Send e-mail using the OAuth protocol

With the OAuth protocol, you do not give an application a username and password that would let it do everything when accessing a service; you give it only the authorizations it needs to do what it is supposed to do.
These authorizations are granted in the form of two "tokens":
  • an access token, valid for a very short time, usually one hour,
  • a refresh token, which is valid for a much longer period of time, and which enables the access token to be renewed without having to constantly ask for the user's intervention.
To obtain the tokens, the user is invited to authenticate in a web browser separate from the application (so that the application cannot intercept the credentials).
This authentication phase is driven entirely by the service in question, not by the application.
This can be a multi-factor authentication, for example with a verification code sent by SMS or e-mail.
Only once the user is authenticated and has agreed to the requested authorizations are the tokens communicated to the application.

The user can log in directly to the service at any time to consult or invalidate authorizations already granted.
Every effort is made to ensure that neither usernames nor passwords are compromised.

Identification of the application with the service

Authorizations are only granted for known applications. A prior declaration is therefore required to obtain:
  • an identifier (client ID) to identify the application,
  • a secret (client secret), which must be kept hidden to prevent one application from masquerading as another.


For Microsoft's SMTP server smtp.office365.com, you'll be offered the use of an application predefined by Index Education, so you don't have to worry about this step.
Otherwise, you'll have to declare the application yourself to obtain an identifier and a secret. You can consult these two sections further down in this document:
  • Register your application with a Google service;
  • Register your application with a Microsoft service.
Important parameter: Index Education applications use the redirection URI

Service identification with the application

The application needs several URLs called endpoints to initiate exchanges with the service. You can obtain these endpoints in the interface in which you have declared the application.

In the case of the application predefined by Index Education, these endpoints are pre-filled.

Self-declare the application with a Google service

On the service side:

To get started, log on to https://console.cloud.google.com/home/dashboard, then click on API and services on the left.
  1. Create a new project, give it a name (without accent marks), and make sure the new project is selected. This is not the name the user will see.
  2. Then click on Library and click on Gmail API. Activate the Gmail API.
  3. At the top left, click on the parameter menu (burger menu) and return to API and services.
  4. Then click on OAuth consent screen on the left and complete the information.
  5. In the second screen Access levels, click on the button ADD OR DELETE APPLICATION FIELDS. Under Manually add the access levels, paste https://mail.google.com/, click on ADD TO THE TABLE, then on UPDATE.
  6. For the question Which features will you use, choose Messaging client.
  7. Finish the configuration.
  8. Then click on Identifiers, then on + CREATE IDENTIFIERS, OAuth client IDs.
    • Type of application: Web application
    • Name: execonnect.index-education.com
    • Authorized redirect URI: https://execonnect.index-education.com/callback
  9. A window then appears with an identifier and a secret: these two parameters must be retained for entry into the application.

On the application side:

In the application, enter the following elements:
  • Identifier, Secret: paste the previously saved values here
  • Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth?prompt=consent&access_type=offline
  • Token endpoint: https://oauth2.googleapis.com/token
  • Authorization requests: https://mail.google.com/
You can then obtain OAuth tokens.

Note:
  • The parameters prompt=consent&access_type=offline are required to obtain both an access token and a refresh token.
  • The authorization https://www.googleapis.com/auth/gmail.send (Sending e-mails in your name) is not enough to send an e-mail via an SMTP server; you need https://mail.google.com/ (full mailbox access). See OAuth 2.0 Mechanism

Self-declare the application with a Microsoft service

On the service side:
To get started, log on to https://portal.azure.com/, then click on Azure Active Directory.
  1. On the left, click on Application registration, then at the top on + New registration. Select the type of accounts you want to handle, then in the section URI redirection, choose Client public/native (mobile & desktop) with the URI https://execonnect.index-education.com/callback.
  2. Once the application has been added, click on Customization and properties on the left, complete the fields and click on Save.
  3. On the left, click on Authentication, then at the bottom under Authorize public customer flows, tick Yes. Click on Save.
  4. On the left, click on Authorized API, then on + Add an authorization, Microsoft Graph, Delegated authorizations. Under User, un-tick User.Read, then under SMTP, tick SMTP.Send. Then at the very bottom, click on Add the authorizations.
  5. On the left, click on Overview.
  6. Copy the value in front of Application ID (client), and keep it for use in the application.
  7. Click at the top on Endpoints and copy the first two values, OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) to enter them into the application.
On the application side:
In the application, enter the following elements:
  • Identifier: paste the first value saved previously
  • Secret: leave this field empty, public applications are allowed
  • Authorization and token endpoints: paste the two previously saved values
  • Authorization requests: https://outlook.office.com/SMTP.Send offline_access
You can then obtain OAuth tokens.

Note:
  • The authorization https://outlook.office.com/SMTP.Send differs from that declared in the application (SMTP.Send in Microsoft Graph), but only a token obtained with the authorization https://outlook.office.com/SMTP.Send allows you to send an e-mail via an SMTP server. See Authenticate an IMAP, POP or SMTP connection using OAuth
  • The authorization offline_access is required to obtain both an access token and a refresh token.
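The Google and Microsoft notes above both come down to two checks on what the service hands back: a refresh token must be present, and the granted authorization must be the one the SMTP server accepts. The following is an added example, not Index Education code; the function names, client ID and token values are constructed, and only the endpoint, redirect URI and authorizations come from this page.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

REDIRECT_URI = "https://execonnect.index-education.com/callback"  # from this page
GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/v2/auth?prompt=consent&access_type=offline"
GOOGLE_SCOPE = "https://mail.google.com/"
MS_SCOPE = "https://outlook.office.com/SMTP.Send"

def build_authorization_url(auth_endpoint, client_id, scope, state=None):
    """Add the OAuth 2.0 request parameters to an authorization endpoint,
    keeping any query string it already carries (prompt, access_type)."""
    parts = urlsplit(auth_endpoint)
    if parts.scheme != "https":
        raise ValueError("authorization endpoint must use https")
    params = dict(parse_qsl(parts.query))
    state = state or secrets.token_urlsafe(16)  # compared with the callback's state
    params.update(response_type="code", client_id=client_id,
                  redirect_uri=REDIRECT_URI, scope=scope, state=state)
    return urlunsplit(parts._replace(query=urlencode(params))), state

def check_token_response(resp, smtp_scope):
    """List what is missing for unattended SMTP sending in a token response."""
    problems = []
    if not resp.get("access_token"):
        problems.append("no access token")
    if not resp.get("refresh_token"):
        problems.append("no refresh token")
    if smtp_scope not in resp.get("scope", "").split():
        problems.append("scope not granted: " + smtp_scope)
    return problems

# Constructed token responses (placeholder token values, not real ones).
GOOGLE_SEND_ONLY = {"access_token": "AT-1", "refresh_token": "RT-1",
                    "scope": "https://www.googleapis.com/auth/gmail.send"}
MS_NO_OFFLINE = {"access_token": "AT-2", "scope": MS_SCOPE}
MS_OK = {"access_token": "AT-3", "refresh_token": "RT-3", "scope": MS_SCOPE}

if __name__ == "__main__":
    url, _ = build_authorization_url(GOOGLE_AUTH, "constructed-client-id", GOOGLE_SCOPE)
    print(url)
    for name, resp, scope in [("google send-only", GOOGLE_SEND_ONLY, GOOGLE_SCOPE),
                              ("ms without offline_access", MS_NO_OFFLINE, MS_SCOPE),
                              ("ms ok", MS_OK, MS_SCOPE)]:
        print(name, check_token_response(resp, scope))
```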

The use of the OAuth protocol for limited-entry devices

There is a variant of the OAuth protocol that allows a limited-entry device (such as a connected TV) to request an OAuth token: the Device Authorization Grant. If you're having problems with the default OAuth scenario, you can use this protocol variant, which also works for desktop applications.

In the application, hold down the Ctrl and Shift keys when you click on the button that opens the Configuration OAuth window: this leaves you free to switch to the Device Authorization Grant scenario. In this scenario, the authorization endpoint is replaced by a device endpoint.

Note that this doesn't work with Google services, as you can't ask for authorization https://mail.google.com/. See Authorized ranges

On the other hand, it works with Microsoft services.
Just be aware that the device endpoint is deduced from the authorization endpoint by replacing authorize at the end with devicecode:
  • https://login.microsoftonline.com/common/oauth2/v2.0/authorize becomes https://login.microsoftonline.com/common/oauth2/v2.0/devicecode
  • https://login.microsoftonline.com/{xxx}/oauth2/v2.0/authorize becomes https://login.microsoftonline.com/{xxx}/oauth2/v2.0/devicecode
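The endpoint substitution above and the polling that follows it in the Device Authorization Grant (RFC 8628) can be sketched as follows. This is an added example, not Index Education code; the function names and the sample replies are constructed, and it goes beyond the page by showing how the application reacts to each reply from the token endpoint.

```python
from urllib.parse import urlsplit, urlunsplit

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628

def device_endpoint(auth_endpoint):
    """Replace the final path segment 'authorize' with 'devicecode'."""
    parts = urlsplit(auth_endpoint)
    head, _, last = parts.path.rpartition("/")
    if parts.scheme != "https" or last != "authorize":
        raise ValueError("expected an https URL ending in /authorize")
    return urlunsplit(parts._replace(path=head + "/devicecode"))

def token_poll_body(client_id, device_code):
    """Form fields the application posts to the token endpoint while polling."""
    return {"grant_type": DEVICE_GRANT, "client_id": client_id,
            "device_code": device_code}

def next_poll_action(resp, interval):
    """Decide what follows one poll of the token endpoint (RFC 8628, 3.5)."""
    if "access_token" in resp:
        return "done", interval
    error = resp.get("error")
    if error == "authorization_pending":   # user has not finished signing in
        return "wait", interval
    if error == "slow_down":               # server asks for 5 more seconds
        return "wait", interval + 5
    return "abort", interval               # access_denied, expired_token, ...

def run_polling(responses, interval=5):
    """Replay token-endpoint replies; return (outcome, seconds waited)."""
    waited = 0
    for resp in responses:
        action, interval = next_poll_action(resp, interval)
        if action != "wait":
            return action, waited
        waited += interval
    return "pending", waited

# Constructed replies, in the order a server might send them.
SAMPLE = [{"error": "authorization_pending"}, {"error": "slow_down"},
          {"error": "authorization_pending"},
          {"access_token": "AT-constructed", "refresh_token": "RT-constructed"}]

if __name__ == "__main__":
    print(device_endpoint("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"))
    print(run_polling(SAMPLE))
```

Replacing only the last path segment, rather than every occurrence of the word, keeps a tenant segment that happens to contain "authorize" intact.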