Problem with Outlook.com

[silas229]

It seems that Basic Authentication is generally disabled, and I couldn't get it to work with app passwords either, despite following the instructions here.

So, I created an Entra ID app (with signInAudience AzureADandPersonalMicrosoftAccount) for OAuth2. This is my configuration:

email = "example@outlook.com"

backend.type = "imap"
backend.host = "outlook.office365.com"
backend.port = 993
backend.login = "example@outlook.com"
backend.encryption.type = "tls"
backend.auth.type = "oauth2"
backend.auth.method = "xoauth2"
backend.auth.client-id = "*****"
backend.auth.auth-url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
backend.auth.token-url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
backend.auth.pkce = true
backend.auth.redirect-scheme = "http"
backend.auth.redirect-host = "localhost"
backend.auth.redirect-port = 49152
backend.auth.scopes = ["IMAP.AccessAsUser.All", "offline_access"]
backend.auth.client-secret.keyring = "outlook-imap-oauth2-client-secret"
backend.auth.access-token.keyring = "outlook-imap-oauth2-access-token"
backend.auth.refresh-token.keyring = "outlook-imap-oauth2-refresh-token"

message.send.backend.type = "smtp"
message.send.backend.host = "smtp-mail.outlook.com"
message.send.backend.port = 587
message.send.backend.login = "example@outlook.com"
message.send.backend.encryption.type = "start-tls"
message.send.backend.auth.type = "oauth2"
message.send.backend.auth.method = "xoauth2"
message.send.backend.auth.client-id = "*****"
message.send.backend.auth.auth-url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
message.send.backend.auth.token-url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
message.send.backend.auth.pkce = true
message.send.backend.auth.redirect-scheme = "http"
message.send.backend.auth.redirect-host = "localhost"
message.send.backend.auth.redirect-port = 49152
message.send.backend.auth.scopes = ["SMTP.Send", "offline_access"]
message.send.backend.auth.client-secret.keyring = "outlook-smtp-oauth2-client-secret"
message.send.backend.auth.access-token.keyring = "outlook-smtp-oauth2-access-token"
message.send.backend.auth.refresh-token.keyring = "outlook-smtp-oauth2-refresh-token"

Please note that I had to adjust the scopes. Without offline_access, no refresh token is generated. You might want to reflect this in the docs.

WARN email::imap: authentication failed, refreshing access token and retrying…
Error:
   0: cannot build IMAP client
   1: cannot authenticate to IMAP server using SASL XOAUTH2 mechanism
   2: cannot resolve IMAP task
   3: unexpected NO response: AUTHENTICATE failed.

