jswope

You don't really need those as the scopes in the osTicket config. In the osTicket config the scopes should just be offline_access https://outlook.office.com/Mail.ReadWrite. But you do still need to enable those scopes in the API Permissions.

Cheers.

KevinTheJedi

I wish I could say the same worked for me. I have followed the guide verbatim, and also ensured I granted admin consent to the enterprise app as well as the app registration. However, I still cannot for the life of me get a token. The closest I have gotten is getting redirected back to my end user portal. I am not seeing the green banner and going back into the email authentication config does not show the token tab as expected.

I know this is on the line between osTicket and a MS issue, so I am willing to open a ticket with MS if needed. Thank you for all your work on this.

    lstrom

    If you go back to the client portal then URL Rewriting is not enabled on your web server (or, if you are using IIS, it may be due to web.config not being loaded properly or at all), and if you get errors when redirecting back you need to investigate the errors or post them here.

    Cheers.

      We are having problems as well, both in our production environment and in a freshly installed test environment. I have followed the official instructions to the letter: https://docs.osticket.com/en/latest/OAuth2/Microsoft%20Authentication%20(SSO)%20Guide.html

      But when I try to log in as an agent, authentication is successful (it shows up in our Azure portal logs) and I'm redirected back to the default osTicket homepage. When I try to access the admin panel, I'm not signed in.

      We are running the latest osTicket version and OAuth2 plugin on a freshly installed IIS on a fresh Windows Server 2019, PHP version 8 and MySQL version 8 as well.

      KevinTheJedi
      Thank you, we are using IIS and URL Rewrite is active (we are doing something with URL shortening via YOURLS on the site, though the person that set all that up has since departed). Could there be a rewrite rule we need to configure? I don't get an error on the redirect, it just loads the customer portal as if I was going to open a ticket.

      I will also be opening a ticket with MS as I did find the enterprise app logs in Azure and see the following:

      Good day all,
      I have installed and been operational on nginx with the correct redirects etc. However, after successful authentication and redirect I get this error:

      File not found.

      Error log indicates: 2022/10/13 16:15:04 [error] 716270#716270: *7043 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream

        korcom

        You do not have URL Rewriting enabled on your server. Since you are using NGINX you may not have the correct configuration either. You can look for the other threads on this. A community member posted their working NGINX config.

        Cheers.

        I have a problem with configuring the remote mailbox. After submitting all my entries the application keeps loading endlessly.
        SMTP is working pretty great. Can you please hint at what mistake might have happened?

          Hi All,

          I configured OAuth2 with osTicket 1.17 (1d8b790) with Microsoft Azure AD per the osTicket documentation.

          The logs within AD were indicating that the end-user was successfully authenticating, however it kept redirecting back to the login page! It turns out that the cURL SSL certificate for PHP was missing. After installing the certificates, the authentication worked fine!

          Try these steps, hopefully it'll save someone a headache!

          1. Open up your PHP.ini configuration.
          2. Ensure you have your CA cert installed for cURL. You can also use this one for testing: Certificate
          3. Place the certificate within a directory which PHP has READ access to.
          4. Edit your PHP.ini configuration and point to the .PEM certificate files (see entries below).
             curl.cainfo = "C:\PHP\v8_1_11\certs\cacert.pem"
             openssl.cafile= "C:\PHP\v8_1_11\certs\cacert.pem"
          5. Restart Internet Information Services (IIS).

          Staging Server Configuration:
          osTicket Version: v1.17 (1d8b790)
          Web Server: Microsoft-IIS/10.0
          MySql: 5.7.17
          PHP version: 8.1.11

            DvDaf Thx mate! That did it! I had added the CA cert file and edited the php.ini file, adding the line

            curl.cainfo = "C:\PHP\v8_1_11\certs\cacert.pem"

            but I was missing the second one,

            openssl.cafile= "C:\PHP\v8_1_11\certs\cacert.pem"

            I also thought I was editing the right .ini file, but after double checking I realized it was using a different .ini since our server is full of PHP folders of older installations. Now everything seems to be working properly.
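A diagnostic that checks the points DvDaf's steps and the reply above hinge on: which php.ini the PHP binary actually loads, whether both CA directives point at a readable bundle, and whether cURL can complete a verified TLS handshake to the Microsoft identity endpoint. This is an added example, not osTicket or plugin code; it assumes the OAuth2 plugin reaches login.microsoftonline.com, and the cacert.pem path is whatever your own php.ini holds.

```php
<?php
// Added diagnostic (not osTicket code). Run it with the same PHP binary the
// web server uses, e.g.  C:\PHP\v8_1_11\php.exe tls_check.php
// so that the loaded php.ini matches what IIS/nginx/Apache sees.

function report(string $label, bool $ok, string $detail): void {
    printf("[%s] %s: %s\n", $ok ? 'OK' : 'FAIL', $label, $detail);
}

// 1. Which php.ini is loaded? (the reply above was editing the wrong one on a
//    server with several PHP installations)
$ini = php_ini_loaded_file();
report('php.ini in use', $ini !== false, $ini === false ? 'none loaded' : $ini);

// 2. Both directives must name a readable PEM bundle: the plugin's cURL calls
//    use curl.cainfo, PHP's own TLS stream wrappers use openssl.cafile.
foreach (['curl.cainfo', 'openssl.cafile'] as $key) {
    $path = ini_get($key);
    if ($path === false || $path === '') {
        report($key, false, 'not set');
        continue;
    }
    $readable = is_readable($path);
    report($key, $readable, $path . ($readable ? ' readable' : ' NOT readable by this user'));
}

// 3. cURL extension present and built with a TLS backend?
$ssl = extension_loaded('curl') ? (curl_version()['ssl_version'] ?? '') : '';
report('curl ext + TLS', $ssl !== '', $ssl !== '' ? $ssl : 'missing');

// 4. Live check with peer verification ON (assumed endpoint the plugin uses).
//    A missing/wrong CA bundle shows up here as
//    "SSL certificate problem: unable to get local issuer certificate".
$ch = curl_init('https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration');
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,  // disabling this hides the problem, never "fixes" it
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_TIMEOUT        => 10,
]);
curl_exec($ch);
$err  = curl_error($ch);
$code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);
report('TLS to login.microsoftonline.com', $err === '' && $code === 200,
       $err !== '' ? $err : "HTTP $code");
```

If step 1 prints a path other than the file you edited, the directives in step 2 will read as "not set" regardless of what you added; fix the loaded file (or the web server's PHP handler path) first.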

            Hi,

            I have managed to get this to work fine when users can consent, however, when the admin consent request is enabled I keep getting the following after it's been approved and redirected. (Rewrite is correct on Apache2 and working.)

            This is returned from Azure.
            =AADSTS65004%3a+User+declined+to+consent+to+access+the+app.

            I've tried the fixes mentioned above:

            • grant admin consent twice, once on the API Permissions and again under Enterprise Applications > click app > click Permissions > grant admin consent.

            However, the same occurs.

            I've just tried this on separate tenancies with the same admin flow to replicate the issue and I see the same.

            Has anyone else seen this or have any insight to get this to work?

            I can of course give that user admin rights and it succeeds but I cannot do this in a production environment.

            Thanks.

            SC

              megatronic79

              User+declined+to+consent+to+access+the+app. As the error states, a user declined consent to the app. You will need to consent in order to get a token.

              Cheers.

                KevinTheJedi

                That's the problem though, the user cannot do that, it's sent to the admin for approval.

                When the approval is done BY the admin the user clicks on the return and redirects back to osTicket, however it seems you are dropping the client-side approval... hence the returned message from Azure. The user cannot do any more than that, and all settings are applied on the Azure side.

                I've tested this on two separate tenancies. If I turn off the approval flow it works as expected; when it's on, this part breaks and it doesn't appear you can complete the auth.

                megatronic79

                Yea that won't work, you'll need to allow them access to grant consent. We have some updates coming soon that shouldn't force prompt=consent which might help in your case. In the meantime you can download the plugin raw files from github, hydrate them, and make the change yourself to not force the prompt or you can wait for the next set of updates to be released.

                Cheers.

                  @KevinTheJedi having a similar issue. After O365 auth is complete, I click 'save' and it gives this message. I've triple checked to verify IMAP/POP is still enabled on the account and followed your guide for the O365 Azure AD application. A little stuck.