Description
Thank you for adding support for the Client Credentials grant flow which makes our life much easier.
I tried to protect the password that is used between the proxy and the client. If a user enters a wrong password, the access token is dropped and a new one is retrieved. When I activated the option encrypt_client_secret_on_first_use, some nasty things happened:
At first, it is possible to authenticate and use the proxy as before. When a wrong password is used, the access token is deleted and the proxy starts to loop. Restarting the application helps, but the encrypted client secret cannot be used, and so the account configuration becomes unusable.
The log file looks like this:
2023-12-14 14:26:23,046: New incoming connection to POP server at 127.0.0.1:1995 (unsecured) proxying outlook.office365.com:995 (SSL/TLS)
2023-12-14 14:26:23,047: Ignoring incoming connection to POP server at 127.0.0.1:1995 (unsecured) proxying outlook.office365.com:995 (SSL/TLS) - no connection information
2023-12-14 14:26:23,101: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) --> [ Client connected ]
2023-12-14 14:26:23,138: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) <-> [ Starting TLS handshake ]
2023-12-14 14:26:23,156: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) <-> [ TLSv1.2 handshake complete ]
2023-12-14 14:26:23,202: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+OK The Microsoft Exchange POP3 service is ready. [...]\r\n'
2023-12-14 14:26:23,202: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+OK The Microsoft Exchange POP3 service is ready. [...]\r\n'
2023-12-14 14:26:31,824: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) --> b'user mail.address@company.com\r\n'
2023-12-14 14:26:31,824: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+OK\r\n'
2023-12-14 14:26:36,215: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) --> b'pass [[ Credentials removed from proxy log ]]\r\n'
2023-12-14 14:26:36,215: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) --> b'AUTH XOAUTH2\r\n'
2023-12-14 14:26:36,230: POP (127.0.0.1:50250-{127.0.0.1:1995}-outlook.office365.com:995) <-- b'+ \r\n'
2023-12-14 14:26:37,542: Retrying login due to exception while decrypting OAuth 2.0 credentials for mail.address@company.com (invalid password): InvalidToken()
2023-12-14 14:26:38,593: Retrying login due to exception while decrypting OAuth 2.0 credentials for mail.address@company.com (invalid password): InvalidToken()
2023-12-14 14:26:40,073: Retrying login due to exception while decrypting OAuth 2.0 credentials for mail.address@company.com (invalid password): InvalidToken()
2023-12-14 14:26:41,137: Retrying login due to exception while decrypting OAuth 2.0 credentials for mail.address@company.com (invalid password): InvalidToken()
This continues forever - even after closing the connection.
Do you have any idea how I could get a local password which is checked by the proxy? (and still use the client credentials flow)
Thank you
tom
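
A sketch of the kind of local password check asked about above, added here as an example; it is not part of the original post and not the proxy's own code. It assumes a salted PBKDF2 verifier stored alongside the account settings, so a wrong password is rejected as a permanent failure before the cached token or stored secret is touched; `LocalAccount`, `fetch_token` and the verifier layout are hypothetical names.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # constructed value for this example

def make_verifier(password: str) -> dict:
    """Salted PBKDF2 verifier, stored next to the account settings."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def password_matches(verifier: dict, password: str) -> bool:
    """Recompute the digest and compare in constant time."""
    salt = bytes.fromhex(verifier["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(verifier["hash"]))

class LocalAccount:
    """Hypothetical account state; not the proxy's own data model."""

    def __init__(self, password: str, fetch_token):
        self.verifier = make_verifier(password)
        self.fetch_token = fetch_token  # callable doing the client credentials request
        self.access_token = None

    def login(self, password: str) -> str:
        # A wrong password is a permanent failure: reject it before touching
        # the cached token or the stored secret, and never retry.
        if not password_matches(self.verifier, password):
            return "-ERR Authentication failed"
        if self.access_token is None:
            self.access_token = self.fetch_token()
        return "+OK"

def demo() -> dict:
    calls = []
    def fake_fetch():  # constructed stand-in for the token endpoint
        calls.append(1)
        return "token-%d" % len(calls)
    account = LocalAccount("correct horse", fake_fetch)
    first = account.login("correct horse")
    wrong = account.login("wrong guess")   # rejected, token stays cached
    again = account.login("correct horse")
    return {"first": first, "wrong": wrong, "again": again,
            "token": account.access_token, "fetches": len(calls)}
```

In `demo()`, the wrong password neither discards the cached token nor triggers a second token request, which is the behaviour that avoids the loop shown in the log.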