OAUTH

One of RSI's processes is monitoring a primary email address for a client and performing various operations on incoming messages, including scanning attachments. A primary crux of the process is the authorization protocol used to provide process access to incoming messages.  Recently RSI updated to OAUTH 2.0, the industry standard for online authorization.
Written by myrsi
posted on October 30th 2023

One of Realized Solutions processes is monitoring a primary email address for a client and performing various operations on incoming messages, including scanning attachments. A primary crux of the process is the authorization protocol used to provide process access to incoming messages.  Recently RSI updated to OAUTH 2.0, the industry standard for online authorization. Previously, our authorization had only served as a method that passed a user login to the exchange server. OAUTH 2.0 utilizes access tokens and authorization codes established ahead of time with the server needed to make the connection, in our case the email address. The codes are supplied to the process so the access token can be returned to the process by the authorization server, a connection can be made appropriately, and the messages are completed. The token is an undefined format of data the process sends back to the server with the appropriate credentials to gain access.

There are several OAUTH credentials that can be used to gain access to the token associated with the email account, a value associated with the authorization established with the server, and a unique client ID to identify the generic user gaining access. Also, authorization codes are used with or without a Proof key based on how secure the connection is required to be. Implicit grants exist with OAUTH that allow for the access token to be passed directly to the process we run from the email server, along with an authorization in which a resource owner can pass their specific credentials to the server.

The OAUTH acts as its own server between the process requesting access to the emails and the email Exchange server that holds the emails in question. To establish the OAUTH server, RSI established an application within Microsoft Azure that could both have the inherent permission to access the email Exchange server and could be used to create other applicable codes. The process is reworked to ask the application for permission by passing the token and client ID’s back to the server along with the email address we wish to access.