KevinTheJedi yes, all configurations are correct... in a fresh ost (without data) it works perfectly... I made a pre-version upgrade (1.14 - 1.16) and from 1.16 to 1.17 and the OST with data works... thanks a lot for the help
OAuth2 Microsoft Not Working
Is the scope of what is being worked on just generating the token? Is fetching and sending mail also implemented?
Of course. We completely changed the package for mail from PEAR to Laminas-Mail which supports Modern Auth.
Cheers.
I must be missing something. I'm on 1.17rc4 and this is what I'm seeing:
FYI, for this issue, our organization was doing something weird with our firewall and SSL certs. After getting around that, everything worked. Thanks
You have cURL issues on your server. Please follow the link displayed in the error to review the possible resolutions. This is outside the scope of the osTicket software.
Cheers.
I have no idea why; I am unable to replicate this..
Are you using a test application? Are you sure you set the token expiration to a long period of time?
Cheers.
Update: so the cURL error was because of having "organizations" in the URLs; I changed them to "common" and now it appears to do nothing when saving the config, it just dumps me back to the login screen of the ticket system.
Then that most likely means you don't have URL Rewriting enabled on your web server. Or maybe wrong endpoints. You need to go to app reg, click the app, click Overview, and click Endpoints. You need to use the first two URLs (Authorization v2 and Token v2).
Cheers.
Hi,
We have a test app on 17 RC4
I didn't change the token expiration yet, but this morning I noticed:
- mails from the Inbox weren't fetched
- one of the tickets had a 'Last Update' time of about 02 AM
- tokens are valid for IMAP and SMTP
So I did:
- went to the OAuth2 MS Remote Mailbox IdP config and clicked 'Submit'
- on that same Remote Mailbox, disabled 'Email Fetching' and clicked 'Save Changes', then enabled 'Email Fetching' and clicked 'Save Changes'
After that, mails were fetched from the Inbox.
Conclusion:
- why weren't mails fetched, but one of the tickets was updated?
- which of my actions caused emails to be fetched from the Inbox?
Sounds like you need a cron job to automatically poll emails. Then each time it fetches it will update the tokens.
Cheers.
Thanks for your suggestions!
The last bit of my puzzle was about fetching messages, which simply needed to be scheduled by a Cron job.
Running "RC4"
I had made a cron job before the problems with fetching. Anyway, the problems are gone, but I still don't know what resolved the problem.
I've got all 3 of my installations updated and working fine following the guides; however, when the ticket is created for or by a Gmail user, the replies are being blocked.
550-5.7.1 Our system has detected that this message is not RFC 5322 compliant:
550-5.7.1 duplicate headers. To reduce the amount of spam sent to Gmail,
550-5.7.1 this message has been blocked. Please review
550 5.7.1 RFC 5322 specifications for more information.
Any ideas what's wrong?
Thank you
I've found the issue... Outgoing settings were disabled, the old port setting was 25. Changed to 587 and enabled. All is good.
[insert comical abuse here]
Can someone please help me to set up OAuth2? I can't figure out what I am doing wrong.
This is my setup:
After I request the approval, it sends me back to osTicket log in page. Request is approved by admin, but nothing changes in osTicket.
I get this error, and if I try to submit again it is still asking to request approval for the same things that are already approved.
Any ideas what should I check or if I am missing something?
Please follow the exact steps listed in the documentation here:
Also, you'll probably have better luck registering the app as Multi-Tenant.
Cheers.
I get this error when I try to configure authentication.
I double-checked all settings; it seems the token can't be redeemed, while the first part (getting the authorization code) works.
Can I get a detailed log to know what the server response is?
Thanks
It looks like you either didn’t use the correct endpoints or your connection is being refused. Double check your endpoints and make sure you are using the v2 Authorization/Token Endpoints. If all else fails contact Microsoft.
Cheers.
KevinTheJedi
Thank you for answering back to me,
I was using these instructions https://github.com/osTicket/docs/blob/3b6b623c026c15bb267e404a4afd72b19d29f035/OAuth2/Microsoft%20Authorization%20Guide.rst but they look the same as the one you gave me.
Although it is possible I have missed something (I will double-check) and I will also try the multi-tenant option, I have noticed that in one step I differ from the instructions:
"Now with all the information filled in you can click Submit and you should be redirected to Microsoft to authorize the connection.
Here it is very important to login to the email you are trying to configure in the helpdesk. Once logged in as the system email you are trying to configure, you can opt to Consent on behalf of your organization, and then click Accept."
Here, when I click Submit, I do not get this page and the option to consent on behalf of my organization:
Instead I only get the option to Request approval (I am logging in with the email I am trying to configure in the helpdesk):
Afterwards, when the admin logs in with his account on his PC, he only has this option:
He accepts the request but that doesn't work; when I log in to osTicket I get the same error again and it asks me to Request the same approval again... and I am stuck in the loop.
"Unable to update this email. Correct any errors below and try again.
Configure Authentication"
What should I change to get the option to consent on behalf of my organization and accept, instead of the request-approval option that I am getting?
Does this helpdesk account need to have admin rights for the organization? Or is there another step I have missed?
Thank you
Sounds like you didn’t grant admin consent in the app registration for the API Permissions.
Cheers.
Okay, so I just encountered this today and actually came across a fix! All you need to do is follow the guide below:
So apparently, with stricter org setups, you have to grant admin consent twice, once on the API Permissions and again under Enterprise Applications > click app > click Permissions > grant admin consent.
Cheers.
KevinTheJedi Thank you Kevin,
Option 3 did the trick for me.
Unfortunately I cannot keep those settings due to our company policy.
Hopefully it will continue working now after the initial approvals have been granted.
ranved82 Just to confirm, I did migrate our test server to 1.17 using OAuth yesterday and noticed this. It was all sorted after allowing users to grant consent to apps, and I did turn it back to admin approval required afterwards and everything is still working. It should be fine without having to change this setting again unless the app itself is replaced.
KevinTheJedi
Thank you for the reply. I solved it. I discovered the problem was related to php.ini not having the openssl extension enabled.
So the endpoint refused connections because they were not requested with the correct transport protocol.
BR
I also had the Auth Failed error and found that the default scopes in the Add-on are not correct.
I added the following and everything is good to go.
https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send
You don't really need those as the scopes in the osTicket config. In the osTicket config the scopes should just be offline_access https://outlook.office.com/Mail.ReadWrite. But you do still need to enable those scopes in the API Permissions.
Cheers.
I wish I could say the same worked for me. I have followed the guide verbatim, and also ensured I granted admin consent to the enterprise app as well as the app registration. However, I still cannot for the life of me get a token. The closest I have gotten is getting redirected back to my end user portal. I am not seeing the green banner and going back into the email authentication config does not show the token tab as expected.
I know this is on the line between osTicket and a MS issue, so I am willing to open a ticket with MS if needed. Thank you for all your work on this.
If you go back to the client portal then URL Rewriting is not enabled on your web server (or if you are using IIS it may be due to web.config not being loaded properly or at all) and if you get errors when redirecting back you need to investigate the errors or post them here.
Cheers.
We are having problems as well, both in our production environment and in a freshly installed test environment. I have followed the official instructions to the letter: https://docs.osticket.com/en/latest/OAuth2/Microsoft%20Authentication%20(SSO)%20Guide.html
But when I try to log in as an agent, authentication is successful (it shows up in our Azure portal logs) and I'm redirected back to the default osTicket homepage. When I try to access the admin panel, I'm not signed in.
We are running the latest osTicket version and OAuth2 plugin on a freshly installed IIS on a fresh Windows Server 2019, PHP version 8 and MySQL version 8 as well.
KevinTheJedi
Thank you, we are using IIS and URL rewrite is active (we are doing something with URL shortening via YouRLs on the site, though the person that set all that up has since departed). Could there be a rewrite rule we need to configure? I don't get an error on the redirect, it just loads the customer portal as if I was going to open a ticket.
I will also be opening a ticket with MS as I did find the enterprise app logs in Azure and see the following:
Good day all
I have installed and been operational on nginx with the correct redirects etc.; however, after successful authentication and redirect I get this error:
File not found.
Error log indicates: 2022/10/13 16:15:04 [error] 716270#716270: *7043 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream
You do not have URL Rewriting enabled on your server. Since you are using NGINX you may not have the correct configuration either. You can look for the other threads on this. A community member posted their working NGINX config.
Cheers.
I have a problem with configuring the remote mailbox; after submitting all my entries the application keeps loading endlessly.
SMTP is working pretty great. Can you please give me a hint as to what mistake might have happened?
Hi All,
I configured OAuth2 with osTicket 1.17 (1d8b790) with Microsoft Azure AD per the osTicket documentation.
The logs within AD were indicating that the end user was successfully authenticating, however it kept redirecting back to the login page! It turns out that the cURL SSL certificate for PHP was missing. After installing the certificates, the authentication worked fine!
Try these steps; hopefully it'll save someone a headache!
- Open up your php.ini configuration.
- Ensure you have your CA cert installed for cURL. You can also use this one for testing: Certificate
- Place the certificate within a directory which PHP has READ access to.
- Edit your php.ini configuration and point to the .PEM certificate file (see the entries below).
curl.cainfo = "C:\PHP\v8_1_11\certs\cacert.pem"
openssl.cafile= "C:\PHP\v8_1_11\certs\cacert.pem"
- Restart Internet Information Services (IIS).
Staging Server Configuration:
osTicket Version: v1.17 (1d8b790)
Web Server: Microsoft-IIS/10.0
MySQL: 5.7.17
PHP version: 8.1.11
DvDaf Thx mate! That did it! I had added the CA cert file and edited the php.ini file, adding the line
curl.cainfo = "C:\PHP\v8_1_11\certs\cacert.pem"
but I was missing the second one,
openssl.cafile= "C:\PHP\v8_1_11\certs\cacert.pem"
I also thought I was editing the right .ini file, but after double-checking I realized it was using a different .ini, since our server is full of PHP folders from older installations. Now everything seems to be working properly.
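The three things fixed in the posts above (the openssl extension not enabled, the wrong php.ini being edited, and curl.cainfo/openssl.cafile not pointing at a readable CA bundle) can be checked in one place. The script below is an added example, not osTicket code or anything the posters ran; it assumes it is executed with the same PHP binary that serves osTicket, and the optional --probe flag assumes login.microsoftonline.com (the host of the v2 endpoints) is reachable.

```php
<?php
// Added diagnostic (not osTicket code). Run it with the same PHP binary that
// serves osTicket, since each PHP install reads its own php.ini.

function oauth2_tls_diagnostics(bool $probe = false): array
{
    $problems = [];

    // Which php.ini is actually loaded (easy to get wrong with several installs).
    $ini = php_ini_loaded_file();
    if ($ini === false) {
        $problems[] = 'No php.ini is loaded; PHP is running on built-in defaults';
    }

    // curl performs the token request, openssl provides the TLS transport.
    foreach (['curl', 'openssl'] as $ext) {
        if (!extension_loaded($ext)) {
            $problems[] = "extension '$ext' is not enabled";
        }
    }

    // Both settings must point at a PEM bundle the PHP process can read.
    foreach (['curl.cainfo', 'openssl.cafile'] as $key) {
        $path = (string) ini_get($key);
        if ($path === '') {
            $problems[] = "$key is not set";
        } elseif (!is_readable($path)) {
            $problems[] = "$key = '$path' is not readable by PHP";
        }
    }

    // Optional live check: a HEAD request to the host of the v2 endpoints with
    // peer verification on, so a missing CA bundle surfaces as a cURL error.
    if ($probe && extension_loaded('curl')) {
        $ch = curl_init('https://login.microsoftonline.com/');
        curl_setopt_array($ch, [CURLOPT_NOBODY => true, CURLOPT_RETURNTRANSFER => true,
                                CURLOPT_SSL_VERIFYPEER => true, CURLOPT_TIMEOUT => 10]);
        if (curl_exec($ch) === false) {
            $problems[] = 'TLS probe failed: ' . curl_error($ch);
        }
        curl_close($ch);
    }

    return ['ini' => $ini, 'problems' => $problems];
}

$r = oauth2_tls_diagnostics(in_array('--probe', $argv ?? [], true));
echo 'Loaded php.ini: ' . ($r['ini'] ?: '(none)') . PHP_EOL;
echo ($r['problems'] ? implode(PHP_EOL, $r['problems']) : 'No problems found') . PHP_EOL;
```

On IIS, run it with the php.exe from the folder the FastCGI handler actually points to, otherwise the reported php.ini is not the one osTicket uses.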
Hi,
I have managed to get this to work fine when users can consent; however, when the admin consent request is enabled I keep getting the following after it's been approved and redirected. (Rewrite is correct on Apache2 and working.)
This is returned from Azure.
=AADSTS65004%3a+User+declined+to+consent+to+access+the+app.
I've tried the fixes mentioned above:
- grant admin consent twice, once on the API Permissions and again under Enterprise Applications > click app > click Permissions > grant admin consent.
However, the same occurs.
I've just tried this on a separate tenancy with the same admin flow to replicate the issue and I see the same.
Has anyone else seen this or have any insight to get this to work?
I can of course give that user admin rights and it succeeds but I cannot do this in a production environment.
Thanks.
SC
User+declined+to+consent+to+access+the+app.
As the error states, a user denied consent to the app. You will need to consent in order to get a Token.
Cheers.