SMTP Authentication with OAuth 2.0

Inside the Email settings of a realm (for sending registration emails etc.) you can use username/password to authenticate with the SMTP server. From the source code I think I can assume that Jakarta Mail is used to authenticate with the SMTP server by using BASIC AUTH.

Unfortunatly Microsoft with their Office 365 started to disable BASIC AUTH for some tennants and plan to disable it fully along the year.

So we have some clients that we need to send emails in their name and thus authenticate at the MS SMTP server by their secure “Modern authentication” - in the end it is just a token based authentication based on OAuth 2.0. In theory Jakarta Mail should be capable of authentication with this method (see OAuth2 Support).

So I think what is missing is the implementation in the keycloak email settings for this and the code in the backend.

Is there anything like that planned? Did anyone else had this problem? Are there perhaps any extensions for keycloak implementing this?


Did you find a solution? Microsoft is terminating basic authentication by the end of September 2022.

In the end I implemented a backend service with Python that uses OAuth 2.0 with the Microsoft Graph API and acts as a “normal” or “classic” SMTP server at the frontend. It just relays the incoming emails to the Microsoft Graph API. Thus I can use SMTP with Keycloak.

Hi @m.schoepe,

thats a nice workaround.
Do you have a github repo to share your implementation?


Microsoft says: We’re also disabling SMTP AUTH in all tenants in which it’s not being used. So my conclusion is that SMTP with authentication, which usually is serviced by port 587/tcp, is still available. Otherwise, if it’s disabled, you can enable it in the Exchange Admin Portal. It will be disabled for securoty improvement, but you can still keep using this. Multifunctionals with scan-to-email facility are still useable in this way, even in 2023 and up. So configuring port 587 as SMTP port fixes the issue.