Why is the Outlook plugin asking for Sugar password repeatedly?

I am running an "onsite" instance of SugarCRM (version 7.6.2.1) with the Outlook 2010 32 bit Plugin (version 2.1.0) and throughout the day I am repeatedly asked for my Sugar password within Outlook. Once entered it works fine for a period of time (hour or two) and then the username/password dialog pops up with the password field empty. The username seems to be stored properly within the plugin setting, however the password is not. Other users I have spoken to within my place of business do not have this issue. It seems to be a local situation. Is there a timeout setting or something of that nature that I'm not seeing within the plugin settings?

Any suggestions would be appreciated, Thanks.

  • Hi Adam (and three other people so far)

    This is an interesting item. The Outlook Plug In (OPI) does not store the password by design. This was determined to be a security risk as that is a static secret and storing static secrets in a completely zero-interaction manner is insecure by nature. As a result, the credentials provided are used to log in and acquire the OAuth2 tokens, then are discarded as is standard for security. When both access and refresh tokens are invalid when presented, OPI will prompt for the user's password.

    Several things can cause the tokens to become invalid. Common issues based on normal events and configurations:

    • Changing IP if IP validation is turned on (Such as when a laptop migrates networks or moves from wireless to wired).
    • Short durations or improper durations set for the token expirations. The default expire time for a refresh token is two weeks. Settings shorter than an hour especially have a strong potential to impact OPI.
    • Third party token reissue (Another OPI logging in as the same user)

    Other items that cause the end result of "OPI presents its access token and is denied, then presents its refresh token and is denied" will also cause the password prompt and none of these are encountered in common or normal situations, but can be found in a limitless supply of potential edge cases that nobody has ever thought of before. In those situations, working with our wonderful support team might be called for to track down the cause of the behavior.

    So check the three things above and see what you find. Remember the "end result" that triggers it if those three don't pan out.
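
The fallback the answer describes (access token denied, then refresh token denied, then password prompt), as an added example that is not SugarCRM or plugin code: a small Python model run against the three listed causes. The server class, names, IP addresses and the one-hour access lifetime are constructed for illustration, and the model assumes the server keeps one live grant per user and ties a grant to its issuing IP when IP validation is on.

```python
import secrets
from collections import namedtuple

Grant = namedtuple("Grant", "user ip issued access refresh")  # tokens the client holds

class TokenServer:
    """Constructed model: one live grant per user, optional IP validation."""
    def __init__(self, validate_ip=False, access_ttl=3600, refresh_ttl=14 * 86400):
        self.validate_ip = validate_ip
        self.ttl = {"access": access_ttl, "refresh": refresh_ttl}  # seconds
        self.live = {}  # user -> current Grant

    def issue(self, user, ip, now):  # replaces any earlier grant for this user
        self.live[user] = Grant(user, ip, now, secrets.token_hex(8), secrets.token_hex(8))
        return self.live[user]

    def deny_reason(self, grant, kind, ip, now):
        cur = self.live.get(grant.user)
        if cur is None or getattr(cur, kind) != getattr(grant, kind):
            return "reissued"
        if self.validate_ip and cur.ip != ip:
            return "ip_changed"
        return "expired" if now - cur.issued >= self.ttl[kind] else None

def call_api(server, grant, ip, now):
    """Client flow: access token, then refresh token, then password prompt."""
    if server.deny_reason(grant, "access", ip, now) is None:
        return "ok", grant
    why = server.deny_reason(grant, "refresh", ip, now)
    if why is None:
        return "refreshed", server.issue(grant.user, ip, now)
    return "password_prompt:" + why, None

def run_scenarios():
    out = {}
    s = TokenServer()  # two-week refresh lifetime, IP validation off
    out["default_after_2h"] = call_api(s, s.issue("adam", "10.0.0.5", 0), "10.0.0.5", 7200)[0]
    s = TokenServer(validate_ip=True)  # laptop moves to another network
    out["ip_change"] = call_api(s, s.issue("adam", "10.0.0.5", 0), "192.168.1.9", 60)[0]
    s = TokenServer(access_ttl=600, refresh_ttl=1800)  # refresh lifetime under an hour
    out["short_refresh"] = call_api(s, s.issue("adam", "10.0.0.5", 0), "10.0.0.5", 7200)[0]
    s = TokenServer()  # a second client logs in as the same user
    first = s.issue("adam", "10.0.0.5", 0)
    s.issue("adam", "10.0.0.77", 30)
    out["reissue"] = call_api(s, first, "10.0.0.5", 60)[0]
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

Only the first scenario ends in a silent refresh; the other three end in a password prompt, each tagged with the cause to check on the server side.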
