Asi utoronto-outlook
Headless University of Toronto Outlook email access via IMAP/SMTP with OAuth2. Uses Thunderbird's pre-authorized client ID to bypass admin consent requirements (AADSTS65002). Device code flow for initial auth, macOS Keychain for token cache.
install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/utoronto-outlook" ~/.claude/skills/plurigrid-asi-utoronto-outlook && rm -rf "$T"
manifest:
skills/utoronto-outlook/SKILL.mdsource content
UofT Outlook Skill
Headless access to University of Toronto alumni/student Outlook via IMAP/SMTP with OAuth2.
Trit: -1 (MINUS - validator/consumer)
Principle: Thunderbird Client ID → Device Code Auth → Keychain Cache → IMAP/SMTP
Implementation: IMAP OAuth2 (XOAUTH2) + Thunderbird Pre-Authorized Client ID
The AADSTS65002 Problem
University tenants block third-party OAuth apps:
AADSTS65002: Consent between first party application and first party resource must be configured via preauthorization
Solution: Use Thunderbird's pre-authorized client ID
9e5f94bc-e8a4-4e73-b8be-63364c29d753Authentication Architecture
┌─────────────────────────────────────────────────────────────────────┐ │ THUNDERBIRD CLIENT ID BYPASS │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ [Problem: Graph API blocked] │ │ ┌──────────┐ Graph API ┌───────────────┐ │ │ │ Agent │ ────────────────▶ │ MS Entra ID │ │ │ └──────────┘ └───────────────┘ │ │ │ │ │ │ │ ▼ │ │ │ ❌ AADSTS65002 Error │ │ │ "Admin consent required" │ │ │ │ [Solution: Thunderbird IMAP] │ │ ┌──────────┐ Thunderbird ID ┌───────────────┐ │ │ │ Agent │ ─────────────────▶ │ MS Entra ID │ │ │ └──────────┘ 9e5f94bc-... └───────────────┘ │ │ │ │ │ │ │ Device code flow │ Pre-authorized ✓ │ │ ▼ ▼ │ │ "Enter code XXXXXX at microsoft.com/devicelogin" │ │ │ │ │ │ User authenticates (one-time) │ │ ▼ │ │ ┌──────────────────────────────────────────────────┐ │ │ │ macOS Keychain (secure storage) │ │ │ │ outlook-university: access + refresh tokens │ │ │ └──────────────────────────────────────────────────┘ │ │ │ │ │ │ XOAUTH2 authentication │ │ ▼ │ │ ┌───────────────────────────────────────────────┐ │ │ │ outlook.office365.com:993 (IMAP) │ │ │ │ smtp.office365.com:587 (SMTP) │ │ │ └───────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────┘
Key Constants
# Thunderbird's pre-authorized client ID (public, safe to commit) THUNDERBIRD_CLIENT_ID = "9e5f94bc-e8a4-4e73-b8be-63364c29d753" # IMAP OAuth2 scopes (NOT Graph API scopes!) IMAP_SCOPES = [ "https://outlook.office.com/IMAP.AccessAsUser.All", "https://outlook.office.com/SMTP.Send", "offline_access", "openid", "profile", "email" ] # Servers IMAP_SERVER = "outlook.office365.com" # Port 993 SSL SMTP_SERVER = "smtp.office365.com" # Port 587 STARTTLS
Usage
Initial Authentication (One-Time)
cd ~/.claude/skills/utoronto-outlook uv run python outlook_university.py auth # Output: # ============================================================ # OUTLOOK UNIVERSITY - DEVICE CODE AUTHENTICATION # ============================================================ # Code: XXXXXXXXX # Go to: https://microsoft.com/devicelogin # (Uses Thunderbird's pre-authorized client ID) # ============================================================
Headless Operations
# Check login uv run python outlook_university.py whoami # Logged in as: yulia.zubak@alumni.utoronto.ca # List messages uv run python outlook_university.py list 10 # Read message uv run python outlook_university.py read 42 # Search uv run python outlook_university.py search "professor" # List folders uv run python outlook_university.py folders
Python API
from outlook_university import OutlookClient client = OutlookClient() # List recent emails messages = client.list_messages(limit=10) # Get unread unread = client.get_unread() # Read full message (body truncated to 2000 chars for context safety) msg = client.get_message("42") # Search results = client.search("grades") # Send email client.send( to=["recipient@example.com"], subject="Test", body="Hello from headless Outlook!" ) client.close()
XOAUTH2 Authentication
The critical implementation detail for IMAP OAuth2:
# Build XOAUTH2 string per RFC 7628 auth_string = f"user={email}\x01auth=Bearer {access_token}\x01\x01" # IMAP authenticate callback returns raw bytes conn.authenticate("XOAUTH2", lambda x: auth_string.encode())
GF(3) Verb Typing
| Operation | Trit | Description |
|---|---|---|
| -1 | Consume/read inbox (MINUS) |
| -1 | Read specific message (MINUS) |
| -1 | Query unread (MINUS) |
| -1 | Query messages (MINUS) |
| 0 | Metadata access (ERGODIC) |
| +1 | Generate output (PLUS) |
Security Notes
- Thunderbird Client ID: Public, safe to commit (used by Mozilla Thunderbird)
- Tokens: Stored in macOS Keychain (encrypted), never in files
- Body Truncation: Email bodies truncated to 2000 chars to prevent context overflow
- No Credentials: No passwords stored; OAuth2 refresh tokens only
- Terminal Sanitization: ANSI escape codes stripped from output