes, recommended setup:
      1. https://outlook.office.com/SMTP.Send https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/IMAP.AccessAsUser.All offline_access openid email

Create an Email Account in PhixFlow

These steps can be performed by a Modeller

  1. Create an Email Account in the Full Repository.
  2. Set Enabled
  3. Set Type to Inbound or Outbound depending on your requirements.
  4. Set Authorisation Type to OAuth2
  5. Select your client token configuration.
  6. Click Authenticate Email Account to perform the authentication process which provides access to your Google/Microsoft account.
    1. POP, IMAP, and SMTP settings for Outlook.com - Microsoft Support
    2. For POP Outlook add to the properties mail.pop3s.auth.xoauth2.two.line.authentication.format=true


O365 Email Account configuration

The following settings are recommended for an O365 email account:

  1. Name: as desired
  2. Enabled: true
  3. Type: as desired, only one outbound email account is supported.
  4. Host: outlook.office365.com
  5. Protocol: IMAP
  6. Encryption: SSL/TLS
  7. Use Default Port: true
  8. Authorisation Type: OAuth 2
  9. Login: Email address
  10. Token Configuration: The appropriate token configuration

Save and click Authenticate Email Account to complete configuration.

Conclusion

Once an initial inbound email account has been created and authenticated, subsequent email accounts can be created without requiring administrator support.