284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
34 lines
2.1 KiB
Markdown
34 lines
2.1 KiB
Markdown
# Microsoft Email Hosted OAuth Fallback
|
|
|
|
## Problem
|
|
|
|
Microsoft 365 inbound email OAuth currently requires a tenant Microsoft profile bound to the `email` consumer. Tenants that only configure or revoke MSP SSO login domains cannot use the included Nine Minds hosted Microsoft OAuth application, even though inbound email historically supported hosted/app-level credentials.
|
|
|
|
## Goals
|
|
|
|
- Restore the hosted Nine Minds Microsoft OAuth path for inbound email when no explicit Email Microsoft profile binding exists.
|
|
- Preserve explicit tenant-owned Microsoft email bindings when configured and ready.
|
|
- Keep MSP SSO login-domain claim state independent from inbound email OAuth behavior.
|
|
- Avoid falling back silently when an explicit Email binding exists but points to an invalid or incomplete profile.
|
|
|
|
## Non-goals
|
|
|
|
- Add/delete UI for MSP SSO login-domain claims.
|
|
- Change MSP SSO discovery behavior.
|
|
- Change calendar or Teams Microsoft profile resolution.
|
|
- Migrate existing Microsoft profiles or consumer bindings.
|
|
|
|
## Desired Behavior
|
|
|
|
1. Microsoft inbound email OAuth resolves credentials from the tenant's ready `email` Microsoft profile binding when present.
|
|
2. If no `email` binding exists, the resolver uses app-level hosted Microsoft email credentials from `MICROSOFT_CLIENT_ID`, `MICROSOFT_CLIENT_SECRET`, and optional `MICROSOFT_TENANT_ID` app secrets or environment variables.
|
|
3. If an explicit binding exists but is invalid/archived/missing required secrets, the resolver fails with the binding error instead of hiding the misconfiguration.
|
|
4. Existing OAuth initiation, callback token exchange, and refresh-token flows all use the same resolver behavior.
|
|
|
|
## Acceptance Criteria
|
|
|
|
- A tenant without an Email Microsoft profile binding can initiate Microsoft inbound email OAuth when app-level hosted credentials are configured.
|
|
- A tenant with a ready Email Microsoft profile binding still uses that bound profile.
|
|
- A tenant with an invalid Email binding gets an invalid-profile error rather than fallback.
|
|
- Existing contract tests continue to prove runtime callers use the shared resolver and do not read Microsoft env vars directly.
|