
Authentication Issues with XOAuth2 in Office 365 #1948

@Suchiman

Describe the bug
When using OAuth2 with Office365, some users receive JWT tokens in excess of 4096 characters. Trying to use this token makes the server respond with a protocol error. As far as we can tell, this behavior is new and only started happening from 2025-07-16, so it is quite likely that MailKit itself is not at fault, but I figured you might be able to do something about it 😁. We've also engaged Microsoft support, but we're stuck in deflection hell (Case 2509091410000307).

Platform (please complete the following information):

  • OS: Windows 11
  • .NET Runtime: .NET 9
  • MailKit Version: 4.13.0

To Reproduce
Steps to reproduce the behavior:

  1. Execute this code
using MailKit.Net.Pop3;
using MailKit.Security;

// XOAUTH2 credentials: mailbox address plus the OAuth2 access token
var oauth2 = new SaslMechanismOAuth2 ("example@example.com", "<valid token with a string.Length of over 4096 characters>");

using (var client = new Pop3Client ()) {
    await client.ConnectAsync ("outlook.office365.com", 995, SecureSocketOptions.SslOnConnect);
    await client.AuthenticateAsync (oauth2);
    await client.DisconnectAsync (true);
}
  2. Receive Protocol error

Expected behavior
Authentication always works reliably

Protocol Logs

Connected to pops://outlook.office365.com:995/
S: +OK Microsoft Exchange POP3 server ready (tcpproxy/15.20.9137.005). [RgBSADAAUAAyADgAMQBDAEEAMAAyADUAMgAuAEQARQBVAFAAMgA4ADEALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
C: CAPA
S: +OK Capacity follows
S: TOP
S: UIDL
S: SASL PLAIN XOAUTH2
S: USER
S: .
C: AUTH XOAUTH2
S: + 
C: ****************
S: -ERR Protocol error. Connection is closed. 10
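
To check whether a given access token falls into the range described in this report, the following added example (not code from the issue author or from MailKit) measures the token, the length of the base64 XOAUTH2 response line it produces, and the claims that take up the most space. The 4096 threshold is the reporter's observation, the sample token and its `sample_groups` claim are constructed, and the helper names `Encode`, `Decode`, `BuildResponse` and `Report` are hypothetical.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Threshold taken from the report: tokens longer than this were rejected.
const int ReportedTokenLimit = 4096;

// Constructed sample: an unsigned, JWT-shaped token inflated by a made-up claim.
var payload = JsonSerializer.Serialize (new {
    aud = "https://outlook.office365.com",
    sample_groups = Enumerable.Range (0, 150).Select (_ => Guid.NewGuid ())
});
var token = string.Join ('.', Encode ("{\"alg\":\"none\"}"), Encode (payload), "constructed-signature");
Report ("example@example.com", token);

// base64url without padding, as used for JWT segments
string Encode (string json) =>
    Convert.ToBase64String (Encoding.UTF8.GetBytes (json)).TrimEnd ('=').Replace ('+', '-').Replace ('/', '_');

byte[] Decode (string segment)
{
    var s = segment.Replace ('-', '+').Replace ('_', '/');
    return Convert.FromBase64String (s.PadRight (s.Length + (4 - s.Length % 4) % 4, '='));
}

// XOAUTH2 initial response: base64("user=" user ^A "auth=Bearer " token ^A ^A)
string BuildResponse (string user, string accessToken) =>
    Convert.ToBase64String (Encoding.UTF8.GetBytes ($"user={user}\u0001auth=Bearer {accessToken}\u0001\u0001"));

void Report (string user, string accessToken)
{
    Console.WriteLine ($"token length: {accessToken.Length} (over {ReportedTokenLimit}: {accessToken.Length > ReportedTokenLimit})");
    Console.WriteLine ($"XOAUTH2 response line: {BuildResponse (user, accessToken).Length} characters");

    var parts = accessToken.Split ('.');
    if (parts.Length != 3) {
        Console.WriteLine ("not a three-part JWT; claims not inspected");
        return;
    }

    // Rank claims by serialized size to see what inflates the token.
    using var doc = JsonDocument.Parse (Decode (parts[1]));
    var largest = doc.RootElement.EnumerateObject ()
        .OrderByDescending (c => c.Value.GetRawText ().Length).Take (5);
    foreach (var claim in largest)
        Console.WriteLine ($"  {claim.Name,-16} {claim.Value.GetRawText ().Length} characters");
}
```

Run it against a real token only on a trusted machine and keep the output out of tickets and logs, since the claim values identify the user and tenant.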
