# OAuth IMAP

## Sources

| Download                                            | Sources                                    |
| --------------------------------------------------- | ------------------------------------------ |
| <https://github.com/pluginsGLPI/oauthimap/releases> | <https://github.com/pluginsGLPI/oauthimap> |

{% hint style="info" %}
Microsoft is gradually removing the TLS 1.0 and 1.1 protocols for all Microsoft 365 applications. In order to keep your collector running, you need to add the **Oauth IMAP** plugin, which is available in the marketplace.
{% endhint %}

{% hint style="info" %}
The OAuth tokens for the collector, retrieved during authentication with Azure by the Oauth IMAP plugin, are "offline" tokens that delegate authorisation to a third-party application (GLPI). These tokens provide a renewal code that the application uses to renew them automatically, without user intervention. You will therefore not be asked to re-authenticate after the first authorisation request.
{% endhint %}

***

## Requirements (self-hosted)

| GLPI Version | Minimum PHP | Recommended |
| ------------ | ----------- | ----------- |
| 10.0.x       | 8.1         | 8.2         |
| 11.0.x       | 8.2         | 8.4         |

{% hint style="info" %}
This plugin is available without a [GLPI Network](https://services.glpi-network.com/#offers) subscription. It is also available on [GLPI Cloud](https://glpi-network.cloud).
{% endhint %}

***

## Supported mail services

OAuth IMAP is supported for:

* Gmail: <https://developers.google.com/gmail/imap/xoauth2-protocol?hl=fr>
* Entra: <https://learn.microsoft.com/fr-fr/power-platform/admin/connect-gmail-oauth2>
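Both services accept the OAuth access token over IMAP through the SASL XOAUTH2 mechanism described in the Gmail link above. The following added example (not part of the plugin's code) builds the client's initial response and decodes the base64 JSON error challenge that the Gmail documentation describes, which helps when a collector fails to authenticate; the account, token and challenge are constructed sample values.

```python
import base64
import json

# Constructed sample values, not real credentials.
SAMPLE_USER = "collector@example.com"
SAMPLE_TOKEN = "constructed-access-token"
SAMPLE_CHALLENGE = base64.b64encode(json.dumps(
    {"status": "401", "schemes": "bearer", "scope": "https://mail.google.com/"}
).encode()).decode()


def xoauth2_initial_response(user, access_token):
    """Build the base64 string sent after 'AUTHENTICATE XOAUTH2'."""
    # A control character in either field would break the Ctrl-A delimited frame.
    for value in (user, access_token):
        if not value or any(ord(ch) < 0x20 for ch in value):
            raise ValueError("empty value or control character in XOAUTH2 field")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_failure_challenge(challenge_b64):
    """Decode the base64 JSON a server returns when it rejects the token."""
    try:
        data = json.loads(base64.b64decode(challenge_b64, validate=True))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {"status": "unparseable"}
    return data if isinstance(data, dict) else {"status": "unparseable"}


def redact(sasl_b64):
    """Safe form for logs: the encoded string contains the bearer token."""
    return f"<xoauth2 {len(sasl_b64)} bytes redacted>"


if __name__ == "__main__":
    line = xoauth2_initial_response(SAMPLE_USER, SAMPLE_TOKEN)
    print("C: A1 AUTHENTICATE XOAUTH2", redact(line))
    print("S: +", decode_failure_challenge(SAMPLE_CHALLENGE))
```

The encoded string is only base64, not encryption, so it should be treated like the bearer token itself and kept out of debug logs.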

***

## Install the plugin

* Go to the marketplace. Download **Oauth IMAP** and enable it.

<div align="left"><figure><img src="/files/JB0sbWv5ZAs7I0OOymyj" alt="images/oauth-imap-1.png"><figcaption></figcaption></figure></div>

* Open the [Azure Portal](https://portal.azure.com/#home) for your tenant
* In the search box, type **registration**
* Then select **App registrations**

<div align="left"><figure><img src="/files/ClAhZc3pW15wtohQXpqK" alt="images/oauth-imap-2.png"><figcaption></figcaption></figure></div>

The configuration steps, including those on the Entra side, are described below.

***

## Receiver with Entra

### Register your Entra application

#### Create the application

* Click on **New registration**
* Enter the desired name, select the supported account type, then enter the redirect URL with the **Web** option selected. The URL is shown in the plugin configuration in your GLPI interface: <https://XXXXXXXXXXXXXX/marketplace/oauthimap/front/authorization.callback.php>
* Then click on **Register**.

<figure><img src="/files/MUEN3KIwUwIPmQNVH5KS" alt="images/oauth-imap-3.png"><figcaption></figcaption></figure>

#### Add a secret

* In the **Certificates and secrets** tab
* Click on **Client secrets**
* Then **New client secret**

<figure><img src="/files/AuI5ILXfD6zu0B0HoymD" alt="images/oauth-imap-4.png"><figcaption></figcaption></figure>

* Enter a description and then an expiration date
* A secret **value** is then generated. Store this value securely: once you leave this page, it can no longer be retrieved.

<div align="left"><figure><img src="/files/iCOjfOcLZXBrb8lqaIMw" alt="images/oauth-imap-5.png"><figcaption></figcaption></figure></div>

* Return to the **Overview** tab and **copy** the following values and the secret seen above

<div align="left"><figure><img src="/files/M3h4WQWpRKDwgNORLJbN" alt="images/oauth-imap-6.png"><figcaption></figcaption></figure></div>

#### Add API permissions

* In the **API Permissions** tab
* Click on **your API** (Microsoft Graph in this case)
* Then select **Delegated permission**
* Select:
  * email
  * offline\_access
  * openid
  * profile
  * IMAP.AccessAsUser.All

<figure><img src="/files/QwyrAVBcw4YwC4EPTYLe" alt="images/oauth-imap-11.png"><figcaption></figcaption></figure>
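To confirm that consent granted these delegated permissions and nothing broader, the token response from a test authorization can be audited. This is an added example, not the plugin's code; it assumes the JSON token response is available as a Python dict, and both sample responses are constructed.

```python
# Delegated permissions listed in this section, compared case-insensitively.
EXPECTED = {"email", "offline_access", "openid", "profile", "imap.accessasuser.all"}


def audit_grant(resp):
    """Check a token-endpoint JSON response against the permissions above."""
    errors = []
    if str(resp.get("token_type", "")).lower() != "bearer":
        errors.append("token_type is not Bearer")
    if not resp.get("access_token"):
        errors.append("no access_token")
    # offline_access is what yields a refresh token; without one the
    # collector stops working when the access token expires.
    if not resp.get("refresh_token"):
        errors.append("no refresh_token (offline_access not granted)")
    # Scopes are space-separated and may be URL-qualified, so keep only
    # the last path segment of each.
    scopes = str(resp.get("scope", "")).split()
    names = [s.rstrip("/").rsplit("/", 1)[-1] for s in scopes]
    if "imap.accessasuser.all" not in {n.lower() for n in names}:
        errors.append("IMAP.AccessAsUser.All not granted")
    # Anything beyond the documented list is more access than the collector needs.
    extra = sorted(n for n in names if n.lower() not in EXPECTED)
    return {"errors": errors, "extra_scopes": extra}


# Constructed sample responses (token values are placeholders).
GOOD = {
    "token_type": "Bearer",
    "access_token": "constructed-access",
    "refresh_token": "constructed-refresh",
    "scope": "https://outlook.office.com/IMAP.AccessAsUser.All openid profile email",
}
BAD = {
    "token_type": "Bearer",
    "access_token": "constructed-access",
    "scope": "openid profile https://graph.microsoft.com/Mail.ReadWrite",
}

if __name__ == "__main__":
    for name, resp in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_grant(resp))
```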

***

### Setup GLPI

* Now go back to your GLPI interface, **Setup > Application Oauth IMAP**, and enter the information collected previously:

<figure><img src="/files/9cmZ1V715j1bdbZaxHoH" alt="images/oauth-imap-7.png"><figcaption></figcaption></figure>

* Click **Add**
* Now in the **Oauth authorization** tab, click **Create an authorization**

<div align="left"><figure><img src="/files/pXf8tAQhpjcQLDp5gRjz" alt="images/oauth-imap-8.png"><figcaption></figcaption></figure></div>

* When you click on **Create authorization**, you will be redirected to the Microsoft services sign-in page
* Enter the email address and password of the account that will be used for the collector
* You will also need to accept the necessary permissions related to the plugin.

<div align="left"><figure><img src="/files/gvXo6YOlDZFjKnaRFYBq" alt="images/oauth-imap-9.png"><figcaption></figcaption></figure></div>

<figure><img src="/files/CU4KgKTfX9foPxyFeDCf" alt="images/oauth-imap-10.png"><figcaption></figcaption></figure>

***

## Receiver with Google

### Creating a project

* From your [Google console](https://console.cloud.google.com/) (administrator access is required), go to your organisation, then create a new project

![New project creation](/files/mm8e3Fgrs5F9QcObAmHj)

* Enter the name of your project
* Click on **`Create`**

<div align="left"><img src="/files/AYl8i0g1rnJmSh0E7oCM" alt="Validation of new project"></div>

* Return to your organisation
* Select your project

![Select the new project](/files/R7k1kFrBRbd9kIUKb5YH)

***

### Setting up Oauth access

* From the menu, click on **`APIs & Services`**.
* Then **`OAuth consent screen`**

<div align="left"><img src="/files/0nZjz3lgU22fYq7kBlAQ" alt="Oauth consent screen"></div>

#### Application Information

* From the preview, click **`Get started`**
* Enter the application name and the user support email (users will be able to contact you with questions regarding their consent)

<figure><img src="/files/Gw3YQJL3T4QSIVmfAmzp" alt=""><figcaption><p>Application information</p></figcaption></figure>

#### Audience

* Indicate which type of audience will be able to use this application (here internal, because the user who will be using the IMAP services is a user of the organization)

<figure><img src="/files/3tC6cnD7xHpLMTlB3bUE" alt=""><figcaption><p>Audience settings</p></figcaption></figure>

#### Contact information

* Enter the contact name (this contact is notified of changes made to the application)

<figure><img src="/files/Xji6kIGhzjjiwq6SJlya" alt=""><figcaption><p>Contact information</p></figcaption></figure>

***

### Google API Services User Data Policy

* Accept the Google API Services User Data Policy and click **`Continue`** and **`Create`**

<figure><img src="/files/ImJxKfPv333tk7GSzTl0" alt=""><figcaption><p>Application finalization</p></figcaption></figure>

***

### Creating a Client

#### Application Type

You now need to create an application client that will connect Google to your GLPI instance using an application ID and a client secret.

* In the **Clients** tab, click **`Create a client`**.
* Select **Web Application** as the application type.
* Enter a name for your application.

<figure><img src="/files/5GkCHJ88NZNoHI14CI3u" alt=""><figcaption><p>Added the web application</p></figcaption></figure>

#### Authorised redirect URIs

The return URL must be specified in this section. This URL is found in GLPI under **`Setup`** > **`OAuth IMAP`** > **`+ Add`**.

<figure><img src="/files/e6voJ6OUtXmMWmCflbUa" alt=""><figcaption><p>Retrieving the callback URL</p></figcaption></figure>

* Enter this URL in the **Authorised redirect URIs** section of your application.

<div align="left"><figure><img src="/files/cWtuysE35bTnrytknhhI" alt=""><figcaption><p>Inserting the return URL</p></figcaption></figure></div>

* Click **`Create`** to validate your application

***

### Application information

{% hint style="warning" %}
In the next step, the **client secret** will be displayed. Once you leave this screen, it will no longer be available. Remember to save it in a safe place.
{% endhint %}

The application is now created. The screen displays the application ID and the client secret, which you will need to enter in GLPI.

<div align="left"><figure><img src="/files/gDquUDrOWa10NspU3B99" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/kHQQUoKk1gQNQjBqrQKm" alt=""><figcaption><p>Information entered in GLPI</p></figcaption></figure>

***

### Finalizing GLPI configuration

Once your application information is entered in GLPI and your application is active, you can click on **`+ Add`**.

<figure><img src="/files/voqbaS1voKzmjRQ4XN7e" alt=""><figcaption><p>OAuth IMAP application created</p></figcaption></figure>

#### OAuth Authorization

OAuth authorization is required for GLPI to use the IMAP services for the mailbox in question.

* From the **OAuth Authorization** tab, click **`+ Create authorization`**.
* Specify the account authorized to use the IMAP services.

<figure><img src="/files/JAckdZVGjScReJjP1vEm" alt=""><figcaption><p>OAuth Authorization</p></figcaption></figure>

***

### Receiver configuration

* From **`Configuration`** > **`Receivers`** > **`+ Add`**
* Specify the server **`imap.google.com`**
* In **Connection options**, select the previously created **IMAP OAuth** application
* In Username, select the user with OAuth permissions

<figure><img src="/files/Xl7D7nzCsBbIeevCeieJ" alt=""><figcaption><p>Receiver configuration</p></figcaption></figure>

***

## FAQ

If you have any questions about using the plugin, please consult our FAQ

<a href="/spaces/SvoJ3lioglS2UZLcWWyP/pages/YK1lNT4LssJXpfQVmRE0" class="button secondary">Go to FAQ</a>


