feat: Implement OAuth Backend App Flow for Email Accounts (backport #27167) #27336
Cherry-pick of dde466b has failed:
To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally
@alexleach could you check if this works as expected for your use case?
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed within 3 days if no further activity occurs, but it only takes a comment to keep a contribution alive :) Also, even if it is closed, you can always reopen the PR when you're ready. Thank you for contributing.
* feat: Implement OAuth Backend App Flow for Email Accounts
* chore: Reformat to satisfy linter
* chore: format
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
---------
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
Co-authored-by: Akhil Narang <me@akhilnarang.dev>
(cherry picked from commit dde466b)
# Conflicts:
# frappe/email/doctype/email_account/email_account.json
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
036a7ab to 690a0be
🎉 This PR is included in version 15.48.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Added a check-box to the Email Account doctype, labelled "Authenticate as Service Principal" (I'm open to suggestions on this one!). This then hides the "Connected User" text box, as the signing in user is the Email Account itself.
New function added to Connected App, `get_backend_app_token`, where it will request an OAuth Access Token, if one doesn't already exist, or if it is expired. Refresh Tokens aren't available for Service Principals, which authenticate just with the App's `client_id` and `client_secret`.
Email Accounts have until now been required to be accessed as a User. We therefore can't use Shared Mailboxes dedicated to Frappe, as Full Access permissions would need to be granted to the user signing into Frappe.
This feature lets Frappe authenticate itself to e.g. Exchange Online, so it can send and receive emails from the Shared Mailbox, without having to delegate Full Access permissions to each user that accesses Frappe.
See #27148 for screenshots of the required setup in Entra ID.
Below are some screenshots of a successfully configured Email Account, that is pulling emails from the IMAP and can send out as the Shared Mailbox as well.
I'm sure some more work may be required before this can be merged. At this stage, I feel like it is now functional, but I'd of course appreciate some help in getting it up to the required standards! 🙂
This is an automatic backport of pull request #27167 done by Mergify.
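The token handling the description above outlines (request an access token when none is cached or the cached one has expired, with no refresh token to fall back on), as an added example that is not code from this pull request or from Frappe. The class `BackendAppTokenCache`, the injected `http_post` callable, the 60-second expiry margin, and the URL, scope and credential values are all assumptions made for illustration.

```python
import time
from urllib.parse import parse_qs, urlencode


class BackendAppTokenCache:
    """Hypothetical holder for an app-only (client credentials) access token."""

    def __init__(self, token_url, client_id, client_secret, scope, http_post,
                 clock=time.time, skew=60):
        self._token_url, self._scope = token_url, scope
        self._client_id, self._client_secret = client_id, client_secret
        self._http_post, self._clock, self._skew = http_post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        now = self._clock()
        # Reuse the cached token until `skew` seconds before it expires.
        if self._token and now < self._expires_at - self._skew:
            return self._token
        # No refresh token exists in this grant: authenticate again with the
        # app's own credentials, sent in the POST body (never in the URL).
        body = urlencode({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "scope": self._scope,
        })
        resp = self._http_post(self._token_url, body)
        if str(resp.get("token_type", "")).lower() != "bearer" or not resp.get("access_token"):
            raise ValueError("token endpoint did not return a bearer access token")
        self._token = resp["access_token"]
        self._expires_at = now + int(resp.get("expires_in", 0))
        return self._token


def fake_token_endpoint():
    """Constructed stand-in for the identity provider, so the example runs offline."""
    calls = []

    def post(url, body):
        calls.append(parse_qs(body))
        return {"token_type": "Bearer", "access_token": f"tok-{len(calls)}",
                "expires_in": 3600}
    return post, calls


if __name__ == "__main__":
    post, calls = fake_token_endpoint()
    cache = BackendAppTokenCache("https://idp.example.invalid/token", "app-id",
                                 "app-secret", "mail.example/.default", post)
    print(cache.get_token(), cache.get_token(), len(calls))
```

Because the client secret is the only credential in this flow, it grants mailbox access on its own; store it encrypted and keep request bodies out of logs.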