Verbose log

2026-01-30T20:50:52.354213Z DEBUG keyring::service: define global service name name="himalaya-cli"
2026-01-30T20:50:52.364594Z DEBUG keyring: creating entry with service himalaya-cli, user outlook-imap-oauth2-client-secret, and no target
2026-01-30T20:50:52.364614Z DEBUG keyring: created entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-imap-oauth2-client-secret" }
2026-01-30T20:50:52.364618Z DEBUG keyring: creating entry with service himalaya-cli, user outlook-imap-oauth2-access-token, and no target
2026-01-30T20:50:52.364621Z DEBUG keyring: created entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-imap-oauth2-access-token" }
2026-01-30T20:50:52.364623Z DEBUG keyring: creating entry with service himalaya-cli, user outlook-imap-oauth2-refresh-token, and no target
2026-01-30T20:50:52.364625Z DEBUG keyring: created entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-imap-oauth2-refresh-token" }
2026-01-30T20:50:52.364770Z DEBUG keyring: creating entry with service himalaya-cli, user outlook-smtp-oauth2-client-secret, and no target
2026-01-30T20:50:52.364780Z DEBUG keyring: created entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-smtp-oauth2-client-secret" }
2026-01-30T20:50:52.364784Z DEBUG keyring: creating entry with service himalaya-cli, user outlook-smtp-oauth2-access-token, and no target
2026-01-30T20:50:52.364786Z DEBUG keyring: created entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-smtp-oauth2-access-token" }
2026-01-30T20:50:52.364789Z DEBUG keyring: creating entry with service himalaya-cli, user outlook-smtp-oauth2-refresh-token, and no target
2026-01-30T20:50:52.364791Z DEBUG keyring: created entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-smtp-oauth2-refresh-token" }
2026-01-30T20:50:52.365214Z  INFO himalaya::email::envelope::command::list: executing list envelopes command
2026-01-30T20:50:52.368302Z DEBUG email::imap: building 1 IMAP clients
2026-01-30T20:50:52.560913Z DEBUG client::build: rustls::client::hs: No cached session for DnsName("outlook.office365.com")
2026-01-30T20:50:52.562479Z DEBUG client::build: rustls::client::hs: Not resuming any session
2026-01-30T20:50:52.672789Z DEBUG client::build: rustls::client::hs: ALPN protocol is None
2026-01-30T20:50:52.672841Z DEBUG client::build: rustls::client::hs: Using ciphersuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2026-01-30T20:50:52.673121Z DEBUG client::build: rustls::client::tls12::server_hello: Server may staple OCSP response
2026-01-30T20:50:52.673487Z DEBUG client::build: rustls::client::tls12: ECDHE curve is EcParameters { curve_type: NamedCurve, named_group: secp384r1 }
2026-01-30T20:50:52.673677Z DEBUG client::build: rustls::client::tls12: Server DNS name is DnsName("outlook.office365.com")
2026-01-30T20:50:52.907120Z DEBUG client::build: email::imap: using OAuth 2.0 authentication
2026-01-30T20:50:52.907213Z DEBUG client::build: email::imap: using XOAUTH2 auth mechanism
2026-01-30T20:50:52.907349Z DEBUG client::build: keyring: get keyring secret key="outlook-imap-oauth2-access-token"
2026-01-30T20:50:52.908210Z DEBUG keyring: get password from entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-imap-oauth2-access-token" }
2026-01-30T20:50:53.571256Z  WARN client::build: email::imap: authentication failed, refreshing access token and retrying…
2026-01-30T20:50:53.571320Z DEBUG client::build: keyring: get keyring secret key="outlook-imap-oauth2-client-secret"
2026-01-30T20:50:53.571394Z DEBUG keyring: get password from entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-imap-oauth2-client-secret" }
2026-01-30T20:50:53.577308Z DEBUG client::build: keyring: get keyring secret key="outlook-imap-oauth2-refresh-token"
2026-01-30T20:50:53.577353Z DEBUG keyring: get password from entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-imap-oauth2-refresh-token" }
2026-01-30T20:50:53.582901Z DEBUG ureq_proto::client::flow: Flow
2026-01-30T20:50:53.583013Z  INFO ureq::run: POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2026-01-30T20:50:53.751348Z DEBUG ureq::unversioned::resolver: Resolved: ArrayVec { len: 16, arr: […] }
2026-01-30T20:50:53.788037Z DEBUG ureq::unversioned::transport::tcp: Connected TcpStream to […]:443
2026-01-30T20:50:53.788191Z DEBUG rustls::client::hs: No cached session for DnsName("login.microsoftonline.com")
2026-01-30T20:50:53.788304Z DEBUG rustls::client::hs: Not resuming any session
2026-01-30T20:50:53.788374Z DEBUG ureq::tls::rustls: Wrapped TLS
2026-01-30T20:50:53.788398Z DEBUG ureq_proto::client::flow: Flow
2026-01-30T20:50:53.788427Z  INFO ureq::run: Request { method: POST, uri: https://login.microsoftonline.com/common/oauth2/v2.0/token, version: HTTP/1.1, headers: {"accept-encoding": "gzip", "content-length": "533", "user-agent": "ureq/3.0.0-rc5", "host": "login.microsoftonline.com", "accept": "application/json", "content-type": "application/x-www-form-urlencoded", "": "1 HEADERS ARE REDACTED"} }
2026-01-30T20:50:54.104638Z DEBUG rustls::client::hs: Using ciphersuite TLS13_AES_256_GCM_SHA384
2026-01-30T20:50:54.104685Z DEBUG rustls::client::tls13: Not resuming
2026-01-30T20:50:54.107041Z DEBUG rustls::client::tls13: TLS1.3 encrypted extensions: [ServerNameAck]
2026-01-30T20:50:54.107070Z DEBUG rustls::client::hs: ALPN protocol is None
2026-01-30T20:50:54.129932Z DEBUG ureq_proto::client::flow: Flow
2026-01-30T20:50:54.130036Z DEBUG ureq_proto::client::flow: Flow
2026-01-30T20:50:54.616619Z DEBUG ureq_proto::client::flow: Flow
2026-01-30T20:50:54.616666Z  INFO ureq::run: Response { status: 200, version: HTTP/1.1, headers: {"content-type": "application/json; charset=utf-8", "date": "Fri, 30 Jan 2026 20:50:54 GMT", "content-length": "2094", "": "14 HEADERS ARE REDACTED"} }
2026-01-30T20:50:54.619140Z DEBUG client::build: ureq_proto::client::flow: Flow
2026-01-30T20:50:54.619200Z DEBUG client::build: ureq::pool: Return to pool: PoolKey { scheme: "https", authority: login.microsoftonline.com, proxy: None }
2026-01-30T20:50:54.621774Z DEBUG client::build: keyring: set keyring secret key="outlook-imap-oauth2-access-token"
2026-01-30T20:50:54.621868Z DEBUG keyring: set password for entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-imap-oauth2-access-token" }
2026-01-30T20:50:54.654082Z DEBUG client::build: keyring: set keyring secret key="outlook-imap-oauth2-refresh-token"
2026-01-30T20:50:54.654131Z DEBUG keyring: set password for entry MacCredential { domain: User, service: "himalaya-cli", account: "outlook-imap-oauth2-refresh-token" }
Error:
   0: cannot build IMAP client
   1: cannot authenticate to IMAP server using SASL XOAUTH2 mechanism
   2: cannot resolve IMAP task
   3: unexpected NO response: AUTHENTICATE failed.

