[#47669] - [6.2] Add SMTP OAuth2 mailer support in Global Configuration (Microsoft/Google/Custom) / Replacement for #47656 (correct head branch)
- Pending
- Medium
- Build: 6.2-dev
- # 47669
- Diff
- dawe78:feature/oauth2-mail-6.2
- Failure continuous-integration/drone/pr Build is failing Details
User tests: Successful: Unsuccessful:
Summary of Changes
This PR adds SMTP OAuth2 support in Global Configuration for outgoing mail on 6.2-dev.
Implemented changes:
- New mailer value:
smtpoauth2 - OAuth2 token issue/check flow in
com_config - Provider support: Microsoft, Google, Custom
- Microsoft tenant mode:
commonand tenant-specific - XOAUTH2 SMTP integration in mail factory
- PHPCS/CS fixes in touched files
Important Clarification (Review Feedback)
The previous provider-specific legacy wrappers (m365auth, m365callback, m365checktoken) were removed/adjusted because there was no real historical route contract to preserve in core.
Security / Callback Flow Notes
- OAuth flow is initiated from authenticated administrator context (
com_config). - Callback state is validated against session (
com_config.oauth2_state) usinghash_equals. - If state/session is missing or invalid, callback exits with invalid token error.
- Token persistence requires admin privileges (
core.admincheck) before writing config.
Testing Instructions
- Login to Administrator.
- Open Global Configuration -> Server/Mail settings.
- Set mailer to
smtpoauth2. - Configure provider credentials for one provider:
- Microsoft (common tenant)
- Microsoft (specific tenant)
- Custom
- Click token issue button and complete provider consent.
- Verify redirect returns to admin config and token timestamp is set.
- Run token validation action.
- Send test mail from Global Configuration.
- Repeat for at least one additional provider profile.
Expected Result
- OAuth flow completes only with valid admin session + valid state.
- Refresh token is saved successfully.
- Token check reports valid access token response.
- SMTP test mail works with XOAUTH2 configuration.
- CI style checks pass.
Actual Result
- Behavior matches expected result for tested provider configurations.
- 6.2 PR now uses correct head branch and updated formatting/documentation.
Documentation Changes
This PR description now documents:
- callback auth/session assumptions
- state validation behavior
- required test flow for provider scenarios
AI Disclosure
AI assistance was used to help draft/refine parts of implementation and PR text.
All code, behavior, and security assumptions were manually reviewed and tested by the author before submission.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_config Language & Strings Libraries |
Please fill out the PR form correctly, especially the AI disclaimer. Also please format your text correctly. Right now the description is hardly readable.
Okay, done. Code changes will be pulled soon
| Labels |
Added:
Language Change
PR-6.2-dev
|
||
Addressed in latest commit; thread outdated.
| Category | Administration com_config Language & Strings Libraries | ⇒ | Administration com_config Language & Strings Layout Libraries |
Added layout file for oauth2token field
All review points addressed, CI green, ready for merge.
![avatar github-actions[bot]](/images/avatars/github-actions[bot].png)
This pull request has conflicts, please resolve those before we can evaluate the pull request.
| Labels |
Added:
Conflicting Files
|
||
| Labels |
Removed:
Conflicting Files
|
||
System tests failed broadly across unrelated areas (Cypress, 36/156). Re-running CI as likely infra/flaky failure.
Missing language strings.
Missing language strings.
numerous codestyle issues with the xml have been marked as resolved but they have not been
Fixed — added COM_CONFIG_MAIL_OAUTH2_BUTTON_CHECK, _BUTTON_ISSUE, _BUTTON_REISSUE, COM_CONFIG_OAUTH2_TENANT_MODE_COMMON and _TENANT.
numerous codestyle issues with the xml have been marked as resolved but they have not been
Fixed — the closing > on oauth2_provider, oauth2_tenant_mode and oauth2_smtp_secure fields now uses 3-tab indentation consistent with the surrounding code.
@Hackwar @brianteeman All review findings have been addressed in the latest commits. Could you please take another look?
Summary of changes since last review:
Added missing language strings (BUTTON_CHECK, BUTTON_ISSUE, BUTTON_REISSUE, OAUTH2_TENANT_MODE_COMMON/TENANT)
Reverted accidental re-sorting of existing language keys; restored accidentally deleted WEBSERVICES_CORS_OFF_* strings
Fixed XML closing > indentation (3 tabs) on the 3 new list fields
Replaced hardcoded Uri::root().'administrator/' with Uri::base() in ConfigHelper
Removed unused $params variable and replaced Factory::getApplication() with $this->app
All CI checks pass (Windows integration test flakiness re-triggered via empty commit)
Please fill out the PR form correctly, especially the AI disclaimer. Also please format your text correctly. Right now the description is hardly readable.
Why do you have custom routes for the different providers as legacy fallback, when they never existed in the first place? Your docblocks are incomplete. How do those callbacks against the admin com_config work, when the calling provider is not an authorised user? Seems to me as if that would fail. This needs at least documentation on how to use and test in this PR.