This is a generalization and adaptation of the fork of UvA-FNWI to get oauth imap working on my machine with the McGill email server. I've added multi-configuration and encryption support. Furthermore token expiration is now being taken into account. This has been hacked together in an afternoon and works for me. No guarantees provided :).
If you want to see this in action with mbsync + msmtp head over
here
The tool is configured by ~/.o365-auth-config.toml (see
config.toml) in this repo. The [security] section has only one
setting, namely the PasswordPath which can point to an optional
password file which is then used to decrypt the stored refresh and
access tokens. The expectation is, that a tool like
agenix provides this file while
the computer is running.
The [default] section contains the OAuth ClientId, the
ClientSecret and the Scopes. I really don't have a clear idea what
those mean, but the values provided by default are taken from
Thunderbird. For a better explanation see the work this is based
on.
For each account one wishes to set up on can optionally add a section
[<account name>] which can override the above values.
The script get_token.py (accessible as o365-get-token if the
home-manager module is enabled) takes an argument <account name> and
launches the authentication flow. Once this has been done, the script
refresh_token.py (accessible as o365-refresh-token) can be called
with the same argument to obtain the currently valid access key. It
automatically refreshes said key upon its expiration. The access key
is printed to stdout and may be fed into mbsync or msmtp.
The flake provides a package which makes the above commands available. It also provides a very basic and ugly home-manager module that allows you to configure those scripts using, who'd have thought it, home-manager.
Simply a add the o365-auth.homeManagerModules.default to your home-manager modules an
programs.o365-auth.enable = true;
programs.o365-auth.passwordPath = config.age.secrets.mail_token_storage_pw.path;should get you started.