I also tried oauthbearer as auth method instead of xoauth2 but then I get this error:

Error:
   0: cannot build IMAP client
   1: OAuthBearer authentication not supported (available: {XOAuth2, Plain})

My system: macOS Tahoe 26.1
Installed using cargo install himalaya --locked --features oauth2

Do you know what could be the problem?

[soywod]

OAuth is in the process of moving away from Himalaya. Could you please try Ortie and see if auth succeed? Meanwhile I try to see how to be able to use Ortie with Himalaya.

[soywod]

Ideally I would like to know if this would work:

backend.auth.access-token.cmd = "ortie token show"

[silas229]

Ortie works but I couldn't get it to work with Himalaya.
Just replacing access-token.keyring with access-token.cmd will trigger an authorization flow like before and removing several parts of the oauth config wasn't successful, too.

ortie.toml

[accounts.outlook]

default = true

client-id = "*****"
client-secret.keyring = "ortie-outlook-client-secret"

endpoints.authorization = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
endpoints.token = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
endpoints.redirection = "http://localhost:49152"

scopes = ["IMAP.AccessAsUser.All", "SMTP.Send", "offline_access"]

pkce = true

auto-refresh = true

storage.read.keyring = "ortie-outlook"
storage.write.keyring = "ortie-outlook"

himalaya's config.toml

email = "example@outlook.com"

backend.type = "imap"
backend.host = "outlook.office365.com"
backend.port = 993
backend.login = "example@outlook.com"
backend.encryption.type = "tls"
backend.auth.type = "oauth2"
backend.auth.method = "xoauth2"
backend.auth.client-id = "*****"
backend.auth.auth-url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
backend.auth.token-url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
backend.auth.pkce = true
backend.auth.redirect-scheme = "http"
backend.auth.redirect-host = "localhost"
backend.auth.redirect-port = 49152
backend.auth.scopes = ["IMAP.AccessAsUser.All", "offline_access"]
backend.auth.client-secret.keyring = "outlook-imap-oauth2-client-secret"
backend.auth.access-token.cmd = "ortie token show -c ~/.config/ortie.toml -a outlook"

