rblake

Do you have to "grant admin consent" if you are adding delegated API permissions? All of the permissions I have added have stated that I do not need that option. Or did you add those permissions as Application permissions and not Delegated permissions?

    KevinTheJedi

    With Graph API the mail attribute would be correct. Unfortunately we can't use that API. I would like to know how you are getting that attribute with https://outlook.office.com/api/v2.0/me πŸ˜ƒ

    There are couple bugs with the OAuth2 instance/email settings:

    • If you have a valid token, making changes to email/oauth2 settings doesn't trigger re-authorization.
    • Editing the attributes via the instance doesn't work at the moment, these gets overwritten back to defaults when you save email/oauth settings.

    RevAdmin You have to "grant admin consent" unless your tenant has "user consent" allowed for all applications/permissions (which you absolutely should not have for security reasons): https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal

    I am getting the same error AUTHENTICATE failed, I have confirmed I received the token from Azure, and can see the successful sign-in in Azure. Any solutions for this?

    I feel so stupid. I dug into the log files in Azure to figure out why the hell this account was not being added.

    I was using the client secret's ID, not the actual value. 4 years into a sysadmin role and I am embarassed lol.

    Everything is working as far as I can tell right now and I didn't even have to "grant admin consent!" I'm going to test a little bit and write some steps up since I configured my Azure OAuth app a bit differently than above.

      nerdyviking88

      I see you are using the default /common/ urls where you need to change those to the urls with your /tenant-id/ or /organizations/ in them. If you go to App Registrations (or Enterprise Applications - can’t remember off the top of my head), click on the app, and click Endpoints at the top you should see the correct endpoints to use.

      Cheers.

        KevinTheJedi

        Updated those to remove the 'common/ and put in our tenant ID. No change. I save, submit, it redirects to a 404.

        EDIT:

        I attempted to load up my url we're using as a callback endpoint, the https://url.com/api/auth/oauth2 . I get a 404. If I go into my root apache directory and open the api folder, I see no auth folder, nor oauth2. This is a fresh install, so I may be missing something or screwed something up.

          KevinTheJedi

          Well that definately did something. Now getting the following message:

          array ( 'code' => 'InvalidAudience', 'message' => 'The audience claim value is invalid \'aud\'.', 'innerError' => array ( 'oAuthEventOperationId' => 'd5f3e02e-68f0-46b2-af33-6b6ec98807ce', 'oAuthEventcV' => '9u7DvOydWvDsiE6wCe89Zg.1.1', 'errorUrl' => 'https://aka.ms/autherrors#error-InvalidResource', 'requestId' => 'bcc3eef6-9dec-f05a-ec88-4eb009ef3d66', 'date' => '2022-08-03T21:23:06', ), )

          14 days later

          rblake you can see other details at https://forum.osticket.com/d/101392-oauth2-microsoft-setup/34

          I started fresh and followed all the steps, but still not working @KevinTheJedi do you think something changed on RC3 vs. RC2? Yesterday, I got it to successful get Token, but not able to enable Fech IMAP or SMTP
          It lets me log in to Azure to verify my user/password, then I get an error:

          .com/api/auth/oauth2?code=0.AXgA2fAVo4Vd60CnyrQF14356.... etc.
          Not Found
          The requested URL was not found on this server.

          If using the hybrid flow (e.g ASP.NET Core, ASP.NET web apps), enable ID tokens in the implicit grant flow.

          I gave access to: ID tokens (used for implicit and hybrid flows)

          Implicit grant and hybrid flows
          Request a token directly from the authorization endpoint. If the application has a single-page architecture (SPA) and doesn't use the authorization code flow, or if it invokes a web API via JavaScript, select both access tokens and ID tokens. For ASP.NET Core web apps and other web apps that use hybrid authentication, select only ID tokens. Learn more about tokens.

          Select the tokens you would like to be issued by the authorization endpoint:
          Access tokens (used for implicit flows)
          ID tokens (used for implicit and hybrid flows)

          If hit back, I get error:
          AADSTS900561: The endpoint only accepts POST requests. Received a GET request.

          Request Id: a91c0c8e-a915-4dfa-a1b6-10b2b4591200
          Correlation Id: 1bbf5fd1-3cac-45f7-becf-752d20277320
          Timestamp: 2022-08-17T13:13:16Z
          Message: AADSTS900561: The endpoint only accepts POST requests. Received a GET request.

          Any pointer would be great
          There is a YouTube Video on How to connect to Office 365 with IMAP, Oauth2, and Client Credential Grant Flow, which requires doing some PowerShell commands
          https://youtu.be/bMYA-146dmM

            ramrajone

            Not Found
            The requested URL was not found on this server.

            This is due to you not having URL Rewriting enabled for the webserver you are using. Please review your webserver's documentation on how to enable URL Rewriting. Once you get that working you should be fine.

            I started fresh and followed all the steps, but still not working KevinTheJedi do you think something changed on RC3 vs. RC2?

            I don't get what you're asking here. Of course there were changes between RC2 and RC3 as we wouldn't release a new RC with no changes. Can you please clarify or provide more details on what you are asking?

            Cheers.

              KevinTheJedi
              Rewrite is enabled, I have installed 1.16 and able to get it working fine with basic authentication

              What I mean about changes RC3 vs RC2 is that some people got it working, which posted here might be using RC2 version

              I will try again later

                ramrajone

                Rewrite is enabled, I have installed 1.16 and able to get it working fine with basic authentication

                This has nothing to do with URL Rewriting. Basic Auth does not use anything that requires URL Rewriting.

                What I mean about changes RC3 vs RC2 is that some people got it working, which posted here might be using RC2 version

                Nothing that should affect that has changed. We only made things editable and provided better defaults.

                Cheers.

                  KevinTheJedi
                  oops I forgot to change from AllowOverride none to AllowOverride all
                  Thanks

                  <Directory /var/www/>
                  Options Indexes FollowSymLinks
                  AllowOverride all
                  Require all granted
                  </Directory>

                  Now I am back to where I was yesterday:
                  Unable to update this email. Correct any errors below and try again.
                  AUTHENTICATE failed.

                  when I try to enable Email Fetching or SMTP
                  URL shows: /scp/emails.php?id=1#mailbox

                    ramrajone I'm also getting the AUTHENTICATE failed too. It gave me the false hope before because it showed as successful but later when I received an e-mail, it failed and wouldn't download the message.

                    5 days later

                    Hi Guys,
                    found the issue for the email mismatch
                    Cookies from the browser. πŸ˜…

                      4 days later

                      any working instructions for setting up OAuth2 Microsoft ? (running v1.17-rc3)