WSGI script at /home/dav/wsgi/wsgi_get_pop_refresh_token.py (repo: ~/py/popit3/wsgi_get_pop_refresh_token.py). Runs the Microsoft OAuth2 authorization code flow to obtain a POP refresh token for Outlook/Hotmail, then writes it to a file in netrc format.
1. Bare GET request → MSAL initiates auth code flow, stores flow dict in gdbm, redirects browser to Microsoft login.
2. Microsoft redirects back with ?code=...&state=... (GET mode) or POSTs it (POST mode). Script exchanges code for token.
3. Refresh token written to output file (mode 600). Browser redirected to ?done=1&state=... which shows a confirmation page.
Uses gdbm (via gd.py in the same directory) to share MSAL flow state across Apache worker processes. Keys: wsgi_pop_flow:<state> and wsgi_pop_result:<state>.
• CLIENT_ID — MSAL app client ID (default: 60da67f7-5fde-4e85-baf3-ab28d0c8e034)
• AUTH_OUTPUT — output file path (default: /home/dav/private/creds/auth.txt)
• REDIRECT_URI — override auto-detected callback URL (recommended: set in Apache vhost)
• GDATA_FILE — gdbm session file (default: /tmp/wsgi_pop_sessions.gdbm)
• GDATA_URL — use a gdata HTTP server instead of local gdbm (overrides GDATA_FILE)
• POST — set to yes to use response_mode=form_post (Microsoft POSTs code back rather than GET redirect)
• auth_user=... — email address recorded in the netrc output (default: jsr_critchley@hotmail.com)
machine outlook.office365.com
login jsr_critchley@hotmail.com
account MSAL:60da67f7-5fde-4e85-baf3-ab28d0c8e034
password <refresh_token>
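Step 3 and the netrc output above depend on the token file never being readable by other local users, including during the write. The following is an added example, not the script's own code: `write_netrc_entry` and `read_netrc_entry` are hypothetical helper names, and the sample values are constructed placeholders. It creates the file with mode 600 from the start, replaces the old file atomically, and refuses to read a file whose permissions have been loosened.

```python
import netrc
import os
import stat
import tempfile


def write_netrc_entry(path, machine, login, account, password):
    """Atomically write one netrc entry that is never group/other readable."""
    for field in (machine, login, account, password):
        # netrc tokens are whitespace-delimited; a space would split the value
        if not field or any(c.isspace() for c in field):
            raise ValueError("netrc field is empty or contains whitespace")
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600 immediately, so there is no
    # window where the token is world-readable (unlike open() then chmod()).
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".auth-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(f"machine {machine}\nlogin {login}\n"
                    f"account {account}\npassword {password}\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX: old or new file, never partial
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def read_netrc_entry(path, machine):
    """Return (login, account, password); refuse files others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; expected 600")
    entry = netrc.netrc(path).authenticators(machine)
    if entry is None:
        raise KeyError(machine)
    return entry


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.txt")
        # Constructed placeholder values, not real credentials
        write_netrc_entry(path, "outlook.office365.com", "user@example.com",
                          "MSAL:00000000-0000-0000-0000-000000000000",
                          "EXAMPLE-refresh-token")
        print(read_netrc_entry(path, "outlook.office365.com"))
```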
App: Popit2 (60da67f7-5fde-4e85-baf3-ab28d0c8e034) in Microsoft Entra admin center. The redirect URI https://www.critchley.biz/msauth must be registered under platform type "Mobile and desktop applications" (not "Web"). The "Allow public client flows" setting must be enabled.
WSGIScriptAlias /msauth /usr/local/www/wsgi-scripts/msauth.wsgi
<Location /msauth>
    SetEnv REDIRECT_URI https://www.critchley.biz/msauth
    SetEnv AUTH_OUTPUT /home/dav/private/creds/auth.txt
</Location>
The actual script is loaded via a proxy shim — see msauth-proxy.