SaslMechanismOAuthBearer Class

The OAuth Bearer SASL mechanism.

Inheritance Hierarchy

SystemObject
MailKit.SecuritySaslMechanism
MailKit.SecuritySaslMechanismOAuthBearer

Namespace: MailKit.Security
Assembly: MailKit (in MailKit.dll) Version: 4.3.0

Syntax

Copy

public class SaslMechanismOAuthBearer : SaslMechanism

The SaslMechanismOAuthBearer type exposes the following members.

Constructors

	Name	Description
	SaslMechanismOAuthBearer(NetworkCredential)	Initializes a new instance of the SaslMechanismOAuthBearer class.
	SaslMechanismOAuthBearer(String, String)	Initializes a new instance of the SaslMechanismOAuthBearer class.

Top

Properties

	Name	Description
	Credentials	Get the user's credentials. (Inherited from SaslMechanism)
	IsAuthenticated	Get or set whether the SASL mechanism has finished authenticating. (Inherited from SaslMechanism)
	MechanismName	Get the name of the SASL mechanism. (Overrides SaslMechanismMechanismName)
	NegotiatedChannelBinding	Get whether or not channel-binding was negotiated by the SASL mechanism. (Inherited from SaslMechanism)
	NegotiatedSecurityLayer	Get whether or not a security layer was negotiated by the SASL mechanism. (Inherited from SaslMechanism)
	SupportsChannelBinding	Get whether or not the SASL mechanism supports channel binding. (Inherited from SaslMechanism)
	SupportsInitialResponse	Get whether or not the mechanism supports an initial response (SASL-IR). (Overrides SaslMechanismSupportsInitialResponse)

Top

Methods

	Name	Description
	Challenge(String, CancellationToken)	Decode the base64-encoded server challenge and return the next challenge response encoded in base64. (Inherited from SaslMechanism)
	Challenge(Byte, Int32, Int32, CancellationToken)	Parse the server's challenge token and return the next challenge response. (Overrides SaslMechanismChallenge(Byte, Int32, Int32, CancellationToken))
	ChallengeAsync(String, CancellationToken)	Asynchronously decode the base64-encoded server challenge and return the next challenge response encoded in base64. (Inherited from SaslMechanism)
	ChallengeAsync(Byte, Int32, Int32, CancellationToken)	Asynchronously parse the server's challenge token and return the next challenge response. (Inherited from SaslMechanism)
	Equals	(Inherited from Object)
	Finalize	(Inherited from Object)
	GetHashCode	(Inherited from Object)
	GetType	(Inherited from Object)
	MemberwiseClone	(Inherited from Object)
	Reset	Reset the state of the SASL mechanism. (Inherited from SaslMechanism)
	ToString	(Inherited from Object)
	TryGetChannelBindingToken	Try to get a channel-binding token. (Inherited from SaslMechanism)

Top

Remarks

A SASL mechanism that makes use of a short-lived OAuth Bearer access tokens.

Example

Copy

using System;
using System.Threading;
using System.Threading.Tasks;

using Google.Apis.Util;
using Google.Apis.Util.Store;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Flows;

using MailKit;
using MailKit.Net.Imap;
using MailKit.Security;

namespace OAuth2GMailExample {
    class Program
    {
        const string GMailAccount = "username@gmail.com";

        public static void Main (string[] args)
        {
            using (var client = new ImapClient ()) {
                client.Connect ("imap.gmail.com", 993, SecureSocketOptions.SslOnConnect);
                if (client.AuthenticationMechanisms.Contains ("OAUTHBEARER") || client.AuthenticationMechanisms.Contains ("XOAUTH2"))
                    OAuthAsync (client).GetAwaiter ().GetResult ();
                client.Disconnect (true);
            }
        }

        static async Task OAuthAsync (ImapClient client)
        {
            var clientSecrets = new ClientSecrets {
                ClientId = "XXX.apps.googleusercontent.com",
                ClientSecret = "XXX"
            };

            var codeFlow = new GoogleAuthorizationCodeFlow (new GoogleAuthorizationCodeFlow.Initializer {
                DataStore = new FileDataStore ("CredentialCacheFolder", false),
                Scopes = new [] { "https://mail.google.com/" },
                ClientSecrets = clientSecrets
            });

            // Note: For a web app, you'll want to use AuthorizationCodeWebApp instead.
            var codeReceiver = new LocalServerCodeReceiver ();
            var authCode = new AuthorizationCodeInstalledApp (codeFlow, codeReceiver);

            var credential = await authCode.AuthorizeAsync (GMailAccount, CancellationToken.None);

            if (credential.Token.IsExpired (SystemClock.Default))
                await credential.RefreshTokenAsync (CancellationToken.None);

            // Note: We use credential.UserId here instead of GMailAccount because the user *may* have chosen a
            // different GMail account when presented with the browser window during the authentication process.
            SaslMechanism oauth2;

            if (client.AuthenticationMechanisms.Contains ("OAUTHBEARER"))
                oauth2 = new SaslMechanismOAuthBearer (credential.UserId, credential.Token.AccessToken);
            else
                oauth2 = new SaslMechanismOAuth2 (credential.UserId, credential.Token.AccessToken);

            await client.AuthenticateAsync (oauth2);
        }
    }
}

Copy

using System;
using System.Threading;
using System.Threading.Tasks;

using MailKit;
using MailKit.Net.Imap;
using MailKit.Security;

using Microsoft.Identity.Client;

namespace OAuth2ExchangeExample {
    class Program
    {
        const string ExchangeAccount = "username@office365.com";

        public static void Main (string[] args)
        {
            using (var client = new ImapClient ()) {
                client.Connect ("outlook.office365.com", 993, SecureSocketOptions.SslOnConnect);
                if (client.AuthenticationMechanisms.Contains ("OAUTHBEARER") || client.AuthenticationMechanisms.Contains ("XOAUTH2"))
                    AuthenticateAsync (client).GetAwaiter ().GetResult ();
                client.Disconnect (true);
            }
        }

        static async Task AuthenticateAsync (ImapClient client)
        {
            var options = new PublicClientApplicationOptions {
                ClientId = "Application (client) ID",
                TenantId = "Directory (tenant) ID",
                RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient"
            };

            var publicClientApplication = PublicClientApplicationBuilder
                .CreateWithApplicationOptions (options)
                .Build ();

            var scopes = new string[] {
                "email",
                "offline_access",
                "https://outlook.office.com/IMAP.AccessAsUser.All", // Only needed for IMAP
                //"https://outlook.office.com/POP.AccessAsUser.All",  // Only needed for POP
                //"https://outlook.office.com/SMTP.AccessAsUser.All", // Only needed for SMTP
            };

            var authToken = await publicClientApplication.AcquireTokenInteractive (scopes).WithLoginHint (ExchangeAccount).ExecuteAsync (cancellationToken);
            await publicClientApplication.AcquireTokenSilent (scopes, authToken.Account).ExecuteAsync (cancellationToken);

            // Note: We use authToken.Account.Username here instead of ExchangeAccount because the user *may* have chosen a
            // different Microsoft Exchange account when presented with the browser window during the authentication process.
            SaslMechanism oauth2;

            if (client.AuthenticationMechanisms.Contains ("OAUTHBEARER"))
                oauth2 = new SaslMechanismOAuthBearer (authToken.Account.Username, authToken.AccessToken);
            else
                oauth2 = new SaslMechanismOAuth2 (authToken.Account.Username, authToken.AccessToken);

            await client.AuthenticateAsync (oauth2);
        }
    }
}

Reference

MailKit.Security Namespace