sffoauth
Request a new access_token using an existing refresh_token
(note access_tokens are required to view/mod/zap data but are seldom valid for
more than 1 hour)
sffoauth -z wire/IMAP.GMAIL.OAUTH -c gmail_dotdot_feb17.json -t sff_dotdot -a -D | tee /tmp/sffoAccess-x
Initial build - generate both refresh AND access (Manual process)
sffoauth -z wire/IMAP.GMAIL.OAUTH -c gmail_dotdot_feb17.json -t sff_dotdot -1 -D | tee /tmp/sffoInit-x
Just checking - not much
sffoauth -z wire/IMAP.GMAIL.OAUTH -c gmail_dotdot_feb17.json -t sff_dotdot -k -D | tee /tmp/sffoChk-x
OAuth parameters for imapwiressl, webwiressl and ipbdcastssl
use-oauth: yes/no MUST be YES of course ! default: no
oauth-credentials-file: (file in tables/cert) default: none
oauth-token-file: (name of file to be stored in /fip/fix/goauth) default: none
oauth-scope: (list of one or more scopes, space sep) default: none
oauth-scope:openid https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/sqlservice.login
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/accounts.reauth
oauth-flavour:
or oauth-flavor:
O-Okta, G-Google, M-Microsoft, X-extra default: G
oauth-name: Name if flavour 'X'
oauth-refresh-script:
oauth-refresh-script:/fip/bin/sffoauth -z wire/IMAP.GMAIL.OAUTH -c gmail_dotdot_2022mar7.json -t sff_dotdotmar7 -a -D
These never change ...
oauth-client-fiphdr (2 letter FipHdr code) default: IC
oauth-shared-fiphdr (2 letter FipHdr code) default: IS
oauth-access-fiphdr (2 letter FipHdr code) default: IA
oauth-refresh-fiphdr (2 letter FipHdr code) default: IR
oauth-expiry-fiphdr (2 letter FipHdr code) default: IX
oauth-tenant-fiphdr (2 letter FipHdr code) default: IT
oauth-scope-fiphdr (2 letter FipHdr code) default: IV
oauth-authhost-fiphdr (2 letter FipHdr code) default: IH
oauth-localhost-fiphdr (2 letter FipHdr code) default: IL
oauth-localport-fiphdr (2 letter FipHdr code) default: IP
While flavours Google (for Drive, Docs and Sheets) and Microsoft (for Office365
IMAP) are built in, you might need to tune for others
oauth-step1-host (FipSeq) hostname for initial handshake (to generate an
Access Token)
oauth-step1-uri (FipSeq) uri for initial handshake
oauth-http-ack (FipSeq) HTTP reply/ack for initial handshake
oauth-access-host (FipSeq) Host for Refresh token (or (re)generate an Access
token)
oauth-access-uri (FipSeq) URI for Refresh token (or (re)generate an Access
token)
oauth-access-payload (FipSeq) Payload to (re)generate an Access token
oauth-refresh-payload (FipSeq) Payload for Refresh token
oauth-json-expires Json tag for expires_in token (default 'expires_in')
These are just cosmetic as it is the other Fip programs which look for
access_token or refresh_token
oauth-json-access Json tag for access token (default 'access_token')
oauth-json-refresh Json tag for refresh token (default 'refresh_token')
oauth-json-id Json tag for id token (default 'id_token')
Use these for SSL versions - like OKTA
use-ssl: (yes/no)
use https (use-ssl: yes) or http (no, default) - BUT you cannot have both !
this overrides input switch -SSL
ssl-method: tls tls1 tls1.1 tls1.2 sslv2 sslv3 sslv2and3
Version number to use for TLS/SSL default: 999 for current default (2 or 3)
(only the digits are significant, so add other text to make it readable)
For a 'modern' connection, please do NOT use sslv2, as it is deemed insecure!
If default it will check the available list and pick the highest.
(The default is currently 23, which on a modern server is sslv3 and tls1_2!)
ssl-password: (password)
ssl-passwd: (password) default: none
Optional password if the handshake requires a shared secret
ssl-cert: (name of a PEM certificate file) default: none
ssl-root-cert: (name of a root PEM certificate file) default: none
Optional certificates - held in tables/ssl
ssl-key: (name of a PEM key file) default: none
ssl-verify: yes/no verify certificates default: yes
ssl-ciphers: (list) acceptable ciphers
(use 'openssl ciphers' to list)
default: "HIGH:!aNULL:!kRSA:!SRP:!PSK:!CAMELLIA:!RC4:!MD5:!DSS"
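A pre-deployment check for the use-oauth and ssl-* settings described above, as an added example (not FingerPost code): it parses the text of a parameter file and lists the settings that weaken the token exchange. The plain `name: value` line syntax, the function names and the sample text are assumptions; the SSLv3 and TLS 1.0/1.1 flags go beyond the page's own sslv2 warning.

```python
import re

# Constructed sample parameter text, assuming plain "name: value" lines.
SAMPLE = """\
use-oauth: yes
oauth-flavour: G
ssl-method: sslv2
ssl-verify: no
ssl-ciphers: "HIGH:!aNULL:RC4"
"""

# Digits of ssl-method that pin an obsolete protocol. "2" is the page's own
# warning; "3", "1" and "11" are added here per RFC 7568 and RFC 8996.
OBSOLETE = {"2": "SSLv2", "3": "SSLv3", "1": "TLS 1.0", "11": "TLS 1.1"}
WEAK_CIPHERS = {"ANULL", "ENULL", "NULL", "RC4", "MD5", "DES", "EXPORT", "LOW"}

def parse_params(text):
    """Return {name: value}; a later line for the same name wins."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z0-9-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2).strip('"')
    return params

def audit(params):
    """Return the names of parameters that are set to a risky value."""
    flagged = []
    if not params.get("use-oauth", "no").lower().startswith("y"):
        flagged.append("use-oauth")        # default is no, so OAuth is off
    # Only the digits of ssl-method are significant: tls1.2 -> 12, sslv2and3 -> 23.
    digits = re.sub(r"\D", "", params.get("ssl-method", ""))
    if digits in OBSOLETE:
        flagged.append("ssl-method")       # pinned to an obsolete protocol
    if params.get("ssl-verify", "yes").lower().startswith("n"):
        flagged.append("ssl-verify")       # certificate checks switched off
    for tok in params.get("ssl-ciphers", "").split(":"):
        if tok and tok[0] not in "!-" and tok.lstrip("+").upper() in WEAK_CIPHERS:
            flagged.append("ssl-ciphers")  # list re-enables a weak cipher class
            break
    return flagged

if __name__ == "__main__":
    print(audit(parse_params(SAMPLE)))
```

The negotiated setting (sslv2and3, digits 23) is deliberately not flagged, since the page describes it as picking the highest available version.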
Input switches :
either
-1 : get an access token from scratch (normally expects some manual
interaction using a browser to accept authentication)
or
-a : get an access token using the refresh_token
others :
-D : display the transactions default: no
otherwise the result will be logged in Fip ALL
-n : name of a Parameter file in tables - you must specify subfolder and get
the case right eg wire/IMAPWIRE_GMAIL
-P : Utime/Epoch time in seconds for TESTING/matching only default: MUST use
current time
-w : flavor/flavour - Google (for Gmail) - default
or Microsoft (for Office365)
or OKTA
or X for Extras
or use parameter "oauth-flavour:microsoft" or "oauth-flavor:google"
-z : same as -n
-v : version and exit
Parameter file may have the same contents as a tables/wire/(IMAP) file or
tables/mail/(SMTP) file
Note that skip-balance-group and skip-balance-queue are used by 'sffoauth' to
balance any changes to the tokens
-- TROUBLE-SHOOTING
1. Google - refresh_token is zapped/disappears/is invalid
- log into the Google Console for the Logon
- second tab : https://myaccount.google.com/data-and-privacy
- scroll down to 3rd party apps with account access
REVOKE access to this particular App only
- Cmd window - follow the instructions for generating a new refresh-token
Version Control
0m-t ;mn timeout on thru_socks_proxy ;o 10oct23 okta ;p 15mar25 extra added
;qrst G-svceAccts added
0a-l 18jan22 chj original version ;i 21sep22 added balance ;jkl 20dec22 added
MS Office365 as a flavour
(copyright) 2025 and previous years FingerPost Ltd.