Configure Kofax Import ConnectorConnections TasksAdd connectionsConfigure mailboxesOAuth settings

OAuth settings

Use the following fields to configure the OAuth settings for your mailbox. User name and Protocol fields are populated from the Mailbox settings window.

  1. If the computer on which KC Plug-In is installed is running under a proxy, configure the Proxy settings.

    When using MS Graph with Resource Owner Password Credentials grant type, configure these in the Message Connector Configuration tool.

    Field name Description
    Proxy server address

    IP address or host name of the local proxy server. If this field is empty, local proxy server will not be considered to contact the OAuth authorization server. For Microsoft Exchange Online, this is Microsoft Azure Active Directory.

    User name

    User name of the proxy server.

    Password

    Password to connect to the proxy server.

  2. Configure the following OAuth settings.

    Setting Description
    Authorization server

    Select the required OAuth authorization server.

    For MS Graph, authorization server is always MICROSOFT.

    Manage Click this to add, edit or delete authorization servers using the Manage authorization servers window.
    Grant type

    Select the required grant type:

    • Resource Owner Password Credentials: This option is only available for MS Graph.

    • Authorization Code: This is available for IMAP, POP3 and MS Graph.

    • Client Credentials: This is available for MS Graph.

    Authorization endpoint URL

    The URL to get an authorization code from the authorization server.

    When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.

    This is not required when Grant type is Client Credentials.

    Token endpoint URL

    The URL to get the OAuth tokens, such as, access token, its expiry time.

    When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.

    Scopes

    Scopes are the access permissions to access specific resources. For example read access to user’s mailbox, read/write access to user’s mailbox.

    When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.

    Tenant ID Enter the directory/tenant ID which is generated while creating the tenant in Microsoft Azure Active Directory.
    Client ID or Application ID Enter the Client ID or Application ID which is generated after registering the application in Microsoft Azure Active Directory.
    Authentication Mode Select the required authentication mode:

    Client Secret: This option is available for Client Credentials, Authorization Code, and Resource Owner Password Credentials grant types.

    Certificate Based: This option is available for Client Credentials and Authorization Code grant types.

    Certificate Thumbprint Enter the certificate thumbprint of the client application. As a prerequisite, this client certificate must be installed first on the local machine certificate store (under Local Machine location or Current User location) where the plug-in is installed. Also, the certificate must be uploaded to the cloud client application.
    Client secret Enter the secret string which is generated in the Certificates and secrets section of your application in Microsoft Azure Active Directory. KC Plug-In uses this secret string to prove its identity at the Azure application level when requesting a token.
    Redirect URI

    Enter the redirect URI configured in your Azure Active Directory of your application. The redirect URI specified here must be the one selected in your application in Microsoft Azure Active Directory. You can also specify a custom URI created in Microsoft Azure Active Directory application.

    • This field is applicable only for Authorization code grant.

    • If you want to provide Redirect URI created for Web platform inside Azure portal, then it is mandatory to provide Client Secret.

    • If you want to provide Redirect URI created for Mobile/Desktop platform inside Azure portal, then Client Secret must be left blank.

    Authorization code

    If the authorization server is configured to redirect URI, you must copy the entire URL from the address bar of the browser and paste it into the Authorization code field.

    This field is enabled only for non-Microsoft authorization servers, such as Google.

    Authorize

    Click this button to send all the configured input values to the OAuth authorization server and receive the respective OAuth tokens from it.

    Note the following

    • Resource Owner Password Credentials: This option is not available.

    • Authorization code: Clicking the Authorize button displays a custom browser pop-up for specifying the mailbox user credentials. On a successful validation, server returns the respective OAuth tokens. A successful login message is displayed.

    • Client Credentials: Clicking the Authorize button sends all the configured input values to the OAuth authorization server. On a successful validation, server returns the respective OAuth tokens. A successful login message is displayed.

Following table summarizes the grant types and their respective configuration.

Client Credentials grant Authorization Code grant Resource Owner Password Credentials grant
MS Graph Supported Supported Supported
IMAP over OAuth Not Supported Supported Not Supported
POP3 over OAuth Not supported Supported Not Supported
Authorization endpoint URL NA Mandatory NA
Token endpoint URL Mandatory Mandatory NA
Scopes value in Configure OAuth screen Mandatory Mandatory NA
Configuration of API permissions in Azure portal Mandatory Mandatory Mandatory
Tenant ID Mandatory Mandatory Recommended
Client ID Mandatory Mandatory Mandatory
Client Secret Mandatory Optional (based on Redirect URI Platform) Optional

If Allow public client flows is set to YES, then do not specify the Client secret. Else, Client secret is mandatory. See c_allowpublicclient.html#c_allowpubliclient.

Certificate Thumbprint Mandatory for certificate based authentication mode. Mandatory for certificate based authentication mode. NA
Redirect URI NA Mandatory NA
Username Mandatory Mandatory Mandatory
Password value in KC Plug-In NA NA Mandatory
Mailbox password change impact NA Authorize again in KC Plug-In Update new password in KC Plug-In
Login using a popup window NA Mandatory NA
Authorization level Application level User level User level
Proxy Supported Supported Supported
Polling shared mailboxes Supported Supported Supported
Federation Security Supported only with MS Graph protocol. Supported with MS Graph, IMAP and POP3 protocols. Not Supported