message.send.backend.type = "smtp"
message.send.backend.host = "smtp-mail.outlook.com"
message.send.backend.port = 587
message.send.backend.login = "example@outlook.com"
message.send.backend.encryption.type = "start-tls"
message.send.backend.auth.type = "oauth2"
message.send.backend.auth.method = "xoauth2"
message.send.backend.auth.client-id = "*****"
message.send.backend.auth.auth-url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
message.send.backend.auth.token-url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
message.send.backend.auth.pkce = true
message.send.backend.auth.redirect-scheme = "http"
message.send.backend.auth.redirect-host = "localhost"
message.send.backend.auth.redirect-port = 49152
message.send.backend.auth.scopes = ["SMTP.Send", "offline_access"]
message.send.backend.auth.client-secret.keyring = "outlook-smtp-oauth2-client-secret"
backend.auth.access-token.cmd = "ortie token show -c ~/.config/ortie.toml -a outlook"

[soywod]

Thanks for the feedback. The problem is that the OAuth logic still remains inside Himalaya. Ideally it should work like Cardamum or Calendula: https://github.com/pimalaya/cardamum/blob/c4aaba733e367a854f22775fc75138d2623e60ce/config.sample.toml#L74-L78

But I cannot for the moment due to the ongoing libs refactor. Let me see if I can change a bit the Himalaya config to accept tokens for other sources than Himalaya itself. As a temporary solution.

[soywod]

I cannot reproduce your issue. I was able to refresh the token with both Himalaya's OAuth and Ortie methods.

1. Let the wizard create my account, or use himalaya account configure

   Here the config generated by the wizard (just the IMAP section):

   backend.type = "imap"
   backend.host = "outlook.office365.com"
   backend.port = 993
   backend.login = "pimalaya.org@outlook.com"
   backend.encryption.type = "tls"
   backend.auth.type = "oauth2"
   backend.auth.method = "xoauth2"
   backend.auth.client-id = "*****"
   backend.auth.auth-url = "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize"
   backend.auth.token-url = "https://login.microsoftonline.com/consumers/oauth2/v2.0/token"
   backend.auth.pkce = true
   backend.auth.redirect-scheme = "http"
   backend.auth.redirect-host = "localhost"
   backend.auth.redirect-port = 1234
   backend.auth.scopes = ["offline_access", "https://outlook.office.com/IMAP.AccessAsUser.All"]
   backend.auth.client-secret.keyring = "outlook-imap-oauth2-client-secret"
   backend.auth.access-token.keyring = "outlook-imap-oauth2-access-token"
   backend.auth.refresh-token.keyring = "outlook-imap-oauth2-refresh-token"

   After clicking on the validating link, himalaya env list works as expected.

   When the token expires, it is automatically refreshed.

2. Use Ortie CLI inside Himalaya

   The actual Himalaya OAuth config expects mandatory fields, but they are not used if an access token is available. Since Ortie CLI can refresh automatically the token (via arg --auto-refresh or config auto-refresh = true), sth like this works for me as well:

   backend.auth.type = "oauth2"
   backend.auth.method = "xoauth2"
   backend.auth.client-id = ""
   backend.auth.auth-url = ""
   backend.auth.token-url = ""
   backend.auth.pkce = true
   backend.auth.scopes = []
   backend.auth.client-secret.raw = ""
   backend.auth.access-token.cmd = "ortie --account outlook token show --auto-refresh"

---

Is your initial OAuth flow properly validated when you click on the validation link? Do you get the Authentication successful! message?

Do you have the same behaviour when using directly the MacOS security tool?

[zerog0]

@silas229

I had exactly the same error while trying to connect himalaya to my outlook.com personal adress for the last few days.

I just fixed it by changing the type of redirect URI on my azure application from Desktop application to Web. After that, I could connect.

This Azure setup is a nightmare to manage 😅 (but it's not better on other providers anyway)