Bug in OAuth flow

I think we found a bug in MS OAuth Flow (it might also be in Gmail, see below).

Problem: During initial OAuth flow, my @outlook account will randomly work and not work. When it doesn't work, I get "Success. Please Close Browser" and no errors are reported. (I'm hooked in to the TppReport.OnEmailError event, and nothing fires).

From the GUI everything looks peachy, but no credentials are put in the INI or Registry.

So I used the browser network console to inspect requests during the OAuth flow and found a pattern. Every single time it "didn't work", there was a $ character at the end of the code:

BAD
GET http://localhost:65168/?code=M.C513_BAY.2.U.DlwN2k6U3asmVTJK!dREitr*EZRUM1zREMOVEDLQqsOgX4FUmcdFZG542*sxAMbGHteQ6hqNvW6VcbFEWA$

GOOD
GET http://localhost:64785/?code=M.C513_SN1.2.U.DtBnG1rBBUjTQH5lFV7LuUtHJlXblREMOVEDIj13RJ6QrVZO4*RRqFTUWqlwm5RiRULnfAZAx5tPWsoLe5LR3av96ckeScZiW

GOOD
GET http://localhost:65022/?code=M.C513_SN1.2.U.DtRCbCDVd6BC2A4G1cKWo0uZZSS1REMOVED2qe0KFYj!Qw30n6gGTZWm19925n5n37w5YRdE!gd3DAK5mAAJ*gyyvbw56GnBlO7lnd

BAD
GET M.C513_BL2.2.U.Do8UC!v!QOI3*yhrRMYVjcX!LZWZdHbuYV2kfDKrkcp8cgJ6151!isNnxREMOVED4m0vwCFbaY4uaRsewinIdVxdBv9VzDQVVGooi*zfTFDjkamTYDeEDWWuwKVgWVaJXJmTfhl1FbDY$

BAD
GET M.C513_SN1.2.U.DnM5qmutJqCzxj1Q1ZujPWINQ8LpVpGc2kI*C!iKBAt9REKxOzHzm1yCcMREMOVEDH3A2bmsEo0RdsMIXOJKIAvzq0rL0mtww6D4UlKutkdL!oO21NKLR2HOI!ZJg9pcpDF!6janz19c$

GOOD
GET http://localhost:53753/?code=M.C513_BAY.2.U.Dmvgs0UWV9FZlFufA3!v3YLWJIfCeREMOVEDGrVonjvbcTo9mhYPOlEpXntrY*HPi2qTSIW!Q8gWxaA*Sz!hpR8cag!6UVLjyOk9NG1dQ53ERxwO2J3gTXp88JmLk

GOOD
GET http://localhost:57752/?code=M.C513_SN1.2.U.DofcrT2i!niNxt*YTL2HViAf0XNQrREMOVEDs9!7wz91ERQ22fZplkEKFK*u75pvAZ2iEFltCGL7QT6UpPVI3brpAlKyrAFTF4A*ZAdo57AFh6dKANb3iF1foh8F42

BAD
GET http://localhost:57903/?code=M.C513_SN1.2.U.DpQWEhqMP*f24TnN3gCmVTKkCzOPVREMOVEDryi7DATKCZeIpwsk16oE4KgZrSGbcd0SggN6q8pH1LmN!q4dROkzAGbfSQ1N5oNuK*PWuHvphf0KprCJIA*BlIZTyI$

GOOD
GET http://localhost:58083/?code=M.C513_SN1.2.U.DjAt5p!2DtMiV5ndtOcsiX6ByqIREMOVED9K5MVqQRoX2TPr7hxxtA0xzZ3jYjB7BhDdE!aDWTA6LML4ce133EXqfJ8L5xse9i2DoTvndlqlqB!TH8j7YYnbJSGTzzbhPf0

GOOD
GET http://localhost:58289/?code=M.C513_SN1.2.U.DmMG5ssutOdKL3TRlMJ!FUZLD6Q!YREMOVED!oQ63tLEp1oMh9UCxOXN9Rd5AVnCYT6tK3yc2uoPfHNpdQ0FyenVva8xpzFCTe891VZQif*Bt8rkncagkgB!yk0X9bUJ

GOOD
GET http://localhost:62517/?code=M.C513_SN1.2.U.Dvgz!ILhtHdUGk4Y3ybO391rjtenvTREMOVEDYpKpuynhA4QB9zOhOjflYqvJr0ZDwKfXdD1TSeLNLJLM3mPe1vnrTZCBi*bpTWbvTksqs00SZXY1hxwWQbiyoE!D9RXrRDBCREMFUPohGJdVc8nkRiv*DcUSWFZ

BAD
GET http://localhost:62676/?code=M.C513_BAY.2.U.Dh6opE41qqz04LPSByvHdRzDncHjHHVREMOVED2gR8i7jl6lXQl79cMVkp8blOIcZhGra8HXl0k9an4FEFvgQwqeXMOAoDISEO5kbDZ3cUmWiuSs0GX5Uk$

I looked at the URL the browser was redirected to and it did properly encode there to %25. So there must be something up with the http server?

Other teammates couldn't get it to happen. So maybe it has something to do with my email, or it's time based, or it's just 50/50 and they got a good string.

This may be happening in Gmail, but we haven't seen it. Did not do any testing there.

Comments

  • edited May 8
    Hi Dusten,

    This is not a known issue. In my tests with our Outlook account, I was unable to recreate this behavior.

    For the test, I performed an authorization over 15 times in a row in the timespan of about 5 minutes, all with the successful sending of an email.

    It is interesting that you are receiving a "success" message even though the authorization code is incorrect. I assume you are eventually receiving an error when trying to send an email? Are you using the latest version of RB (patched) and the latest version of Delphi?

    As a test, try turning on the status window to see the live progress of each send operation. This could give some insight to what is actually happening.

    uses ppTypes;

    ppReport1.EmailSettings.ConnectionSettings.ConnectionStatusInfo := [csiDialog, csiStatusBar];

    Best Regards,

    Nico Cizik
    Digital Metaphors
    http://www.digital-metaphors.com
  • edited May 8
    I didn't know about the ability to show progress. That's great.

    So when there is a $ in the code it returns:
    GET
    http://localhost:51050/?code=M.C513_BAY.2.U.DurjSFDAvrZAtXJXZz!fCIyhuJoED*x4y9fvlxU7T927tiLeiVX5afj4Z!n9IYnL1L0i!Dqjk8AhGsik4nggE9toSojCzef522k6bzH1gddln4X!pE8qtXXC!!HnB!BqklpZSdNRVJdlPuD03P0lK9y8bNeK6pqaAJKJ4ScYDhMYS1GSA05bohYSkFlyTeS9tLS3h5kjXMJLAqjOGoU3DgDPDLH2MGUDxfyBTZEOXsgIwREMOVED*LKyNQWTUZmAUjLKrlYelpZpC6ku0U1yVvfe8UAyGvPM7SGKVRZfzCi3U!PVAX5fJMH09FmBjnQo$

    The status window shows:

    Generating Report...
    Retrieving Authorization Code...
    Authorization Code Received
    Error: {"error":"invalid_grant","error_description":"AADSTS70000: The provided value for the 'code' parameter is not valid. Trace ID: bddb96b5-3433-4382-8032-3c50e70c6e01 Correlation ID: 86457adf-8244-4dc4-9eb0-40573987bed6 Timestamp: 2026-05-08 18:55:57Z","error_codes":[70000],"timestamp":"2026-05-08 18:55:57Z","trace_id":"bddb96b5-3433-4382-8032-3c50e70c6e01","correlation_id":"86457adf-8244-4dc4-9eb0-40573987bed6","error_uri":"https://login.microsoftonline.com/error?code=70000"}

    Makes sense right? If the $ is not being encoded/decoded properly, the code will not be valid.

    You tried it tons of times, did any of your codes contain a $ character?

    Could it be my email account is unique in some way? There is a number and a period which is somewhat rare: q7frontline.software@outlook.com.

    I have a team member who has never gotten the "bug" so I know where you're coming from.

    Today I'm getting WAY more failures than success, but after a good 15 I got a good one:

    Code:
    GET
    http://localhost:51222/?code=M.C513_SN1.2.U.Dh9X*5i93QaCBWUyDSv6uoM81vl8HGk0WwcOz8mbS7pZsV*wCG0WHie*qqq5Dyj6vAKBUF3QrlN5dJo*ESOKxgpYRFjrDbGR5hqRhHq5PKEYU5hy8K9nyKCBW520AU*2AYT75deCP5TNyevgUL!hvFhzluEh4iXOedClYug8yXbREMOVED79vtzy*rsX8CnsYt7bn2wzQbQ4WbDa*3Wh8vaPqum4wZ6BMqKOtqAo4ewsqKeEZKzncIT3MBkzULMBEqxtpD6qXIRpzo5zhyiqYipH3km8frZCSLPI7

    Response:
    Generating Report...
    Retrieving Authorization Code...
    Authorization Code Received
    Connected: Logged in: Frontline Software q7frontline.software@outlook.com
    Sending...
    Encoding Message...
    Email Sent Successfully

    So really there are 2 problems. The $ maybe, but also RB sometimes does not pick up on the "The provided value for the 'code' parameter is not valid."

    We have a handful of our Outlook users happily using the OAuth, so it does work. I'm just thinking this will become a wider problem once MS puts SMTP Auth in the grave.
  • Forgot to mention. We're on Delphi 12, RB 23.01 Build 152 - I'm unsure how to tell if the RB is a "patched" version.
  • Hi Dusten,

    Please upgrade to the latest version of ReportBuilder and re-test to ensure we are using the same code-base. The patch for RB 23.03 only applies to Delphi 13.1 so this is not needed in your case.

    ReportBuilder does not encode/decode the access code. My guess is it is being cut off in some way and the dollar sign is an indicator of this. I will keep working to try and see this in action to verify my theory.
    Best Regards,

    Nico Cizik
    Digital Metaphors
    http://www.digital-metaphors.com
  • Ok - we finally got around to getting to 23.03 - No luck - Still 100% failure rates only when getting the $ code.

    This isn't hard data - but it seems much more likely to get the $ when we click "Stay Signed In" = NO.

    IOW - Many more successes when we tell MS we want to stay signed in.
  • For those following this thread. The issue appears to be caused by an incomplete authorization code received in some rare cases. There is a patch available for RB 23.04 that ensures the entire auth code is received before continuing.

    Registered RB users with a current software subscription can email support@ to receive the patch.
    Best Regards,

    Nico Cizik
    Digital Metaphors
    http://www.digital-metaphors.com
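
The fix described in the last reply (making sure the entire authorization code is received before continuing) comes down to how a loopback redirect listener reads the browser's request. The Python below is an added example, not ReportBuilder's code or its patch: it assumes the request can arrive across more than one read, and `FragmentedConn`, the function names and the sample request are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

HEADER_END = b"\r\n\r\n"
MAX_REQUEST = 16 * 1024  # refuse oversized requests instead of buffering forever

# Constructed sample: a redirect request delivered in two reads, split mid-code.
SAMPLE_CODE = "M.C000_TEST.2.U.constructed!sample*value$"
SAMPLE_REQUEST = (f"GET /?code={SAMPLE_CODE} HTTP/1.1\r\n"
                  "Host: localhost:50000\r\n\r\n").encode("ascii")
SPLIT_AT = 30  # byte offset of the fragment boundary (inside the code value)


class FragmentedConn:
    """Stand-in for a socket whose recv() returns one fragment per call."""
    def __init__(self, data: bytes, split_at: int):
        self._chunks = [data[:split_at], data[split_at:]]

    def recv(self, _bufsize: int) -> bytes:
        return self._chunks.pop(0) if self._chunks else b""


def code_from(raw: bytes) -> str:
    """Pull the `code` query parameter out of the HTTP request line."""
    target = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ")[1]
    return parse_qs(urlsplit(target).query)["code"][0]


def code_single_read(conn) -> str:
    # Fragile: one recv() returns only the bytes that have arrived so far.
    return code_from(conn.recv(4096))


def code_full_read(conn) -> str:
    # Robust: accumulate until the blank line that ends the request headers.
    buf = b""
    while HEADER_END not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before end of request headers")
        buf += chunk
        if len(buf) > MAX_REQUEST:
            raise ValueError("request exceeds size limit")
    return code_from(buf)


if __name__ == "__main__":
    print("single read:", code_single_read(FragmentedConn(SAMPLE_REQUEST, SPLIT_AT)))
    print("full read:  ", code_full_read(FragmentedConn(SAMPLE_REQUEST, SPLIT_AT)))
```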