Login with Office 365: Email not verified

Hi there

I’ve created a new Social Login Key for Office 365, and also registered a new app on Azure Portal.

When I try to login to my ERPNext instance using Office 365, it allows me to enter my Office 365 username and password, but after this, I get the error “ValidationError: Email not verified with Office_365”.

I can see in oauth.py that it tries to get a “verified_email” or “verified” property from the session info, but doesn’t:

info = session.get(api_endpoint, params=api_endpoint_args).json()

if not (info.get(“verified_email”) or info.get(“verified”)):
frappe.throw(_(“Email not verified with {0}”).format(provider.title()))

Does this mean I need to somehow verify my email on the Office365 side?

I know @revant_one did fantastic work on the Social Login Keys, thank you! Sorry for the ping, but you’ll probably know the answer to this in seconds.

Full error Traceback:

Traceback (most recent call last):
File “/home/frappe/frappe-bench/apps/frappe/frappe/app.py”, line 66, in application
response = frappe.api.handle()
File “/home/frappe/frappe-bench/apps/frappe/frappe/api.py”, line 56, in handle
return frappe.handler.handle()
File “/home/frappe/frappe-bench/apps/frappe/frappe/handler.py”, line 21, in handle
data = execute_cmd(cmd)
File “/home/frappe/frappe-bench/apps/frappe/frappe/handler.py”, line 56, in execute_cmd
return frappe.call(method, **frappe.form_dict)
File “/home/frappe/frappe-bench/apps/frappe/frappe/init.py”, line 1027, in call
return fn(*args, **newargs)
File “/home/frappe/frappe-bench/apps/frappe/frappe/integrations/oauth2_logins.py”, line 28, in login_via_office365
login_via_oauth2_id_token(“office_365”, code, state, decoder=json.loads)
File “/home/frappe/frappe-bench/apps/frappe/frappe/utils/oauth.py”, line 114, in login_via_oauth2_id_token
info = get_info_via_oauth(provider, code, decoder, id_token=True)
File “/home/frappe/frappe-bench/apps/frappe/frappe/utils/oauth.py”, line 146, in get_info_via_oauth
frappe.throw(_(“Email not verified with {0}”).format(provider.title()))
File “/home/frappe/frappe-bench/apps/frappe/frappe/init.py”, line 352, in throw
msgprint(msg, raise_exception=exc, title=title, indicator=‘red’)
File “/home/frappe/frappe-bench/apps/frappe/frappe/init.py”, line 338, in msgprint
_raise_exception()
File “/home/frappe/frappe-bench/apps/frappe/frappe/init.py”, line 311, in _raise_exception
raise raise_exception(msg)
ValidationError: Email not verified with Office_365

I think others have had problems with getting emails to work with office 365.

Check the forums in case there are any ideas or solutions.

Signing in with Office 365 works if I comment out these lines from frappe/frappe/utils/oauth.py

if not (info.get("verified_email") or info.get("verified")):
	frappe.throw(_("Email not verified with {0}").format(provider.title()))

After further investigation, it doesn’t seem that Microsoft sends a claim called “verified_email” or “verified” in their ID Token:
https://docs.microsoft.com/en-au/azure/active-directory/develop/id-tokens#payload-claims

If I print out the ID Token during the sign in process to my ERPNext instance, I see the following:

{
“upn”:“dirk@xxxxx.co.za”,
“family_name”:“van der Laarse”,
“sub”:“xxxxxxxxxxxxxxxxxxxxxxxxxx”,
“uti”:“xxxxxxxxxxxxxxx-xxxxx”,
“ver”:“1.0”,
“aud”:“xxxx-xxx-xxxx-xxxx-xxxxxxxx”,
“iss”:“https://sts.windows.net/xxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx/”,
“oid”:“xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx”,
“ipaddr”:“xxx.x.x.xxx”,
“unique_name”:“dirk@xxxx.co.za”,
“given_name”:“xxxx”,
“exp”:1554844213,
“tid”:“xxxxxxxx-xxxx-xxx-xxxx-xxxxx”,
“iat”:1554840313,
“amr”:[
“pwd”
],
“nbf”:xxxxxxxxx,
“name”:“xxxxxxxxxxxxxx”
}

Which confirms that there isn’t a “verified” key to check. I’ll raise an issue for this

3 Likes

Hi @dirkvdl16,

Found and resolved this issue. You need to add an optional claim in the Azure settings.

Go to App Registrations → Token Configuration Preview → add the “email” optional claim in that menu. Not sure which of the 3 types (SAML, Access, ID) were actually necessary, but we added all 3 and it works.

Good luck!
James

6 Likes

Awesome, thanks @JamesE!
@marynvdl FYI

Hi, is it possible to describe this a little bit better with screenshots? I have the same problem but cannot find this option in Azure. Thank you.

Have a look at this link @Curt.Beck: https://developer.microsoft.com/en-us/graph/blogs/now-available-azure-ad-app-registrations-token-configuration-preview-simplifies-management-of-optional-claims/

Thank you for the link. I have no Litware HR app, and I don’t think it’s responsible to get emails with office 365 work. I’m no professional software developer. I just want to use ERPNext! Already the installtion was a mess for me :hot_face:. Please can you post some screenshots with all options necessary to set? I think Office 365 is used from a lot of users. So maybe we can create a guide for all people out there.

Thank you.

Well, that was just an example put out by Microsoft. In order to connect Azure to ERPNext, you need to create an app to connect the two.

Please can you describe it in detail? What is the name off the app? I don’t find ERPNext under ERP.

https://frappe.io/docs/user/en/guides/deployment/how-to-enable-social-logins#office-365

The app is not at ERPNext end. It has to be created at Azure end

This works if your Office email is your primary email. If you’re using an organisational account and have a primary email linked, it will use that instead.

I found commenting out if not (info.get("verified_email") or info.get("verified")): frappe.throw(_("Email not verified with {0}").format(provider.title()))

as suggested by @dirkvdl16 is sufficient, not a security risk as you need to verify your email before you can use O365 in the first place

1 Like

Worked for me. Thanks !